Hi! I'm developing a project for school and I need to create some documents with login.
How can I write something so that, when the user logs out, even when he presses the back button in the browser, he cannot see the data or do anything?
regards,
Bruno Santos
Sessions
- feiticeir0
- Forum Newbie
- Posts: 8
- Joined: Tue Nov 05, 2002 1:33 pm
- Location: Castelo Branco, Portugal
So if they log out they cannot hit the back button? Then on the logout page put in session_destroy();
Then make sure that you have something like
Code:
<?php
session_start(); // required before $_SESSION can be read
if (empty($_SESSION['valid_user'])) {
    echo "You are not allowed to view this page or you have not logged in.";
} else {
    // show the main page
}
?>
- caseymanus
- Forum Commoner
- Posts: 34
- Joined: Wed Nov 20, 2002 10:32 pm
- Contact:
I will do you one better: in addition to calling session_destroy(); in your log out function, you can use some creative session checking to make sure that someone cannot access a page without first logging in. Take a look at these 2 functions I wrote to keep people out of my protected pages without having a valid session.
Now I generate all links with makeLink(), or a similar function that passes an "auth_id", which is an encrypted session_id. I check to make sure that this "auth_id" has been passed, and that your session_id when encrypted produces the same "auth_id". I call validateSession(); at the top of every protected page.
This is probably overkill, but it's damn secure
Code:
function validateSession()
{
    // Call this function on every page that should be protected
    // (session_start() must already have been called so session_id() is set)
    $URLSession = isset($_REQUEST["AUTH_ID"]) ? $_REQUEST["AUTH_ID"] : "";
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    // strict comparison: with != two different "0e..." hex strings compare equal
    if ($URLSession !== $session)
    {
        header("Location: /nextcat/index.php");
        exit; // stop here; header() alone does not end the script
    }
}
function makeLink($path, $title)
{
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    // usage example: makeLink("admin/admin_main.php", "Admin");
    // usage example: makeLink("search.php", "<img src=\"images/buttons/search.png\">");
    // path is the directory(s) from webroot and title is the displayable text or image
    printf("<a href=\"%s?AUTH_ID=%s\">%s</a>", $path, $session, $title);
}