samona Posted May 19, 2011 Share Posted May 19, 2011 Hi, I want to end a session when a registered user is asked to login again but enters the incorrect credentials. I'm destroying the session and taking the user back to the login page, but for some reason when s/he clicks "back" on the browser s/he is able to get back into her/his account. Any ideas? Quote Link to comment Share on other sites More sharing options...
jakebur01 Posted May 19, 2011 Share Posted May 19, 2011 You might could implement some sort of redirect or page refresh into some of your pages. Put it within an if statement so it doesn't continuously refresh or reload over and over. This is javascript, but I use it sometimes after a database insert or form submit to keep people from being able to refresh the page or hit the back button and submit the same form twice. <script type="text/javascript"> <!-- window.location = "http://www.google.com/" //--> </script> Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted May 19, 2011 Share Posted May 19, 2011 What do you mean by being able to access their account? Do they just see the page as if logged in or are they able to interact and do stuff with their account? Quote Link to comment Share on other sites More sharing options...
samona Posted May 19, 2011 Author Share Posted May 19, 2011 If an administrator is logged in and wishes to visit the admin pages he is required to login. However, if his login fails he is sent to the login page and his session is destroyed. Also, if a regular user attempts to login to the admin pages, his session is destroyed and he is sent back to the login page. However, if he clicks back, he is still able to get into his account. It seems as though the session isn't really destroyed. if (!$session->isAdmin()) { $session->destroySession(); header('Location: ../login.php'); exit(); } public function destroySession() { $_SESSION = array(); session_destroy(); } Quote Link to comment Share on other sites More sharing options...
DavidAM Posted May 19, 2011 Share Posted May 19, 2011 I don't know why they called it session_destroy(). It does not really destroy the session. The session data file is left on the server and the session cookie is left on the client. If you look at the manual for that function, the first example given does a lot more than call session_destroy(). Here is the code from the example: <?php // Initialize the session. // If you are using session_name("something"), don't forget it now! session_start(); // Unset all of the session variables. $_SESSION = array(); // If it's desired to kill the session, also delete the session cookie. // Note: This will destroy the session, and not just the session data! if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"] ); } // Finally, destroy the session. session_destroy(); ?> It may be sufficient to clear the $_SESSION array, since that will remove all data from the session. Even if they go back to a previous page, a call to session_start() would result in an empty $_SESSION array; which should mean that there is NOT a logged in user. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.