can expired Session be restored?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

eskio
Forum Commoner
Posts: 66
Joined: Tue Apr 01, 2008 1:00 am

can expired Session be restored?

Post by eskio »

Hi,
I have the following code to logout.

Code:

if (isset($_POST["logout"])) {  // logout button is clicked
    // destroy session
    unset($_SESSION['id']);
    unset($_SESSION['name']);
    session_destroy();
    
    // destroy cookies
    $sessionPath = session_get_cookie_params(); 
    setcookie(session_name(), "", 0, $sessionPath["path"], $sessionPath["domain"]); 
    header('Location: http://localhost/myfolder/login.php');
} // if (isset($_POST["logout"]))

It is working correctly BUT when I click the "Go Back" button (one or many times) on the browser, I have the following message:
"the page you are trying to view contains POSTDATA that has expired from cache. If you resend the data, any action the form carried out will be repeated. To resend the data, click OK. Otherwise, click Cancel. "
and when I click OK, it displays the home page which should be displayed after the login page. That means the browser restores an expired session.

Please help me.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: can expired Session be restored?

Post by s.dot »

Is any code being run after your header() call? Put exit; after it.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
EverLearning
Forum Contributor
Posts: 282
Joined: Sat Feb 23, 2008 3:49 am
Location: Niš, Serbia

Re: can expired Session be restored?

Post by EverLearning »

eskio wrote:"the page you are trying to view contains POSTDATA that has expired from cache. If you resend the data, any action the form carried out will be repeated. To resend the data, click OK. Otherwise, click Cancel. "
I'm guessing that the form this message was talking about was the login form, and since you clicked OK, it logged you in again. To avoid that, after logon redirect the user to a page

Code:

header("Location: $homeUrl"); // page you show after logon
exit();

That way, when you log out and go back in the browser, you won't be logged in again.
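
The two suggestions above (exit after header(), and redirecting after a successful login POST) combined in one login script, as an added example that is not code from the thread. The user store, the form field names `login`, `name` and `password`, and the URL paths are assumptions.

```php
<?php
declare(strict_types=1);
session_start();

const LOGIN_URL = '/myfolder/login.php'; // assumed path
const HOME_URL  = '/myfolder/home.php';  // assumed path

// Constructed sample user store; a real application would query its database.
$users = ['alice' => ['id' => 1, 'hash' => password_hash('sample-password', PASSWORD_DEFAULT)]];

function redirect(string $url): void
{
    header('Location: ' . $url, true, 303); // 303: the browser follows up with a GET
    exit; // stop here so no later code runs or prints protected content
}

// Logout: clear the session data, expire the session cookie, then redirect.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    redirect(LOGIN_URL);
}

// Login: the POST never renders a page itself. Success or failure, it ends in a
// redirect, so the page that Back returns to is a plain GET, not a
// re-submittable POST carrying the credentials.
if (isset($_POST['login'])) {
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $user = $users[$name] ?? null;
    if ($user !== null && password_verify($pass, $user['hash'])) {
        session_regenerate_id(true); // new session id at the privilege change
        $_SESSION['id']   = $user['id'];
        $_SESSION['name'] = $name;
        redirect(HOME_URL);
    }
    redirect(LOGIN_URL . '?error=1');
}

// Plain GET: render the login form (fields: name, password, login) below.
```

Protected pages such as the home page still have to check `$_SESSION['id']` themselves and redirect to the login page when it is missing.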
eskio
Forum Commoner
Posts: 66
Joined: Tue Apr 01, 2008 1:00 am

Re: can expired Session be restored?

Post by eskio »

EverLearning wrote:
eskio wrote:"the page you are trying to view contains POSTDATA that has expired from cache. If you resend the data, any action the form carried out will be repeated. To resend the data, click OK. Otherwise, click Cancel. "
I'm guessing that the form this message was talking about was the login form, and since you clicked OK, it logged you in again. To avoid that, after logon redirect the user to a page

Code:

header("Location: $homeUrl"); // page you show after logon
exit();

That way, when you log out and go back in the browser, you won't be logged in again.

Thanks.
anto91
Forum Commoner
Posts: 58
Joined: Mon Mar 10, 2008 10:59 am
Location: Sweden

Re: can expired Session be restored?

Post by anto91 »

Btw I don't believe localhost works when your project is on an external server and not your devel PC

Edit: referring to your header('location: http://localhost*');