session problem [solved]

Posted: Mon Jan 08, 2007 10:00 am
by evolozik
hi everyone
i am having a problem with session
suppose a user X signs in and signs out and another user Y signs in and he signs out
when they sign out, the session is destroyed
however if i continue to press back, i can have access to user X account and can use the website under his name
when a user logs in it creates the following:

Code:

$_SESSION['USERNAME']=$uname;
$_SESSION['LOGGEDIN']=true;

how can i prevent this problem?

Posted: Mon Jan 08, 2007 10:05 am
by TheMoose
http://www.php.net/session_regenerate_id

If you pass it a boolean TRUE argument, then it will clear all session values.

Posted: Mon Jan 08, 2007 10:06 am
by Kieran Huggins
If the session is properly destroyed, the back button should only give them access to the browser cache, not to your website.

You could use expiration to help delete the browser cache, but ultimately it's out of your control.

Posted: Mon Jan 08, 2007 10:14 am
by evolozik

Code:

unset($_SESSION['USERNAME']);
$_SESSION = array(); // to reset the array
session_destroy();
header('Location: index.php');

i used this code for logout, the $_SESSION is reset, why does it keep its value though?

Posted: Mon Jan 08, 2007 11:08 am
by feyd
Header redirection short circuits many browsers (and sometimes PHP) into ignoring almost everything else in the headers.

session_write_close() can help. Also be aware that you need to use full URLs with header redirection. I'm not going to explain why because I've explained that enough times. :|

Posted: Mon Jan 08, 2007 1:13 pm
by evolozik
thx everyone for your help, was able to solve it :D
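
Added example, not part of the original thread: one way to combine the replies above (cache expiration, a full URL in the redirect, stopping the script after the redirect) into a logout routine and a per-page login check. APP_URL, the function names and the 303 status are assumptions; the session key is the one from the first post.

```php
<?php
// Added example, not code from the thread. APP_URL is a placeholder.
const APP_URL = 'https://www.example.com';

// Send on every page that shows account data, so the Back button
// cannot redisplay a cached copy after logout.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call at the top of each protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    if (empty($_SESSION['LOGGEDIN'])) {
        header('Location: ' . APP_URL . '/index.php', true, 303);
        exit;   // stop here: nothing below may run for a logged-out visitor
    }
}

// Call from the logout script, before any output.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // resume the session so it can be destroyed
    }
    $_SESSION = [];                 // clear the data held in this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie so the browser stops sending the old ID.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();              // delete the server-side session storage
    send_no_cache_headers();
    header('Location: ' . APP_URL . '/index.php', true, 303);
    exit;                           // do not let the script continue after the redirect
}
```

With the no-store headers on every protected page, pressing Back after logout makes the browser request the page again, and require_login() then redirects because the session no longer holds LOGGEDIN.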