back button and session id
Posted: Wed Nov 15, 2006 1:18 am
by josh4ever
Hi friends,
I have used sessions in my application. When the user logs out, he is redirected to the login page and the session id is deleted.
But the problem is that if a user presses the back button after this, the session id gets generated. How do I prevent this?
Please help.
Posted: Wed Nov 15, 2006 6:06 am
by rameshmrgn
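Have a common function which should check for the session, like:
function check_session_user() {
    // Send the visitor to the login page unless a user is recorded in the session.
    if (!isset($_SESSION['sessuser'])) {
        header("Location: login.php");
        exit; // stop here so the rest of the protected page is not sent
    }
}
Call this function at the top of each page.
It will take you to the login page if the session is destroyed.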
Re: sessions and back button
Posted: Wed Nov 15, 2006 8:31 am
by josh4ever
Suppose a user logs in, performs his work and logs out.
Then another user uses the same browser without closing it, and if he presses the back button several times, he gains access to the pages that the previous user visited.
What should I do?
Please ...
Posted: Wed Nov 15, 2006 9:20 am
by William
Why is the session getting re-created if the user goes back in their browser? What is at the top of your pages that re-creates the session so that they're logged in again?
Posted: Wed Nov 15, 2006 9:33 am
by kaszu
My guess is that the browser uses its cache to display the page; it's not loaded from the server. Try
Code: Select all
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
took this from
http://uk.php.net/header
EDIT:
Sorry this doesn't work.
Posted: Wed Nov 15, 2006 9:49 am
by theFool
I think it is a combination of browser cache and PHP garbage collection for sessions.
The sessions are normally stored in a temporary directory, but the garbage collection only cleans it randomly every now and then (default is 1% probability on every script call, as far as I remember). So when the browser sends the session id again and the garbage collection hasn't deleted the session data already, the session data is restored.
So you basically have two possibilities:
ensure that the browser can't send the session id after logout, or
ensure that void session information cannot be retrieved (which I tend to do in my project).
Posted: Thu Nov 16, 2006 2:35 am
by rameshmrgn
Are you destroying the session on logout,
using the session_destroy() function?
Posted: Thu Nov 16, 2006 5:10 am
by aaronhall
If I'm not mistaken, it sounds like your application is assuming the user is logged in if PHP_SESS_ID has been assigned. The session ID is automatically generated by PHP as soon as you call session_start(), whether you have authenticated the user or not. As rameshmrgn suggested, create a session variable that is only set if the user has been authenticated, such as
All of your secured pages would then check if this session variable has been set before displaying the page.
Code: Select all
if ($_SESSION['loggedIn']) {
    // show secured content
} else {
    // user is not logged in; show login form
}
Posted: Mon Jan 08, 2007 1:55 pm
by evolozik
I was having this problem too.
It didn't work with
Code: Select all
if ($_SESSION['loggedIn']) {
    // show secured content
} else {
    // user is not logged in; show login form
}
so I used this:
Code: Select all
session_start();
session_regenerate_id();
//some code
$_SESSION['ID']=session_id();
in the login page, so that it generates another session id whenever another user logs in.
Since the browser has not been closed, when the new user clicks back he will be directed to previous pages, which include the login page, and another id will be generated.
Since the id doesn't match the previous user's session id, the new user will not get access to it.
Well, this worked, but I don't know if it's a good way to proceed.
Posted: Mon Jan 08, 2007 3:54 pm
by Burrito
Direct them to a logout page, then use unset() to kill your session var.
On the logout page, include the JavaScript history method to prevent them from going back.
Posted: Mon Jan 08, 2007 5:39 pm
by feyd
What's the point of storing the session id in the session it belongs to?
Posted: Mon Jan 08, 2007 6:18 pm
by Z3RO21
I use it sometimes as a reference to a database entry.
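The suggestions made across this thread, put together in PHP as an added example that is not any poster's code: a login flag checked on every protected page, cache headers that ask the browser not to keep a copy, a fresh session id at login, and a logout that clears the data, the cookie and the server-side session. The function names and login.php are assumptions for illustration; the session keys follow the posts above.

```php
<?php
// Added example, not code from the thread. require_login(), mark_logged_in(),
// log_out() and login.php are hypothetical names chosen for illustration.

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call at the top of every protected page, before any output.
function require_login(): void {
    start_session();
    // Ask the browser not to store the page, so Back has to re-request it.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
    // A session id alone proves nothing; only the flag set at login counts.
    if (empty($_SESSION['loggedIn'])) {
        header('Location: login.php');
        exit; // nothing from the protected page is sent after the redirect
    }
}

// Call from the login script once the credentials have been verified.
function mark_logged_in(string $user): void {
    start_session();
    session_regenerate_id(true); // new id; true deletes the old session data
    $_SESSION['loggedIn'] = true;
    $_SESSION['sessuser'] = $user;
}

// Call from the logout script.
function log_out(): void {
    start_session();
    $_SESSION = []; // drop the data, so a replayed id finds nothing
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie so the browser stops sending the old id.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side data now, not at GC time
    header('Location: login.php');
    exit;
}
```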