Killing session from a form submission

Forum Moderators: coopster

Message Too Old, No Replies

Killing session from a form submission

how can I use session_destroy() with onSubmit?

RobOgden

11:37 am on Oct 23, 2004 (gmt 0)

I have a shopping cart page written in PHP. It is for listings. People can delete their listings (using one form button), and then go to secure payment (using another form with hidden fields containing the payment details). They mustn't be able to use the back button from the payment pages, as they could then alter their order after submission!
I wanted to have:
echo "
<form action=\"https://***" method=\"post\" onsubmit=\"";
unset($_SESSION['mySessionId']); session_destroy(); echo "\">
";

But I realise that the session_destroy overrides anything else, and doesn't only act on the onSubmit.

The secure payment pages are in HTML, so I can't put the session_destroy() there.

Any solutions anyone?!

ergophobe

4:21 pm on Oct 24, 2004 (gmt 0)

You can't do any PHP from the client side (i.e. with onsubmit events), so you'll need to submit to a PHP page and have it kill the session. Only a php page can safely destroy a php session -- anyone with a shell access and permissions on your session dir can kill sessions, but not safely ;-)

You could go to a PHP script that unsets the session and then redirects to the payment page, but you would then need a way of getting any post data from one page to the next, which you can't be doing with pure html either really, so you must either not be passing post data at this point or you've got some CGI script running.

Tom