logout sessions

DGW
Forum Newbie
Posts: 5
Joined: Mon Jul 21, 2003 2:06 pm

logout sessions

Post by DGW »

Hi,

I have developed a basic membership system, using sessions.

I want to make it so that after the user logs out, if s/he presses the back button, it does NOT take him/her back to the previous page (i.e. a page that requires a user to be logged in to view).

Rather, I want it to be redirected to the login page again, with some sort of "Your login session has expired" error.

I've seen a lot of membership systems (emails, forums, etc.) that have this, but I am lost at how to do this myself...

Does anyone have any idea?
THANKS in advance!!!
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Well it will partially depend on the user's browsers. Most browsers follow the spec's suggestions that back/forward buttons load the cached version of the page, even if no-cache were specified. For those browsers that resubmit on back/forward just make sure that part of your standard header/includes tests for a valid session and in the invalid case redirects.
DGW
Forum Newbie
Posts: 5
Joined: Mon Jul 21, 2003 2:06 pm

Post by DGW »

Hmm...I sort of understand what you are talking about but I'm not sure how to do it though.

I know hotmail, after you log out, if you press the back button, it'll tell you to log in again or something like that.
rob.weaver
Forum Newbie
Posts: 8
Joined: Tue Apr 22, 2003 11:18 am
Location: Houston, TX USA

a possible solution

Post by rob.weaver »

ok.. from what I am understanding ...

You want each page to be validated and if the person logs off, they get a message that their session has expired and they are then re-directed to the login screen. Is this right?

If so,

I would suggest creating a verify script to include on every page that you want authenticated. Within this verify script, you should put the forwarding script and link if it doesn't forward them..

so you would have

(example of hotmail)
verify script
header
user email
footer

Here is an example verify script...with redirection built in... make sense?

<?php
session_start();

// Case 1: no session marker at all (never logged in, or the session is gone).
if (!isset($_SESSION['sesid'])){
echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?PHP
echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
echo "<br>Session Not Set<br>";
// Both the META refresh and the JavaScript timer fire after 10 seconds.
echo "If you are not re-directed to the login page within 10 seconds, ";
echo "please click <a href=\"login.php\">here</a> to log in again.";
echo "</BODY></HTML>";
exit;

// Case 2: a session exists, but it does not match the current session ID,
// the SID passed in the URL is missing or different, or the login flag is not set.
}elseif ($_SESSION['sesid'] <> Session_ID() or !isset($_GET['SID']) or $_GET['SID'] <> Session_ID() or $_SESSION['login'] <> "success"){
echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?PHP
echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
echo "If you are not re-directed to the login page within 10 seconds, ";
echo "Please click <a href=\"login.php\">here</a> to log in again.";
echo "</BODY></HTML>";
exit;
}else{
// Session is valid: fall through to the page that included this script.
//place holder file
}?>
redhair
Forum Contributor
Posts: 300
Joined: Fri May 30, 2003 4:36 pm
Location: 53.23N-6.57E

Post by redhair »

please.. use the php highlighting function when posting php code :!:
flor ^^
Forum Newbie
Posts: 1
Joined: Thu Jul 31, 2003 10:20 am

Post by flor ^^ »

hi all,

thanks to my friend DGW for asking my question.

anyhow, thanks to rob.weaver for typing out all that code. i've read it but i think it's not quite what i'm looking for. you see, the problem here is that once the php script is run for the first time, an html page is generated and sent to the client. this html page is cached.

so if a user presses the back button to go to that page, the page is nOt a new page generated by the script, rather, it is just the previous html that was cached. the critical point then, is that there is nO access to check whether the session still exists~

i've been looking up headers, cache-control, and expires, but it doesn't seem to work!! did i do anything wrong??? i'm using IE6

(a lot of the below is straight from the php.net documentation for headers() function)

firstpage.php:

Code: Select all

<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0", false);
header("Pragma: no-cache");

echo "Hello<br>";
echo "<a href='anotherpage.html'>link</a>";
?>
by "doesn't seem to work" i mean, i open firstpage.php, then i click on the <a> tag 'link', then i press back button, what i WANT to happen is i get some sort of http error; what DOES happen is, i get back to the html generated by firstpage.php the first time :(
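
A session guard and logout that combine the verify-script idea and the cache headers discussed in the posts above, as an added example that is not code from any poster in this thread. It assumes PHP 7.1 or later, a `login.php` page, and the hypothetical names `$_SESSION['user_id']`, `$_SESSION['last_seen']` and `IDLE_LIMIT`. The session check runs on every request the server receives, while `no-store` only asks the browser not to reuse its stored copy on Back.

```php
<?php
// auth.php: added example, included at the top of every protected page.
// Assumed names: login.php, $_SESSION['user_id'], $_SESSION['last_seen'], IDLE_LIMIT.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds

function send_no_store_headers(): void
{
    // Ask the browser not to keep a copy of the page. Browsers that honour this
    // on Back re-request the page, so the session check in require_login() runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function session_is_valid(array $session, int $now): bool
{
    return isset($session['user_id'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

function require_login(): void
{
    session_start();
    send_no_store_headers();
    if (!session_is_valid($_SESSION, time())) {
        logout('expired'); // redirects to login.php and exits
    }
    $_SESSION['last_seen'] = time();
}

function logout(string $reason = 'logout'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    // Expire the session cookie in the browser as well as the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    send_no_store_headers();
    header('Location: login.php?reason=' . rawurlencode($reason), true, 303);
    exit;
}
```

Protected pages call `require_login()` before any output, and the logout page calls `logout()`. `login.php` is assumed to set both session keys and call `session_regenerate_id(true)` after a successful login, and to show the "session has expired" message when `reason=expired`.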
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Yes, as I said. That is the "correct" (as defined by the http spec) behavior, to the best of my knowledge. Some old browsers (notably Netscape 4.x) resubmitted forw/back buttons in violation of the spec so some people grew to expect it. Because the spec specified the behavior as something that overrides headers/cache control it's hard to avoid.

However I developed a "back button detector" that seems to work pretty well on most browsers. Why it works, I'm not sure... it shouldn't... here's the code: (OLD code, designed for php 4.0.4pl?, uses the old $HTTP_VARS)

Code: Select all

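// Send the redirect header; append the session ID to the URL
// when the client did not return a session cookie.
function localRedirect($url)
{
    GLOBAL $HTTP_COOKIE_VARS;
    if (isset($HTTP_COOKIE_VARS["PHPSESSID"]))
        header($url);
    else
        header($url . "?" . SID);
}

// Allow the request only if it came from one of the pages listed in $referers
// and every variable that page requires is present in POST or in the session.
// Anything else is redirected to back.php.
function restrictNavigation($referers)
{
    GLOBAL $HTTP_REFERER, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
    GLOBAL $baseURL;
    $url = $HTTP_REFERER;

    // Normalize the referer: force the scheme to http://
    // and drop any #fragment and ?query string.
    $protocol = strpos($url,'://');
    if ($protocol)
    {
        $url = substr($url,$protocol+3,strlen($url));
        $url = "http://".$url;
    }
    $hash = strpos($url,'#');
    if ($hash)
        $url = substr($url,0,$hash);
    $ques = strpos($url,'?');
    if ($ques)
        $url = substr($url,0,$ques);
    reset($referers);
    while ($aLegalPage = each($referers))
    {
        $page = $aLegalPage["value"]["PAGE"];
        $requiredVars = $aLegalPage["value"]["VARS"];
        if ($page==$url)
        {
            // Referer is a legal page: check its required variables.
            $numVars = count($requiredVars);
            for ($i=0;$i<$numVars;$i++)
            {
                $varName = $requiredVars[$i];
                $tempPost = $HTTP_POST_VARS["$varName"];
                $tempSess = $HTTP_SESSION_VARS["$varName"];
                if ($tempPost=="" && $tempSess=="")
                {
                    localRedirect("Location: $baseURL/back.php");
                    exit;
                }
            }
            return true;
        }
    }
    // Referer missing or not in the list: treat as back navigation.
    localRedirect("Location: $baseURL/back.php");
    exit;
}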
It is called like

Code: Select all

restrictNavigation(array(array("PAGE"=>"$baseURL/index.php",
                               "VARS"=>array()),
                         array("PAGE"=>"$baseURL/otherPage.php",
                               "VARS"=>array("foo"))));
with the meaning that old page transitions from index.php or otherpage (and only if foo is given a value) will be allowed. Back navigation tends to also not set HTTP_REFERER so it is automatically blocked.

Note most users absolutely HATE this.