Forum Moderators: coopster
The login uses SESSIONS and works fine but when the user logs out and clicks the browser "Back" button, the previous logged in page will still load in the browser window. If you Refresh, the window loads the Login page but the URL in the address bar doesn't change.
I have used the identical login/logout scheme on numerous other sites and, if the user is logged out and clicks the browser "Back" button, the previous page will NOT load and the browser is redirected to the login and the address bar reflects the login address.
This is what I have at the top of all the logged in (protected) pages:
<?php
session_start();
if (!isset($_SESSION['valid_user']) || empty($_SESSION['valid_user']) || $_SESSION['level'] !== '1') {
header("Location: http://" . $_SERVER['HTTP_HOST'] . "..."); // scheme assumed; the rest of the target URL is elided in the original post
exit;
}
?>
The logout script is:
<?php
session_start();
session_unset();
session_destroy();
?>
Not sure why the page will load if "Back" button clicked or why the Header("Location...."); doesn't appear to actually redirect the browser if user is not logged in. I've looked at the PHP versions on different sites that use the scheme and they're the same. It's the same host company but on a different shared hosting server than the other sites that work correctly.
I think it's one of those issues that's really more annoying than anything else but would like to solve it.
It shouldn't make a huge difference though. If you have your session authentication in an included file or function then include that on every single page, even if they can go back and see the page they won't be able to do anything with it.
I've tried clearing the session id and setting the session id cookie to empty and anything else I can think of.
To test I set the logout to set the session id cookie to '' (empty) and echoed it and when using "Back" it printed on the page after logging out but the page could not be refreshed so the session had been destroyed. The server php cache setting is "no-cache". So I'm wondering about a caching issue.
On all the other sites I have used this login/logout scheme there has never been any kind of issue and going back always redirects to the login page. As I stated before it's more annoying than anything because the page is not "workable". It just looks "insecure" to be able to go back once logged out.
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
// For example:
// session_name('mySession');
session_start();
$_SESSION = array();
session_destroy();
(example from the session_destroy() page on php.net)
I was able to destroy the session variables ok but was able to use the "Back" button to visit all the previous pages in the browser history without being bounced to the login until I reloaded the page which has never happened with this exact script and page check include.
try and make a case for the difference between this
$_SESSION = array();
session_destroy();
and this
session_unset();
session_destroy();
the manual is more than a little ambiguous on this point and the user comments recommend the opposite.
and back on point
pjgarrit, I think you might have to live with the annoyance, you seem to have done everything right but it seems to be messing with you anyway.
you could also try stepping it out, not sure if it will work.
use header to go to logout.php then have no output, just session nuking and then header again to login.php
tried your suggestion (which is kind of what khaki monster's logout does):
logout.php:
<?php
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
header("Location: http://" . $_SERVER['HTTP_HOST'] . "..."); // scheme assumed; the rest of the target URL is elided in the original post
?>
I get redirected fine to /support/loggedout and
loggedout tests for any session variables and there are none set but I can still use the "Back" button to go back to the logged in page. If I click a link on that page, I get bounced to the login page.
(login, logout and loggedout are all .php pages rewritten to eliminate the .php extension.)
Thanks for the suggestions, all. I have other sites with this hosting company and the scripts work fine but they're on different physical servers. I think I'll request a move - lost confidence in this one.
since the script has some "invisible" flaw and you are concerned about security, have the logout script redirect you to the login.php in a new browser window, while you close the current one (you can do this with javascript).
This way you send the user to the desired page, while patching (in an awkward yet firm way) the security hole.
not much help with the code, but just an idea until you figure out the problem
try and make a case for the difference
The biggest case would be the difference in speed and processor/memory use if you ask me. I'm not a developer/maintainer of the source code so I would love to hear their basis for the statement ... but that would be my guess. And some might disagree, perhaps state that this argument is marginal. But what if you have thousands of sessions running at any given time, or even tens of thousands? I try to write my code as efficient as possible so it will scale nicely. Even so, let's take a closer look ...
On the surface both methods seemingly do the same thing. However, the deprecated method incurs the overhead of a function call. A peek at the underlying source code shows the function call includes clearing the hash for any registered globals and registered long arrays (HTTP_SESSION_VARS) as well if they haven't been disabled in the php.ini. If you aren't using either, which you shouldn't be anymore as one is a security issue and the other is deprecated, then there is no need to incur the overhead of a function call -- just initialize the $_SESSION variable instead. Much faster.
Back to topic ...
pjgarrit, you don't happen to be using a custom session handler, do you?
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
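The cache headers above, put together with the session check and logout from earlier in the thread, as an added example (not any poster's code): it assumes the login page is at /login and that the session is keyed on $_SESSION['valid_user'] and $_SESSION['level'] as in the posted guard.

```php
<?php
// auth_check.php: include at the top of every protected page.
// Added example for this thread; not any poster's code. Assumes the
// login page lives at /login and the session keys used in the thread.

function send_no_store_headers(): void
{
    // Without no-store the browser may serve the protected page from its
    // cache (or back/forward cache) after logout, which is exactly the
    // "Back" button behaviour described in the thread.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                        // HTTP/1.0 caches
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');  // date in the past
}

function require_login(string $login_url = '/login'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    $ok = !empty($_SESSION['valid_user']) && ($_SESSION['level'] ?? null) === '1';
    if (!$ok) {
        // 303 makes the redirect explicit; exit stops the protected page
        // body from being sent after the Location header.
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

function logout(string $after_logout_url = '/login'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop all session data
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie so the old id is not sent again.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session
    send_no_store_headers();
    header('Location: ' . $after_logout_url, true, 303);
    exit;
}
```

Call require_login() at the top of each protected page and logout() from logout.php; the exit after the redirect in logout and the no-store header on every protected page are the two things the scripts posted earlier in the thread do not have.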