Can't end session with logout button

  • Jeff

    Can't end session with logout button

    I've searched the web for hours trying to figure out this problem and
    can't seem to find any pertinent answers. I have a website where the
    user starts on a login page, puts in their credentials and hits a
    submit button, which then takes the user to a 2nd PHP page which simply
    runs PHP code that checks the user's credentials from my database, and
    if authenticated creates a session, assigns a few session variables
    (including a session variable showing that the user has been
    authenticated) and then forwards them to a third page that pulls up an
    inventory based on their membership in a group.

    All subsequent pages (including this inventory page) check for the
    "$_SESSION['auth']" variable to make sure the person has been
    authenticated before they can access any other pages. This all works
    fine. Here is the problem...

    At the bottom of the third page which lists the inventory data I have a
    "LogOut" button. When the user clicks the button they are taken back to
    the original login page and their session killed. The problem is that
    the user can hit the "Back" button on the browser and it STILL lets
    them get BACK into the inventory page, even though the session has been
    killed along with the "$_SESSION['auth']" variable. I don't want them
    to be able to do this.

    I know the code that protects each page after login is working because
    if I close the browser and try to directly access the inventory page
    (without logging in first) it won't let me in because I don't have the
    "$_SESSION['auth']" set. So why does hitting the "Back" button allow me
    to get into the page?

    Below is the beginning code on the login page which kills the session
    (if a session already exists). Hitting the "LogOut" button on the 3rd
    page (inventory page) simply redirects the user back to the login page
    which runs this code. I tried killing the session from the 3rd page
    but didn't have any luck there either. By the way, if I put in a line
    of code after the code below to test for the existence of a session it
    says there is no active session...So why they can hit "Back" and still
    access the inventory page DESPITE that no session variables exist is
    beyond me...

    <?php
    session_start();

    $_SESSION = array();
    session_destroy();

    ?>

    Any help is much appreciated! I'm using PHP 5 with IIS 6. Let me know
    if any other code and/or information is needed. Thanks!

  • DJ Craig

    #2
    Re: Can't end session with logout button

    They can hit the back button to get to that inventory page, but if you
    try to do anything on that page after logging out, it won't let them.
    If you really need to prevent them from being able to see that page by
    hitting the back button, insert the following meta tag in the head
    section:
    <meta http-equiv="pragma" content="no-cache" />
    But this will prevent the browser from caching the page, making the
    page much slower to load, so you shouldn't use it unless you have to.
    It also won't work in some browsers.
    Or you could use Javascript to prevent them from hitting the back
    button at all, but this is *really* annoying, and you can get around it
    easily by disabling Javascript. Still, it is useful sometimes in
    programs that I write only for my own use.


      • chotiwallah

        #4
        Re: Can't end session with logout button


        DJ Craig wrote:
        > They can hit the back button to get to that inventory page, but if you
        > try to do anything on that page after logging out, it won't let them.
        > If you really need to prevent them from being able to see that page by
        > hitting the back button, insert the following meta tag in the head
        > section:
        > <meta http-equiv="pragma" content="no-cache" />
        > But this will prevent the browser from caching the page, making the
        > page much slower to load, so you shouldn't use it unless you have to.
        > It also won't work in some browsers.
        > Or you could use Javascript to prevent them from hitting the back
        > button at all, but this is *really* annoying, and you can get around it
        > easily by disabling Javascript. Still, it is useful sometimes in
        > programs that I write only for my own use.

        alternative to the caching: use something along the lines of

        if(!$_SESSION['auth']) { die('not logged in'); }

        at the top of each page. could be a redirect also.

        micha


        • Jeff

          #5
          Re: Can't end session with logout button

          Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
          />" worked.

          Micha, I already had the code below at the top of each page, but for
          some reason it wouldn't do the redirect after hitting the "Back"
          button. I'm still not sure why. Just because the page is being read
          from the cache shouldn't mean it should ignore the PHP code at the
          beginning of the page, which should have redirected the user to an
          "error" page. I've seen numerous PHP driven web sites that have "log
          off" buttons, and they don't allow the user to see their last page by
          hitting "back" after they've logged off. I wonder if all of these sites
          are using the "no cache" meta tag or some other mechanism? Thanks for
          answering my posts guys.

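          <?php
          session_start();

          // Redirect anyone without the auth flag set by the login script.
          if (empty($_SESSION['auth']))
          {
              header('Location: Error.php');
              exit; // stop so the rest of the page is not sent
          }
          ?>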


          • Malcolm Dew-Jones

            #6
            Re: Can't end session with logout button

            Jeff (jeffster86@hot mail.com) wrote:
            : Thanks, adding the line "<meta http-equiv="pragma" content="no-cache"
            : />" worked.

            : Micha, I already had the code below at the top of each page, but for
            : some reason it wouldn't do the redirect after hitting the "Back"
            : button. I'm still not sure why. Just because the page is being read
            : from the cache shouldn't mean it should ignore the PHP code at the
            : beginning of the page,

            But if the page is in the cache then your script is not being called to
            display the page. The browser is displaying a previously saved copy of the
            html generated by your php script.


            : which should have redirected the user to an
            : "error" page. I've seen numerous PHP driven web sites that have "log
            : off" buttons, and they don't allow the user to see their last page by
            : hitting "back" after they've logged off. I wonder if all of these sites
            : are using the "no cache" meta tag or some other mechanism? Thanks for
            : answering my posts guys.

            It should be easy enough to examine their html to find out.


            : <?php
            : session_start();

            : if (empty($_SESSION['auth']))
            : {
            : header('Location: Error.php');
            : exit;
            : }
            : ?>


            --

            This space not for rent.
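
Added example, not part of the original thread: because a cached copy is shown without the script running, the session check only helps if the browser is told not to keep the page. The sketch below sends HTTP response headers instead of a meta tag and also expires the session cookie on logout; the function names and login.php are hypothetical, Error.php is the page named in the thread.

```php
<?php
// Added example, not code from the thread. Function names and login.php
// are hypothetical; Error.php is the redirect target used in the thread.

// Send before any output on every page that shows private data, so the
// browser keeps no copy to redisplay when "Back" is pressed.
function send_no_store_headers()
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache'); // for HTTP/1.0 caches
    header('Expires: 0');
}

// Call at the top of each protected page.
function require_auth()
{
    session_start();
    send_no_store_headers();
    if (empty($_SESSION['auth'])) {
        header('Location: Error.php');
        exit; // stop here, or the rest of the page is still sent
    }
}

// Call from the logout handler.
function logout()
{
    session_start();
    $_SESSION = array();
    // Expire the session cookie too, so the old session ID is not sent again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_store_headers();
    header('Location: login.php');
    exit;
}
```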


            • Jeff

              #7
              Re: Can't end session with logout button

              Thanks for the explanation. It makes sense now.
