#1 spaceman (Melbourne, Australia):

    sessions, logging out, and the BACK button.

    Whatever I try with session_unset, session_unregister, session_destroy (and I always session_start() first), I can't seem to prevent the possibility of the user clicking BACK on their browser and then refreshing - which gets them back into the old authenticated session without having to log back in.

    The only solution I've found so far (which is not very satisfactory) is to force the closing of the browser window with a bit of JavaScript, like so:

    echo "<p><a href=\"$thisfile?action=logout\" onClick=\"window.close()\">Logout</a><br>";

    I guess the problem is that the session variables are being cached by the browser. So even after I completely eradicate the existence of the session, a BACK page or two is capable of bringing the session back to life.

    Is there a solution to this problem that doesn't require the user to close their browser window?

    Hoping someone can advise. My guess is that there are a lot of people out there who *think* they've completely logged a user out of a session using session_unset/session_destroy, and don't realise that a BACK and a REFRESH are all that's required to revive the session.
    Web Design Perth Melbourne .:. Itomic Business Website Solutions
    Drupal Experts .:. Drupalise

#2 spaceman (Melbourne, Australia):

    I _may_ have helped answer my own question (which I seem to have a habit of doing lately).

    The BACK + Refresh method was working when I was forcing my browser NOT to cache the content of each page using this little lot:

    header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
    header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified
    header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header ("Pragma: no-cache"); // HTTP/1.0

    When I commented these lines out of my header - so that my browser is allowed to cache page content - it seems that after the logout routine has run I now cannot hit the BACK button and then Refresh to restore my previous session.

    Hmmm....
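The two posts above describe the symptom (BACK + Refresh after session_destroy() gets the user back in) and a set of cache headers. The following is an added example, not code from the thread, showing the logout routine and the per-request guard a practitioner would pair with such headers. The key point it demonstrates: whether the browser shows a stale page from its cache is decided by the headers, but whether a refreshed (re-requested) page is accepted is decided only by server-side state, so the guard must run at the top of every protected page. The function names, the `/login.php` URL and the `?action=logout` parameter are this example's own choices; it assumes PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example (not from the thread): a logout routine plus a per-request
// guard. Refreshing a page that came from the browser cache is a new HTTP
// request, so the server-side session state, not the cached HTML, decides
// whether the user is "back in".

declare(strict_types=1);

// Stop browsers and proxies from storing authenticated pages, so BACK does
// not show stale account content. Must run before any output. "no-store"
// is the directive that actually forbids keeping a copy; the others cover
// older HTTP/1.0-era caches.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Called once, after credentials have been verified (assumed to happen
// elsewhere). Regenerating the ID makes a session ID fixed or observed
// before login worthless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);        // true = delete the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = true;
    $_SESSION['login_at']  = time();
}

// Full teardown. session_destroy() alone removes the server-side data but
// does not touch the cookie: the browser keeps sending the old ID, and a
// later session_start() on that ID begins a fresh, empty session that code
// which only checks isset($_SESSION) may mistake for a live one.
function logout_user(): void
{
    $_SESSION = [];                        // 1. drop the data for this request

    if (ini_get('session.use_cookies')) {  // 2. expire the cookie client-side
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    session_destroy();                     // 3. remove the server-side store
}

// First thing on every protected page, before any output. A BACK + Refresh
// after logout arrives here with no cookie, or with an ID whose data is
// gone, so 'logged_in' is unset and the request is bounced.
function require_login(string $loginUrl = '/login.php'): int
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        $_SESSION = [];                    // do not leave an empty session behind
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// --- Page skeleton (example use) --------------------------------------------
session_start();
send_no_store_headers();

if (($_GET['action'] ?? '') === 'logout') {
    logout_user();
    header('Location: /login.php', true, 303);
    exit;
}

$uid = require_login();
echo '<p>Logged in as user ', $uid, '. <a href="?action=logout">Logout</a></p>';
```

Two caveats worth knowing when comparing this with the headers in post #2: PHP's default session.cache_limiter is "nocache", so session_start() already emits Cache-Control/Pragma/Expires headers of its own, and calling send_no_store_headers() afterwards simply replaces them with a consistent set; and browsers treat history navigation (BACK) differently from a normal request, so even "no-store" is a hint about what the user sees, not a security control. The control is require_login() on the server.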

  3. #3
    ********* Callithumpian silver trophy freakysid's Avatar
    Join Date
    Jun 2000
    Location
    Sydney, Australia
    Posts
    3,798
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hehe, you might want to try it out using Netscape, which I believe will allow you to repost the data from cache. I don't know what the answer is. I'm sure others have solved the problem. It is on my TODO list of things to learn because I have a very weak knowledge of sessions.

#4 zoordaan (NYC/Texas):

    Are you saving the sessions to a database?

    I save the session to a database and if a user logs out the session is deleted. If the user hits the back button, they will see the previous page, but if they try to do anything like submitting a form on the page, following a link, or refreshing the page, they get a message that their session is not valid. I have a function on each page that checks to see if the session is valid (meaning it's a saved session in the database and it is not expired). This works for me in Netscape and IE.

    I am letting the browser cache pages. I am wondering, if I don't allow it to cache pages, whether the "session not valid" message would come up if the user just hits the back button. I imagine it would, because the function that checks to see if a session is valid is the first thing executed in my script; if the session is invalid, the user never sees the regular content of the page, only the error message. I'll have to try it sometime.

#5 spaceman (Melbourne, Australia):

    Thanks for that, zoordaan. Sounds like your solution is the 'ultimate' cross-browser answer to the problem. It's sort of frustrating that one has to go to this 'extreme' - not that your solution is that hard - it's just that with the explicit use of the unset and destroy functions one is led to believe that a session is well and truly deleted by their use. I'm not blaming PHP for this - it's just a feature of the environment in which we work.

    One more question - I've seen examples elsewhere of saving session ids to a database, and I've noticed that a little formatting is done to the session id prior to saving. Is it necessary/sufficient to addslashes prior to saving, and stripslashes after retrieving the session id, or is it necessary to perform additional formatting? In other words do you know what special characters could occur in a session id which need looking out for?

    Thanks again.
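Post #4 describes a server-side session registry (a row per session that logout deletes, checked first on every page), and post #5 asks what escaping a session ID needs before it is stored. The following is an added example, not zoordaan's code, that implements the registry with PDO prepared statements. On the escaping question: IDs PHP itself generates contain only the characters `0-9a-zA-Z,-` (the session.sid_bits_per_character alphabets) and are 22 to 256 characters long, but the ID arrives in a cookie the client controls, so the example validates it against that shape and then passes it to the database as a bound parameter; with bound parameters, addslashes()/stripslashes() is neither necessary nor sufficient. The table name `sessions` and its columns are assumptions, and SQLite in memory is used only so the example runs offline.

```php
<?php
// Added example (not from the thread): a database-backed session registry
// as described in post #4, using PDO prepared statements so the session ID
// is always sent as data, never spliced into SQL text.

declare(strict_types=1);

// IDs PHP generates use only [0-9a-zA-Z,-] and are 22..256 characters long
// (session.sid_length / session.sid_bits_per_character). Anything else did
// not come from PHP; reject it before it reaches the database. Assumes the
// default ID settings have not been shortened below 22 characters.
function is_well_formed_sid(string $sid): bool
{
    return preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $sid) === 1;
}

function open_registry(): PDO
{
    // Assumed schema. ':memory:' keeps the example self-contained.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE sessions (
        id         TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL
    )');
    return $pdo;
}

// On login. "INSERT OR REPLACE" is SQLite syntax; use the equivalent upsert
// on MySQL or PostgreSQL.
function register_session(PDO $pdo, string $sid, int $userId, int $ttl): void
{
    if (!is_well_formed_sid($sid)) {
        throw new InvalidArgumentException('malformed session id');
    }
    $st = $pdo->prepare('INSERT OR REPLACE INTO sessions (id, user_id, expires_at)
                         VALUES (:id, :uid, :exp)');
    $st->execute([':id' => $sid, ':uid' => $userId, ':exp' => time() + $ttl]);
}

// On logout: deleting the row is what actually ends the session. A replayed
// request carrying the old cookie fails the check below even if the browser
// served the old page from its cache.
function revoke_session(PDO $pdo, string $sid): void
{
    $st = $pdo->prepare('DELETE FROM sessions WHERE id = :id');
    $st->execute([':id' => $sid]);
}

// First thing every protected script runs. Returns the user ID for a live
// session, null if the ID is malformed, unknown, revoked, or expired.
function valid_session_user(PDO $pdo, string $sid, ?int $now = null): ?int
{
    if (!is_well_formed_sid($sid)) {
        return null;
    }
    $now = $now ?? time();
    $st = $pdo->prepare('SELECT user_id FROM sessions
                         WHERE id = :id AND expires_at > :now');
    $st->execute([':id' => $sid, ':now' => $now]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Walk-through with constructed IDs (not real session output) ------------
$pdo  = open_registry();
$sid  = str_repeat('a', 26);       // constructed, well-formed
$evil = "x' OR '1'='1";            // constructed, malformed (quotes, spaces)

register_session($pdo, $sid, 42, 3600);
expect(valid_session_user($pdo, $sid) === 42,    'live session accepted');
expect(valid_session_user($pdo, $evil) === null, 'malformed id rejected before SQL');

revoke_session($pdo, $sid);                      // logout
expect(valid_session_user($pdo, $sid) === null,  'BACK + Refresh after logout is dead');

register_session($pdo, $sid, 42, -1);            // row exists but already expired
expect(valid_session_user($pdo, $sid) === null,  'expired session rejected');

echo "registry checks passed\n";
```

If the registry is used as the source of truth, call the check before session data is trusted for anything, and treat a failed check the same way whether the row is missing or expired, so a user cannot tell a revoked ID from a never-issued one.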
