login issue

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

furqankhan
Forum Newbie
Posts: 1
Joined: Sat Dec 26, 2009 2:38 am

login issue

Post by furqankhan »

Hi all,

I am new to PHP. I am developing an admin site where users may log in by login ID and password. I am managing this with a session, but when the user logs out from the admin site, if the browser back button is pressed, it goes to the admin page again. However, if I close the browser and try again, it works fine.
jhack
Forum Newbie
Posts: 10
Joined: Wed Mar 11, 2009 9:46 pm

Re: login issue

Post by jhack »

I think you are not destroying the session correctly

Code: Select all

 
session_destroy();
 
And also you should check if the session variable is set at the top of each page which requires login.

Code: Select all

 
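session_start(); // start the session
if (!isset($_SESSION['user'])) { // check the session variable is set
    // redirect to the login page ('login.php' is a placeholder name)
    header('Location: login.php');
    exit; // stop here so the rest of the protected page is not sent
}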
 
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: login issue

Post by kaisellgren »

The web browser probably cached the admin page. So, when you pressed the back button, it did not even request your page, it fetched it from the RAM.
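
The two points raised so far (checking the session on every protected page, and the browser showing a cached copy on "back") combined into one added example; it is not code from any poster in this thread. The function names and `login.php` are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. send_no_cache_headers(), require_login(), logout() and
// 'login.php' are hypothetical names chosen for illustration.

function send_no_cache_headers(): void
{
    // Tell the browser and any proxy not to keep a copy of the protected
    // page, so the back button has to ask the server for it again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache'); // for HTTP/1.0 caches
    header('Expires: 0');
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit; // without this the rest of the admin page is still sent
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // session_destroy() needs an active session
    }
    $_SESSION = []; // clear the data for the remainder of this request

    // Expire the session cookie in the browser, using the same
    // parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy(); // remove the session data on the server
    header('Location: login.php');
    exit;
}
```

Call `require_login()` at the top of every admin page before any output is sent, and `logout()` from the logout script.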
anilnakkani
Forum Newbie
Posts: 5
Joined: Wed Jul 21, 2010 2:16 am
Location: Hyderabad

Re: login issue

Post by anilnakkani »

Hi,

After logout, you need to check whether the user session expired or not. If not expired, need to move to that file to index, otherwise browser back button problem will come...

Thanks
Anil.N
Thought Radius - Experts for Partners
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: login issue

Post by Bind »

Additionally, when setting cookies on a page that redirects (like after a login/logout), the cookie must be set after the header()'s, else the cookie change may not stick.

example:

Code: Select all

<?php 
header('Location: http://www.example.com/'); 
setcookie ("TestCookie", "", time() - 3600, "/", "example.com", 1);
?>
vishal5085
Forum Newbie
Posts: 3
Joined: Thu Aug 05, 2010 11:58 pm

Re: login issue

Post by vishal5085 »

The session is not destroyed.
So use this code:

if (isset($submit))
{
    session_destroy();
}

The session_destroy() function will destroy your session.
It worked for my website, so I think it will work for your website too.