Secure Admin Login - Logout

for osCommerce Online Merchant v2.2

This contribution comes from the inspiration of Jason D. Agostoni, who presented his code in an article on "Security and Sessions in PHP". His article and documentation can be found at: http://www.devarticles.com/c/a/MySQL/Security-and-Sessions-in-PHP/

I converted his code and made it work for the osCommerce Admin Panel. This is totally PHP-based code that uses sessions. There are no JavaScript or .htaccess files in this code. I was looking for code that is non-intrusive in the osCommerce code structure and this did the job wonderfully! I was concerned whether this code would conflict with the Admin session ID: osCAdminID. In all of my testing I have not experienced any problems with it at all.

One major security problem that we needed to solve is that anyone can use the backspace button on their browser to get back into secure areas on many web sites after logoff. We have merchants using their shopping carts in their stores where security is important from customers and other employees. JavaScript only works when people have JavaScript enabled, and .htaccess allows browsers to use the back button to gain access after logoff. I was able to add some code in the logoff.php file which writes a "logged off" tag to the session ID. This prevents anyone from gaining access again after logoff.
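The "logged off" tag described above, shown as an added example that is not the contribution's own code. The session keys `admin_logged_in` and `admin_logged_off` and the `login.php` redirect target are hypothetical names, the no-cache headers go beyond what the page describes, and the code is written for current PHP rather than the PHP of the osCommerce 2.2 era.

```php
<?php
// Added illustration only. The session keys and login.php are hypothetical
// names, not taken from the contribution's files.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Call after the admin's credentials have been verified.
function admin_mark_logged_in(): void
{
    session_regenerate_id(true);            // fresh ID for the authenticated session
    $_SESSION['admin_logged_in'] = true;
    unset($_SESSION['admin_logged_off']);   // clear any earlier "logged off" tag
}

// Call from logoff.php: write the "logged off" tag into the session.
function admin_mark_logged_off(): void
{
    unset($_SESSION['admin_logged_in']);
    $_SESSION['admin_logged_off'] = true;
    session_write_close();                  // persist the tag before redirecting
}

// Pure decision: may a session with this data see a protected page?
function admin_session_allowed(array $session): bool
{
    if (!empty($session['admin_logged_off'])) {
        return false;                       // the tag wins, even if other data lingers
    }
    return !empty($session['admin_logged_in']);
}

// Call at the top of every protected admin page, before any output.
function admin_require_login(): void
{
    // Ask the browser not to keep a copy it could redisplay from history.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');

    if (!admin_session_allowed($_SESSION)) {
        header('Location: login.php');
        exit;                               // stop before protected markup is sent
    }
}
```

Because the check runs on the server for every request, a back-button navigation that reaches the server after logoff is redirected to the login page regardless of browser settings.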

Files