  1. #1

    php logout issue

    Hi

    I have written a logout script to clear the session vars and forward to another page; see below:

    session_start();
    session_unset();
    session_destroy();
    session_write_close();
    setcookie(session_name(),'',0,'/');
    session_regenerate_id(true);
    include ("user-includes/mma-config.php");
    GoToAdminLogin();
    exit();

    On one hand it seems to work; however, if I press the back button in the browser I can still get to a page
    I shouldn't be able to access since I'm supposed to be logged out.

    How do I fix this?

  2. #2
    cpradio
    That is a caching issue; you can tell the browser not to cache that page using header (search for no-cache or cache expiration).

    You should see that since you are logged out, refreshing the page or submitting a form should redirect you to a login page.

  3. #3
    It is loaded from the browser cache, but they may not be able to take action on the page. Are they able to do it?

    Have a session variable at the start of the page, check if it is set, and then redirect to the login page. (This will take care of it if the page is reloaded fresh.)

  4. #4
    Hi
    Yes, they are able to perform an action on a page they are supposed to be logged out of.

    Here is my code at the top of 1 page: - now that I look at it, I should be replacing session_start(); with a forward to a login page?


    if ((!isset($_SESSION['user'])) || (!isset($_SESSION['role'])) || (!isset($_SESSION['active'])))
    {
        session_start();
    }

    if ((isset($_SESSION['user'])) || (isset($_SESSION['role'])) || (isset($_SESSION['active'])))
    {
        if (($_SESSION['role'] != "admin") || ($_SESSION['role'] != "ltd"))
        {
            include ("../user-includes/mma-config.php");
            $_SESSION['error'] = "You are not authorized to access this area.";
            GoToOops();
            exit();
        }
        if ($_SESSION['active'] != "Y")
        {
            include ("../user-includes/mma-config.php");
            $_SESSION['error'] = "You are not authorized to access this area.";
            GoToOops();
            exit();
        }
    }

  5. #5
    Originally posted by kath:
        Hi
        Yes they are able to perform an action on a page they are supposed to be logged out of

    This is enough to remove the session: session_destroy();

    Are you keeping login credentials in the session? Are the credentials validated on each page? It depends on how you have implemented the code.

  6. #6
    Hi

    The login creds are validated on each page.

    However, I am unsure if I am doing the coding correctly.
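
Added example (not code from any poster in this thread): a fail-closed version of the page guard from post #4, together with a logout routine and the no-cache headers suggested in post #2. In post #4's guard the role and active checks are skipped when none of the session keys is set, and the condition role != "admin" || role != "ltd" is true for every role; the sketch below requires all three keys and uses an allow-list instead. LOGIN_URL and the function names are assumptions, and a plain Location header stands in for the thread's GoToAdminLogin()/GoToOops() helpers, whose definitions are not shown.

```php
<?php
// Added example, not the thread's code. LOGIN_URL is an assumed path.
const LOGIN_URL = '/admin/login.php';
const ALLOWED_ROLES = ['admin', 'ltd'];   // roles named in post #4

// Fail closed: all three keys must exist AND hold accepted values.
function session_is_authorized(array $s): bool
{
    return isset($s['user'], $s['role'], $s['active'])
        && in_array($s['role'], ALLOWED_ROLES, true)
        && $s['active'] === 'Y';
}

// Call at the top of every protected page, before any output.
function require_admin_session(): void
{
    session_start();   // always start it; $_SESSION is empty until then
    // Keep the browser from re-showing this page from cache after logout.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
    if (!session_is_authorized($_SESSION)) {
        header('Location: ' . LOGIN_URL);
        exit();
    }
}

// Logout: empty the data, expire the cookie, destroy the stored session.
function logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . LOGIN_URL);
    exit();
}

// Constructed sample sessions, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    var_dump(session_is_authorized([]));
    var_dump(session_is_authorized(['user' => 'u1', 'role' => 'ltd', 'active' => 'Y']));
    var_dump(session_is_authorized(['user' => 'u1', 'role' => 'guest', 'active' => 'Y']));
}
```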

