Page 1 of 1

IE - Hard refresh needed to accept change in login status

Posted: Mon Nov 20, 2006 10:38 am
by jolinar
Here is the problem. User authentication is misbehaving on IE. When logging in on a site I'm working on, logging in works fine on IE and Firefox, but logging out is where the browsers start acting a little oddly.

Firefox logs out fine, all pages show that I'm not logged in (e.g. going back to the admin.php page)
IE - I log out, but when going back in to admin.php, it reports that I'm logged in. The user is only shown as being logged out when a hard refresh is carried out.

This problem is driving me nuts!

The code for the logout page:

Code: Select all

<?php
	//global $current_module_name;
	global $current_url;
	//$current_url = $_SERVER['PHP_SELF']."?name=$current_module_name";

	//$address = $_SERVER['PHP_SELF'];
	if(isset($_GET['ac'])) {
		$ac = $_GET['ac'];
		scan($ac);
		
		if(loggedIn()) {
			if($ac=='logout') {
			 	if(activeAdmin()) {
					unset($_SESSION['admin']);
				}
				session_unset();
				header("Location:index.php");
			}
		}
	}
	if(loggedIn()) {
	 	$user_name = $_SESSION['user_name'];
		print "<p>Logged In As: $user_name</p>\n";
		print "<p><a href=\"$current_url&ac=logout\">Logout Here</a></p>\n";
	}
	else {
	 	print "<p>Not Logged In</p>\n";
		print <<<EOF
		<p>
		<form action="$address" method="post">
		  <label>User Name:
		    <input type="text" name="username" size="15" /></label><br/>
		  <label>Password:
		    <input type="password" name="password" size="15" /></label><br/>
		  <input type="submit" value="Log In" />
		</form>
		</p>
EOF;
	}

?>
And the function check if the user is logged in

Code: Select all

function loggedIn() {
 	if($_SESSION['logged_in']==true) {
		return true;
	}
}

Posted: Mon Nov 20, 2006 11:18 am
by RobertGonzalez
Try messing with the cache-control settings in a header() function.

Posted: Mon Nov 20, 2006 1:33 pm
by Mordred
Why session_unset()? Shouldn't it be session_destroy()? The manual on session_destroy() has more pointers at logging out (i.e. deleting the SID cookie if one was used)

Posted: Mon Nov 20, 2006 2:56 pm
by geodet
session_destroy() erases all sessions, not just specified,
so if he has more sessions, they'll all be lost.

Posted: Mon Nov 20, 2006 3:53 pm
by jolinar
According to the documentation on php.net
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.
It's strange that the problem seems to be with IE. I've been wracking my brains and I can't figure it out

Posted: Mon Nov 20, 2006 3:56 pm
by RobertGonzalez
What about character encoding? I remember reading here recently that someone had an usual problem that seemed to stem from the character encoding put into the page.

Posted: Tue Nov 21, 2006 3:11 am
by Mordred
Hmm, do you have session autostarting, or did you miss the session_start() call?
Also, tried unsetting the cookie as well, as per the session_destroy() manual.

Posted: Tue Nov 21, 2006 7:44 am
by jolinar
Sessions are started by a session_start() call at the beginning of the program. I've checked it and there is no way it can be missing the call.

Posted: Tue Nov 21, 2006 9:08 am
by jolinar
Problem solved. It was this little piece of code:

Code: Select all

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();
I tried commenting it out and it works fine. Of course I'm kinda worried about the security. I guess it's time for me to head over to the security section of the forum.