seveninstl Posted September 18, 2011

I have coded an 'admin system' that uses sessions. When the user logs out, I don't want them to be able to use the browser's back button to get back into the system. I use the following code for this.

```php
<?php
session_start();

// Clear all session variables
$_SESSION = array();

// Expire the session cookie in the browser
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]);
}

// Destroy the server-side session data
session_destroy();
?>
```

This works great to make sure someone else can't just walk up to the computer, hit the back button and get into the admin system. The problem is, now no one can log in legitimately through the login page either! It seems to disable either sessions or cookies or both. Any ideas????

creata.physics Posted September 18, 2011

After logging in try to check your cookies in your browser and see if the cookie you are trying to set actually got set. Also, are these two different files, one file for logging in and one for logging out?

voip03 Posted September 18, 2011

I think you are confused with session and cookies.

Cookies
Hypertext Transfer Protocol (HTTP) cookies are bits of data that are sent back and forth between a client (usually a browser) and a server.
http://www.w3schools.com/php/php_cookies.asp

Session
A PHP session variable is used to store information about, or change settings for, a user session.
http://www.w3schools.com/php/php_sessions.asp

seveninstl (Author) Posted September 18, 2011

> After logging in try to check your cookies in your browser and see if the cookie you are trying to set actually got set. Also, are these two different files, one file for logging in and one for logging out?

creata.physics - thanks for the comment. You helped me realize my mistake - no, they were not different files. I was destroying the session and the cookie and then displaying HTML to allow the user to log back into the admin system in the same file. I changed the logout file to destroy the session and cookie, then redirect to a file that allows the user to log back in - this works great! Thanks again for the simple, but eye-opening comment.

creata.physics Posted September 18, 2011

Glad I was able to help. If you are not experiencing this issue anymore, please mark this topic as solved.

seveninstl (Author) Posted September 18, 2011

Actually, it still didn't do exactly what I wanted it to. It did log the user out, then stopped the user from clicking the back button to get back in. And it did allow for new logins. But, I noticed that if the user hit the back button twice or used the back drop-down, they could still get in. So, this is what I did with the logout code... and it works.

```php
<?php
session_start();

// Clear all session variables
$_SESSION = array();
unset($PHPSESSID);

// Issue a new session ID, then destroy the session data
session_regenerate_id();
session_destroy();

// Show a notice and redirect to accessDenied.html after 3 seconds
print "
<html>
<head>
<meta HTTP-EQUIV=\"REFRESH\" content=\"3; url=accessDenied.html\">
</head>
<body>
<br />
You are being logged out of the system...
</body>
</html>";
?>
```

In the admin system, my code checks the session id to verify the user. So, I am forcing a change in the session id with 'session_regenerate_id().' If the back button is clicked (or the back drop-down used), the ids don't match.

creata.physics Posted September 18, 2011

You said when you click the back button twice the user is still logged in, well, it may say you're logged in, but you may actually not be. After hitting the back button twice to see if you're logged in, and you are, once you refresh the page, are you still logged in? If not, then there is no issue.
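
Added example, not code from any poster in this thread: a sketch of the pattern the discussion converges on, where every admin page re-checks the session on the server and asks the browser not to keep a copy, so a Back navigation after logout re-requests the page and hits the check. The function names, the `user_id` session key and `login.php` are assumptions made for illustration.

```php
<?php
// Added example. Function names, 'user_id' and login.php are assumed, not from the thread.

// Call at the top of every admin page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to store this response, so the Back button
    // re-requests the page and the session check below runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    // The server-side session is the only source of truth for "logged in".
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php', true, 303);
        exit;
    }
}

// Call once the submitted credentials have been verified.
function login_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New ID at the privilege change; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Body of a separate logout script: destroy the session, then redirect
// so the login form is served by a different request.
function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php', true, 303);
    exit;
}
```

If a page still appears after logout, reloading it shows the real state: the request reaches `require_login()` and is redirected because the session no longer exists.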