logout sessions
Posted: Wed Jul 30, 2003 12:26 pm
by DGW
Hi,
I have developed a basic membership system, using sessions.
I want to make it so that after the user logs out, if s/he presses the back button, it does NOT take him/her back to the previous page (i.e. a page that requires a user to be logged in to view).
Rather, I want it to be redirected to the login page again, with some sort of "Your login session has expired" error.
I've seen a lot of membership systems (emails, forums, etc.) that have this, but I am lost at how to do this myself...
Does anyone have any idea?
THANKS in advance!!!
Posted: Wed Jul 30, 2003 12:38 pm
by nielsene
Well it will partially depend on the user's browsers. Most browsers follow the spec's suggestions that back/forward buttons load the cached version of the page, even if no-cache were specified. For those browsers that resubmit on back/forward just make sure that part of your standard header/includes tests for a valid session and in the invalid case redirects.
Posted: Wed Jul 30, 2003 12:57 pm
by DGW
Hmm...I sort of understand what you are talking about but I'm not sure how to do it though.
I know hotmail, after you log out, if you press the back button, it'll tell you to log in again or something like that.
a possible solution
Posted: Wed Jul 30, 2003 2:27 pm
by rob.weaver
ok.. from what I am understanding ...
You want each page to be validated and if the person logs off, they get a message that their session has expired and they are then re-directed to the login screen. Is this right?
If so,
I would suggest creating a verify script to include on every page that you want authenticated. Within this verify script, you should put the forwarding script and link if it doesn't forward them..
so you would have
(example of hotmail)
verify script
header
user email
footer
Here is an example verify script...with redirection built in... make sense?
<?php
session_start();
// No session id stored: the user never logged in or has already logged out.
if (!isset($_SESSION['sesid'])) {
    echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?php
    echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
    echo "<br>Session Not Set<br>";
    echo "If you are not re-directed to the login page within 5 seconds, ";
    echo "please click <a href=\"login.php\">here</a> to log in again.";
    echo "</BODY></HTML>";
    exit;
// Stored id does not match the current session, the SID in the URL is
// missing or different, or the login flag is not set.
} elseif ($_SESSION['sesid'] <> session_id() or !isset($_GET['SID']) or $_GET['SID'] <> session_id() or $_SESSION['login'] <> "success") {
    echo "<HTML>";
?>
<HEAD><TITLE>Logged Out</TITLE>
<LINK REL=STYLESHEET HREF="../../utility/main.css" TYPE="text/css">
<META HTTP-EQUIV="Refresh" CONTENT="10;URL=login.php">
<SCRIPT LANGUAGE="JavaScript"><!--
function redirect () { setTimeout("go_now()",10000); }
function go_now () { window.location.href = "login.php"; }
//--></SCRIPT>
</HEAD>
<BODY onLoad="redirect()">
<?php
    echo "<h2>You Are Logged Out</h2> - or - <h2>Your Login Has Expired</h2>";
    echo "If you are not re-directed to the login page within 5 seconds, ";
    echo "Please click <a href=\"login.php\">here</a> to log in again.";
    echo "</BODY></HTML>";
    exit;
} else {
    // place holder: session is valid, the including page continues
}
?>
Posted: Wed Jul 30, 2003 3:16 pm
by redhair
please.. use the php highlighting function when posting php code

Posted: Thu Jul 31, 2003 10:20 am
by flor ^^
hi all,
thanks to my friend DGW for asking my question.
anyhow, thanks to rob.weaver for typing out all that code. i've read it but i think it's not quite what i'm looking for. you see, the problem here is that once the php script is run for the first time, an html page is generated and sent to the client. this html page is cached.
so if a user presses the back button to go to that page, the page is nOt a new page generated by the script, rather, it is just the previous html that was cached. the critical point then, is that there is nO access to check whether the session still exists~
i've been looking up headers, cache-control, and expires, but it doesn't seem to work!! did i do anything wrong??? i'm using IE6
(a lot of the below is straight from the php.net documentation for headers() function)
firstpage.php:
Code: Select all
<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0", false);
header("Pragma: no-cache");
echo "Hello<br>";
echo "<a href='anotherpage.html'>link</a>";
?>
by "doesn't seem to work" i mean, i open firstpage.php, then i click on the <a> tag 'link', then i press back button, what i WANT to happen is i get some sort of http error; what DOES happen is, i get back to the html generated by firstpage.php the first time
Posted: Thu Jul 31, 2003 10:39 am
by nielsene
Yes, as I said. That is the "correct" (as defined by the http spec) behavior, to the best of my knowledge. Some old browsers (notably Netscape 4.x) resubmitted forw/back buttons in violation of the spec so some people grew to expect it. Because the spec specified the behavior as something that overrides headers/cache control it's hard to avoid.
However I developed a "back button detector" that seems to work pretty well on most browsers. Why it works, I'm not sure... it shouldn't... here's the code: (OLD code, designed for php 4.0.4pl?, uses the old $HTTP_VARS)
Code: Select all
// Send the redirect header, appending the session id to the URL
// when the browser did not return the session cookie.
function localRedirect($url)
{
    GLOBAL $HTTP_COOKIE_VARS;
    if (isset($HTTP_COOKIE_VARS["PHPSESSID"]))
        header($url);
    else
        header($url . "?" .SID);
}

// Allow the request only if the referring page is in $referers and every
// variable required for that page has a value; otherwise go to back.php.
function restrictNavigation($referers)
{
    GLOBAL $HTTP_REFERER, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
    GLOBAL $baseURL;
    // Normalise the referer: force http://, drop fragment and query string.
    $url = $HTTP_REFERER;
    $protocol = strpos($url,'://');
    if ($protocol)
    {
        $url = substr($url,$protocol+3,strlen($url));
        $url = "http://".$url;
    }
    $hash = strpos($url,'#');
    if ($hash)
        $url = substr($url,0,$hash);
    $ques = strpos($url,'?');
    if ($ques)
        $url = substr($url,0,$ques);
    reset($referers);
    while ($aLegalPage = each($referers))
    {
        $page = $aLegalPage["value"]["PAGE"];
        $requiredVars = $aLegalPage["value"]["VARS"];
        if ($page==$url)
        {
            // Each required variable must be set in POST or in the session.
            $numVars = count($requiredVars);
            for ($i=0;$i<$numVars;$i++)
            {
                $varName = $requiredVars[$i];
                $tempPost = $HTTP_POST_VARS["$varName"];
                $tempSess = $HTTP_SESSION_VARS["$varName"];
                if ($tempPost=="" && $tempSess=="")
                {
                    localRedirect("Location: $baseURL/back.php");
                    exit;
                }
            }
            return true;
        }
    }
    // Referer missing or not in the allowed list.
    localRedirect("Location: $baseURL/back.php");
    exit;
}
It is called like
Code: Select all
restrictNavigation(array(array("PAGE"=>"$baseURL/index.php",
                               "VARS"=>array()),
                         array("PAGE"=>"$baseURL/otherPage.php",
                               "VARS"=>array("foo"))));
with the meaning that old page transitions from index.php or otherpage (and only if foo is given a value) will be allowed. Back navigation tends to also not set HTTP_REFERER so it is automatically blocked.
Note most users absolutely HATE this.
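
Added example, not part of any post in this thread: a verify include for current PHP that combines the two ideas discussed above, a server-side session check on every protected page plus headers asking the browser not to keep a copy, together with a logout that really ends the session. It assumes the session id travels in a cookie and that login.php sets $_SESSION['login'] = 'success'; the function names and the expired=1 query flag are hypothetical.

```php
<?php
// Added example: verify.php, included at the top of every protected page.
// Assumptions: session id in a cookie; login.php sets $_SESSION['login'].
// Usage on a protected page:  require 'verify.php'; require_login();
// Usage in logout.php:        require 'verify.php'; logout();

function send_no_store_headers(): void
{
    // Ask browsers and proxies not to keep a copy of the protected page.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    if (($_SESSION['login'] ?? '') !== 'success') {
        // No valid session: redirect with a flag (hypothetical name) that
        // login.php can turn into "Your login session has expired".
        header('Location: ' . $loginUrl . '?expired=1', true, 302);
        exit;
    }
}

function logout(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop all session data
    if (ini_get('session.use_cookies')) { // expire the session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session
    header('Location: ' . $loginUrl, true, 302);
    exit;
}
```

The session check is what protects the page: any request that reaches the server after logout is redirected, while the headers only reduce the chance that the browser redisplays a stored copy without asking.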