Session do not get destroyed

Posted: Sun Jun 10, 2012 3:03 am
by ranura
I have these PHP files which allow a user to log in and maintain a session.
But the session does not get destroyed on logout, and the restricted page can be navigated back to by clicking the "back" button in the browser.
What can I do to solve this issue?

index.php

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<title>Test Login</title>
</head>
<body>
	<form action="login.php">
		<table>
			<tr>
				<th>Username:</th>
				<td><input class="field" type="text" width="30px" onfocus="select();" name="username" /></td>
			</tr>
			<tr>
				<th>Password:</th>
				<td><input class="field" type="password" onfocus="select();" name="password" /></td>
			</tr>
			<tr>
				<th></th>
				<td><input class="btn" type="submit" value="Login" /></td>
			</tr>
		</table>
	</form>
</body>
</html>
login.php

Code:

<?php
	include 'config.php';

	// The form has no method="post", so the credentials arrive in the query string.
	$username = $_GET["username"];
	$password = md5($_GET['password']);

	// Escape the user-supplied value before interpolating it into the query.
	$safe_username = mysql_real_escape_string($username);

	$sql = "SELECT * FROM tbl_users WHERE username='$safe_username' and password='$password'";
	$result = mysql_query($sql);

	$count = mysql_num_rows($result);

	if ($count == 1) {
		session_start();
		$_SESSION['username'] = $username;
		header("location:logged_in.php?username=$username");
		exit; // stop executing once the redirect header has been sent
	}
	else {
		header("location:login_failed.php");
		exit;
	}
?>
logged_in.php

Code:

<?php
$username = $_GET['username'];
session_start();
$_SESSION['username'] = $username;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<title>Test Login Successful</title>
</head>
<body>
	<?php echo "Welcome, " . htmlspecialchars($username); ?>
	<p>
		<input type="button" onclick="javascript:window.location.href='logout.php'" value="logout" />
	</p>
</body>
</html>
logout.php

Code:

<?php
session_start();
session_unset();
session_destroy();
// Expire the 'username' and 'password' cookies (note: the login code above never sets
// these, and this does not touch the session cookie itself).
setcookie('username', '', time() - 1*24*60*60);
setcookie('password', '', time() - 1*24*60*60);
header("location: index.php");
exit; // stop executing once the redirect header has been sent
?>

Re: Session do not get destroyed

Posted: Sun Jun 10, 2012 9:08 pm
by xtiano77
You might want to take a second look at the code that checks for a valid session. For example, unless I am reading your code incorrectly, I can click on the Browser's “back” button and view the previous page “logged_in.php” because the page starts a new session "session_start( )" and there is no code enforcing the need for a session. Below are examples I use for destroying a session, checking for a valid session and regenerating a session. I use OOP; however, you should be able to follow the code that destroys/clears the session, regenerates and checks for a valid session on every page. Now, I am sure that there are far better examples and code applications out there, especially from the senior coders in this forum alone, so if and when you find a better application, please share it with the rest of us. Hope this helps. Cheers!

Code:

public function destroySession( ){
	$_SESSION = array( );
	session_destroy( );
	// Expire the session cookie in the browser. The domain parameter must be a bare
	// host name; a value with a scheme ("http://...") is rejected and the cookie stays.
	setcookie(
		"PHPSESSID",
		"",
		time() - 1200,
		"/",
		$_SERVER["SERVER_NAME"]
	);
}

public function checkValidSession( ){
	try{
		session_start( );
		if(!isset($_SESSION) || empty($_SESSION)){
			throw new Exception("UnestablishedSessionException");
		}
		// The variables checked below should exist unless "destroySession( )" has cleared them out.
		// If any of them does not exist (has not been set), the called method throws
		// an exception, which is caught in this method. So, when I run this method at
		// the beginning of each page, if the session information sought is not available, the
		// user is redirected to the main login page.
		$this -> checkSessionTimer( );
		$this -> checkAuthorizedUser( );
		$this -> checkUserRemoteAddress( );
		$this -> checkUserAgentInformation( );
	}catch(Exception $e){
		header("Location: " . SERVER_NAME . "?logout");
		exit; // do not render the restricted page after the redirect
	}
}

public function regenerateSession($new = true){
	$oldId		= session_id( );
	$oldData	= $_SESSION;
	session_regenerate_id(true);
	session_id($oldId);
	session_destroy( );
	session_write_close();
	$newId = str_shuffle(md5(uniqid(time())));
	session_id($newId);
	session_start( );
	if(is_bool($new) && $new){
		foreach($oldData as $key => $value){
				$_SESSION[$key] = $value;
		}
	}
}
Most of the code above came from the PHP Manual, so I would recommend that you take a look at it because it contains an incredible amount of information and examples of good practices. It helped me so I know it will help you. Good luck and I hope this helps.
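To tie the two posts together, here is an added example (not code from either poster) of the pattern the reply describes: a guard called at the top of every restricted page, a logout that clears the data, the server-side record and the cookie, and an id regeneration at login. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and that login.php verifies the credentials before calling login_user(); the function names, the 30-minute idle limit and the redirect target index.php are this example's own choices.

```php
<?php
// Added example, not the thread's own code. Helper names (start_secure_session,
// require_login, logout_and_redirect, login_user) are this example's assumptions.

// Set cookie attributes before the session starts; a no-op if already started.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                           // session cookie, dropped on browser close
        'path'     => '/',
        'httponly' => true,                        // not readable by page scripts
        'secure'   => !empty($_SERVER['HTTPS']),   // only over HTTPS when the site has it
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the top of every restricted page instead of trusting $_GET['username'].
// Returns the logged-in username; redirects and stops when there is no session.
function require_login(): string
{
    start_secure_session();

    // With no-store, pressing "back" after logout re-requests the page and hits
    // this check instead of showing a copy the browser kept in its cache.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['username'])) {
        header('Location: index.php');
        exit; // without exit the rest of the page would still be sent
    }

    // Idle timeout: 30 minutes, a limit chosen for this example.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 1800) {
        logout_and_redirect();
    }
    $_SESSION['last_seen'] = time();

    return $_SESSION['username'];
}

// Remove the session data, the server-side record and the client's cookie.
function logout_and_redirect(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Call only after the credentials have been verified; never from the URL.
function login_user(string $username): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh id on privilege change, old record deleted
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
}

// Usage in a restricted page (logged_in.php):
//   $username = require_login();
//   echo "Welcome, " . htmlspecialchars($username);
// Usage in logout.php:
//   logout_and_redirect();
```

The guard does two independent things: it refuses to render without a server-side session, and it sends no-store headers so the browser does not serve the restricted page from cache after logout. Both are needed; a session check alone still lets the back button display a cached copy of the page that was rendered while the session was valid.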