I've used a fairly old tutorial to implement a secure PHP login...
http://www.mtdev.com/2002/07/creating-a ... gin-script
My question is this...
How does session_defaults() log the user out if they clicked "Remember Me"?
Doesn't the cookie have to be destroyed or changed in addition to session_defaults()?
Secure Login
- John Cartwright
Re: Secure Login
The cookie is maintained, however, its values are changed to represent them as logged out (which leaves the logic up to the application, versus the absence of the cookie itself).
Re: Secure Login
The logout function simply makes a call to session_defaults(), which updates the $_SESSION array, but it doesn't do anything to the cookie. So, as far as I can tell, after logging out, the user's session variable 'logged' is set to false, but isset($_COOKIE['mtwebLogin']) is true so then the user is logged in automatically and the session is reconstructed from the Cookie. Hence, the user can never log out.
This is how the code seems to behave on my server, and so I'm trying to figure out what is happening.
Code:
function User(&$db) {
    // Decide how to establish login state for this request
    $this->db = $db;
    $this->date = $GLOBALS['date'];
    if ($_SESSION['logged']) {
        // Session says logged in: validate it
        $this->_checkSession();
    } elseif ( isset($_COOKIE['mtwebLogin']) ) {
        // No logged-in session, but the "Remember Me" cookie is present
        $this->_checkRemembered($_COOKIE['mtwebLogin']);
    }
}
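An added sketch, not the tutorial's or either poster's code, of the session-then-cookie check discussed in this thread and of a logout that also ends the remembered login. It assumes the server keeps a hash of the remember-me value per user; `$tokens`, `resolve_login`, `logout_session_only` and `logout_full` are hypothetical names, and only `logged` and `mtwebLogin` come from the posts above.

```php
<?php
// Added sketch. $session/$cookies model $_SESSION/$_COOKIE; $tokens models a
// hypothetical per-user column holding a hash of the remember-me value.

function resolve_login(array &$session, array $cookies, array $tokens): bool {
    if (!empty($session['logged'])) {
        return true;                                  // live session wins
    }
    if (isset($cookies['mtwebLogin'])) {              // "Remember Me" path
        $seen = hash('sha256', $cookies['mtwebLogin']);
        foreach ($tokens as $uid => $stored) {
            if (hash_equals($stored, $seen)) {        // constant-time comparison
                $session = ['logged' => true, 'uid' => $uid];
                return true;                          // session rebuilt from cookie
            }
        }
    }
    return false;
}

// Logout as described in the thread: only the session array is reset.
function logout_session_only(array &$session): void {
    $session = ['logged' => false, 'uid' => 0];
}

// Logout that also ends the remembered login.
function logout_full(array &$session, array &$cookies, array &$tokens): void {
    unset($tokens[$session['uid'] ?? 0]);             // server side: stored value removed
    // In a live request, also expire the cookie in the browser, e.g.
    // setcookie('mtwebLogin', '', time() - 3600, '/'); (path assumed; it must
    // match the path used when the cookie was set)
    unset($cookies['mtwebLogin']);
    $session = ['logged' => false, 'uid' => 0];
}

// Constructed data: user 7 logged in earlier with "Remember Me" ticked.
$value   = bin2hex(random_bytes(16));
$tokens  = [7 => hash('sha256', $value)];
$cookies = ['mtwebLogin' => $value];
$session = ['logged' => true, 'uid' => 7];

logout_session_only($session);                        // cookie and token untouched
var_dump(resolve_login($session, $cookies, $tokens)); // next request after this logout

logout_full($session, $cookies, $tokens);
var_dump(resolve_login($session, $cookies, $tokens)); // next request, cookie cleared

$replayed = ['mtwebLogin' => $value];                 // old cookie value presented again
var_dump(resolve_login($session, $replayed, $tokens));
```

Removing the server-side value matters as much as expiring the cookie: a copy of the old cookie then no longer matches anything the server will accept.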