Sessions
Posted: Thu Dec 12, 2002 3:43 pm
by feiticeir0
Hi! I'm developing a project for school and I need to create some document with login.
How can I write something so that, when the user logs out, even if he presses the back button in the browser, he cannot see the data or do anything?
regards,
Bruno Santos
Posted: Thu Dec 12, 2002 5:16 pm
by oldtimer
So if they log out they cannot hit the back button? Then on the logout page put in session_destroy();
Then make sure that you have something like this:
<?php
session_start(); // must run before $_SESSION is populated on this request
if (empty($_SESSION['valid_user'])) {
    // no valid login: show the notice only, never the protected content
    echo "You are not allowed to view this page or you have not logged in.";
}
else
{
    // show the main page
}
?>
Posted: Thu Dec 12, 2002 5:38 pm
by caseymanus
I will do you one better: in addition to calling session_destroy(); in your logout function, you can use some creative session checking to make sure that someone cannot access a page without first logging in. Take a look at these 2 functions I wrote to keep people out of my protected pages without having a valid session.
function validateSession()
{
    //Call this function on every page that should be protected
    $URLSession = $_REQUEST["AUTH_ID"] ?? '';
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    if ($URLSession !== $session)
    {
        header("Location: /nextcat/index.php");
        exit; // stop here, otherwise the rest of the page still renders after the redirect header
    }
}
function makeLink($path, $title)
{
    $session = session_id();
    $session = substr($session, 0, 10);
    $session = md5($session);
    //usage example makeLink("admin/admin_main.php", "Admin");
    //usage example makeLink("search.php", '<img src="images/buttons/search.png">');
    //path is the directory(s) from webroot and title is the displayable text or image
    printf('<a href="%s?AUTH_ID=%s">%s</a>', $path, $session, $title);
}
Now I generate all links with makeLink(), or a similar function that passes an "auth_id", which is an encrypted session_id. I check to make sure that this "auth_id" has been passed, and that your session_id, when encrypted, produces the same "auth_id". I call validateSession(); at the top of every protected page.
This is probably overkill, but it's damn secure
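As an added example (not code from either reply above), here is one way to put the thread's two pieces of advice together: oldtimer's "destroy the session on logout and check $_SESSION['valid_user'] on every page", and caseymanus's "call a guard function at the top of every protected page". The file name auth.php, the login URL /login.php and the function names are assumptions for this example. It also covers the original question about the back button: the server-side session being gone is not enough on its own, because the browser may redisplay the page from its own cache, so the guard sends Cache-Control: no-store as well, and it terminates the script after the redirect instead of letting the page render.

```php
<?php
// auth.php (hypothetical helper): include it at the top of every protected page.
declare(strict_types=1);

session_start();

// Ask the browser and any proxy not to keep a copy of the protected page.
// Without "no-store", the Back button can redisplay the page from cache even
// though the server-side session has already been destroyed.
function sendNoCacheHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Guard for protected pages. On failure it redirects AND exits: a bare
// header('Location: ...') without exit lets the rest of the page render anyway.
function requireLogin(string $loginUrl = '/login.php'): void
{
    sendNoCacheHeaders();
    if (empty($_SESSION['valid_user'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

// Call this only after the password check has succeeded. Regenerating the id
// means a session id that existed before login is not valid afterwards.
function loginUser(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['valid_user'] = $username;
    $_SESSION['login_time'] = time();
}

// Logout: clear the session data, drop the session cookie on the client, and
// destroy the server-side session, so neither side can resume it.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
//   require 'auth.php';
//   requireLogin();
//   echo 'Hello, ' . htmlspecialchars($_SESSION['valid_user']);
//
// Usage on the logout page:
//   require 'auth.php';
//   logoutUser();
//   header('Location: /login.php');
//   exit;
```

Because requireLogin() sends the no-store headers before any output, it must be called before the page prints anything; with the session check, the cookie removal and the cache headers together, pressing Back after logout produces a fresh request that lands on the login redirect rather than a cached copy of the data.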