
Logging out - session_destroy


seveninstl


I have coded an 'admin system' that uses sessions.  When the user logs out, I don't want them to be able to use the browser's back button to get back into the system.  I use the following code for this.

 

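<?php
// Resume the current session so it can be torn down.
session_start();

// Clear all session variables.
$_SESSION = array();

// Expire the session cookie in the browser, using the same parameters it was set with.
if (ini_get("session.use_cookies")) 
{
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}

// Delete the session data on the server.
session_destroy();
?>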

 

This works great to make sure someone else can't just walk up to the computer, hit the back button and get into the admin system.  The problem is, now no one can login legitimately through the login page either!  It seems to disable either sessions or cookies or both.

 

Any ideas????


I think you are confused about sessions and cookies.

Cookies

Hypertext Transfer Protocol (HTTP) cookies are bits of data that are sent back and forth between a client (usually a browser) and a server.

http://www.w3schools.com/php/php_cookies.asp

 

Session

A PHP session variable is used to store information about, or change settings for, a user session.

http://www.w3schools.com/php/php_sessions.asp

 


After logging in try to check your cookies in your browser and see if the cookie you are trying to set actually got set.

 

Also, are these two different files, one file for logging in and one for logging out?

 

creata.physics - thanks for the comment.  You helped me realize my mistake - no, they were not different files.  I was destroying the session and the cookie and then displaying html to allow the user to log back into the admin system in the same file.

 

I changed the logout file to destroy the session and cookie, then redirect to a file that allows the user to log back in - this works great!

 

Thanks again for the simple, but eye-opening comment  :D


Actually, it still didn't do exactly what I wanted it to.  It did log the user out, then stopped the user from clicking the back button to get back in.  And it did allow for new logins.  But, I noticed that if the user hit the back button twice or used the back drop-down, they could still get in.  So, this is what I did with the logout code... and it works.

 

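<?php

// Resume the current session and clear its variables.
session_start();
$_SESSION = array();
// $PHPSESSID only exists as a variable when register_globals is enabled;
// unsetting it does not change the session itself.
unset($PHPSESSID);
// Issue a new session ID, then delete the session data on the server.
session_regenerate_id();
session_destroy();

// Show a short notice, then send the browser to accessDenied.html after 3 seconds.
print "	<html>
		<head>
			<meta HTTP-EQUIV=\"REFRESH\" content=\"3; url=accessDenied.html\">
		</head>
		<body>
			<br />
			You are being logged out of the system...
		</body>
		</html>";
?>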

 

In the admin system, my code checks the session ID to verify the user.  So, I am forcing a change in the session ID with 'session_regenerate_id()'.  If the back button is clicked (or the back drop-down used), the IDs don't match.

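A sketch of the logout flow discussed in this thread, as an added example that is not code from any of the posters: the session is checked on every admin page, those pages are marked as non-cacheable so the Back button cannot redisplay them, and logout redirects to a separate login file. The function names, `login.php` and the `$_SESSION['user_id']` key are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. require_login(), on_login_success(),
// logout(), login.php and $_SESSION['user_id'] are hypothetical names.

// Call at the top of every admin page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to keep a copy of the page, so Back re-requests it
    // and reaches the session check below instead of showing cached HTML.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Call once the submitted credentials have been verified (session already started).
function on_login_success(int $userId): void
{
    session_regenerate_id(true);   // new ID for the authenticated session
    $_SESSION['user_id'] = $userId;
}

// Call from logout.php only; the login form lives in its own file.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                // clear session variables

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();             // delete the server-side session data

    header('Location: login.php'); // redirect rather than render the form here
    exit;
}
```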
