session problem[solved]

evolozik
Forum Newbie
Posts: 14
Joined: Thu Jan 04, 2007 1:20 pm

Post by evolozik »

Hi everyone,
I am having a problem with sessions.
Suppose a user X signs in and signs out, and another user Y signs in and he signs out.
When they sign out, the session is destroyed.
However, if I continue to press back, I can have access to user X's account and can use the website under his name.
When a user logs in, it creates the following:

Code:

$_SESSION['USERNAME']=$uname;
$_SESSION['LOGGEDIN']=true;

How can I prevent this problem?
Last edited by evolozik on Mon Jan 08, 2007 1:25 pm, edited 1 time in total.
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

http://www.php.net/session_regenerate_id

If you pass it a boolean TRUE argument, then it will clear all session values.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

If the session is properly destroyed, the back button should only give them access to the browser cache, not to your website.

You could use expiration to help delete the browser cache, but ultimately it's out of your control.
evolozik
Forum Newbie
Posts: 14
Joined: Thu Jan 04, 2007 1:20 pm

Post by evolozik »

Code:

unset($_SESSION['USERNAME']);
$_SESSION = array(); // to reset the array
session_destroy();
header('Location: index.php');

I used this code for logout, the $_SESSION is reset, why does it keep its value though?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Header redirection short circuits many browsers (and sometimes PHP) into ignoring almost everything else in the headers.

session_write_close() can help. Also be aware that you need to use full URLs with header redirection. I'm not going to explain why because I've explained that enough times. :|
evolozik
Forum Newbie
Posts: 14
Joined: Thu Jan 04, 2007 1:20 pm

Post by evolozik »

thx everyone for your help, was able to solve it :D
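
A login/logout flow that puts the replies above together (a fresh session ID at login, cache expiration on members-only pages, cookie removal plus an absolute redirect URL at logout), as an added example that is not part of the original thread. BASE_URL, the function names and the PHP 7.3+ array form of setcookie() are assumptions; the session keys and index.php come from the posts.

```php
<?php
// Added example (PHP 7.3+), not code from the thread.
// Assumption: BASE_URL is a placeholder for the site's real base URL.
const BASE_URL = 'https://example.com/';

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // 'nocache' makes PHP send no-store/no-cache headers, so the back
        // button has to re-request the page instead of showing a cached copy.
        session_cache_limiter('nocache');
        session_start();
    }
}

// Call once the submitted credentials have been verified.
function login_user(string $uname): void
{
    start_session();
    session_regenerate_id(true); // issue a new ID and delete the old session
    $_SESSION['USERNAME'] = $uname;
    $_SESSION['LOGGEDIN'] = true;
}

// Call at the top of every members-only page, before any output.
function require_login(): void
{
    start_session();
    if (empty($_SESSION['LOGGEDIN'])) {
        header('Location: ' . BASE_URL . 'index.php', true, 303);
        exit; // stop here so the protected page body is never sent
    }
}

function logout(): void
{
    start_session();   // attach to the session that is about to be removed
    $_SESSION = [];    // drop the data held in this request
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [ // expire the session cookie in the browser
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'],
    ]);
    session_destroy(); // delete the server-side session storage
    header('Location: ' . BASE_URL . 'index.php', true, 303); // absolute URL
    exit;
}
```

With require_login() on each protected page, a page reached through the back button after logout is re-requested and redirected instead of being served from the browser cache.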