destroying session??

This topic is closed.
  • john

    destroying session??

    Hi
    I have simple login & logout scripts, which are as follows:

    login.php
    <?php
    session_start();
    $_SESSION["username"] = $_POST["username"];
    ?>

    logout.php

    <?php
    session_start();
    session_unset();
    session_destroy();
    ?>
    The problem is:
    After running the logout script, if the user hits the back button on the
    browser he appears to be logged in again, i.e. the sessions are not
    destroyed or the browser caches the info. Please help.
  • Erwin Moller

    #2
    Re: destroying session??

    john wrote:
    > Hi
    > I have simple login & logout scripts, which are as follows:
    >
    > login.php
    > <?php
    > session_start();
    > $_SESSION["username"] = $_POST["username"];
    > ?>
    >
    > logout.php
    >
    > <?php
    > session_start();
    > session_unset();
    > session_destroy();
    > ?>
    > The problem is:
    > After running the logout script, if the user hits the back button on the
    > browser he appears to be logged in again, i.e. the sessions are not
    > destroyed or the browser caches the info. Please help.

    Hi,

    The session is destroyed.
    The browser is just getting info out of the cache.
    This can be very annoying.

    You could try to add headers to all your scripts that contain an
    expiration date and cache policies.
    Google for it.

    IMPORTANT: Remember that it is NOT in your hands what a browser does.
    You have no 100% control over it. The expiration date and proxy policies you
    put into your headers are only suggestions. They can be ignored by browsers
    or proxy servers.

    Regards,
    Erwin Moller


    • john

      #3
      Re: destroying session??

      Hi
      Thanks for your reply.
      But still the problem exists.
      Even if I set the following headers in all of my pages
      header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
      header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
      header( "Cache-Control: no-cache, must-revalidate" );
      header( "Pragma: no-cache" );

      After logout if user hits the back button, user is still logged in.


      • Erwin Moller

        #4
        Re: destroying session??

        john wrote:
        > Hi
        > Thanks for your reply.
        > But still the problem exists.
        > Even if I set the following headers in all of my pages
        > header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
        > header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
        > header( "Cache-Control: no-cache, must-revalidate" );
        > header( "Pragma: no-cache" );
        >
        > After logout if user hits the back button, user is still logged in.

        Is the user still logged in?
        Also if you do a refresh on that page?
        (try SHIFT-reload and CTRL-reload)

        If the session still exists, that means a new session is built up.
        That means in your php.ini you probably have settings that always build up a
        session.

        If you want to check if a user logged in, it is better and more general to
        do the following:
        1) stop using session_start() and the like. Just build up a session always.
        (I am assuming you use PHP 4.2 or higher)
        2) when a user logs in successfully, add to session:

        [login_process.php]
        if ('username and password correct') {
            $_SESSION["loggedin"] = "Y";
        }

        Now on every page that requires a logged-in user, add a little script (or use
        an include, that is easier)

        --------------------------------
        // check if user is logged in:
        $loggedincheck = false;
        if (isset($_SESSION["loggedin"])){
            // exists, but right value?
            if ($_SESSION["loggedin"] == "Y"){
                $loggedincheck = true;
            }
        }

        if (!$loggedincheck){
            // go away!
            header("Location: login.php");
            exit;
        }
        ----------------------------------

        Now, if somebody logs out, you just unset the whole session, or maybe only
        the "loggedin".


        In this way you always have a session, but you check for the 'loggedin'.
        I found out this is much easier, and better to understand than the
        session_start(), combined with the php.ini settings.

        Good luck,
        Erwin Moller
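
An added example, not part of the thread and not either poster's code: one way to combine the server-side "loggedin" check from #4 with the cache headers discussed in #2 and #3 and a logout that also expires the session cookie. The file name auth.php and all function names are assumptions; `no-store` is sent because `no-cache` still allows the browser to keep a copy, which back-button history can redisplay.

```php
<?php
// Added example, not code from the thread. Hypothetical include file auth.php;
// function names are illustrative. Assumes PHP 7.1 or later.

// Ask browsers and proxies not to store the page at all. As the thread says,
// this is advisory; the session check in require_login() is the real control.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
}

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    start_session_once();
    send_no_store_headers();
    if (($_SESSION['loggedin'] ?? '') !== 'Y') {
        header('Location: login.php');
        exit;
    }
}

// Call only after the submitted credentials have been verified.
function mark_logged_in(string $username): void
{
    start_session_once();
    session_regenerate_id(true); // fresh session id at the privilege change
    $_SESSION['username'] = $username;
    $_SESSION['loggedin'] = 'Y';
}

// Logout: empty the data, expire the cookie, then destroy the session.
function logout(): void
{
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}
```

With this in place, a reload of a protected page after logout() fails the check in require_login() and redirects, even if a cached copy was briefly shown.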
