Sessions

feiticeir0
Forum Newbie
Posts: 8
Joined: Tue Nov 05, 2002 1:33 pm
Location: Castelo Branco, Portugal

Sessions

Post by feiticeir0 »

Hi! I'm developing a project for school and I need to create some document with login.

How can I write something so that, when the user logs out, even when he presses the back button in the browser, he cannot see the data or even do something?

regards,

Bruno Santos
oldtimer
Forum Contributor
Posts: 204
Joined: Sun Nov 03, 2002 8:21 pm
Location: Washington State

Post by oldtimer »

So if they log out they cannot hit the back button? Then on the logout page put in session_destroy();


Then make sure that you have something like

Code:

<?php
session_start(); // must run before $_SESSION is read, or it is always empty

if (empty($_SESSION['valid_user'])) {
    echo "You are not allowed to view this page or you have not logged in.";
}
else
{
    // show the main page
}

?>
caseymanus
Forum Commoner
Posts: 34
Joined: Wed Nov 20, 2002 10:32 pm

Post by caseymanus »

I will do you one better: in addition to calling session_destroy(); in your log out function, you can use some creative session checking to make sure that someone cannot access a page without first logging in. Take a look at these 2 functions I wrote to keep people out of my protected pages without having a valid session.

Code:

<?php
// Both functions assume session_start() has already been called on the page.
function validateSession()
{
    // Call this function on every page that should be protected
    $URLSession = isset($_REQUEST["AUTH_ID"]) ? $_REQUEST["AUTH_ID"] : "";
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    // Strict comparison: loose != can treat two different "0e..." digests as equal
    if ($URLSession !== $session)
    {
        header("Location: /nextcat/index.php");
        exit; // stop here so the rest of the protected page is not sent
    }
}

function makeLink($path, $title)
{
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    // usage example makeLink("admin/admin_main.php", "Admin");
    // usage example makeLink("search.php", '<img src="images/buttons/search.png">');
    // path is the directory(s) from webroot and title is the displayable text or image
    printf('<a href="%s?AUTH_ID=%s">%s</a>', $path, $session, $title);
}
Now I generate all links with makeLink(), or a similar function that passes an "auth_id", which is an encrypted session_id. I check to make sure that this "auth_id" has been passed, and that your session_id when encrypted produces the same "auth_id". I call validateSession(); at the top of every protected page.

This is probably overkill, but it's damn secure.