Apache Friends Support Forum

[manddox]

Hello everyone,

I am unable to logout from sessions even after I have unset the session variables and used session_destroy() function. In order to logout I am just using the link to my logout.php page. The link is as follows:

Code: Select all

<a href='posts.php'>Home</a> || <a href='logout.php'>Logout</a>

And the logout.php page is as follows:

Code: Select all

<?php
session_start();
unset($_SESSION['username']);  //Unset the $_SESSION array value

/* unset($_SESSION['password']);
unset($_SESSION['user_id']); */

if (isset($_SESSION['username']))
{
  $_SESSION['username'] = "";
} 

/* if ( isset($password) )
{
   @setcookie( "password", $password );
} */

session_unset();
session_destroy(); // Logout of the site
if(!isset($_SESSION["username"]))
{
   echo 'You have successfully logged out!<br/>';
   echo 'To enter again, please <a href="login.php">login!</a>';
   exit;
}
?>

After logging out if i click the back button on my browser I am able to view the pages which should not be the case and also when I click on the login link, it logs me in without any prompt for the username and password. But when I clear the cache from my browser, it gives me the prompt for username and password upon clicking in the login link. So, basically the cache is not getting cleared when I log out but clearing the cache manually does the job. Please help me guys with this as am new to php programming! thanks in advance!.

Please put some light and help me on this!

[glitzi85]

1) Your Logout procedure is quite long. Did you check the PHP manual? http://de.php.net/manual/en/function.session-destroy.php

2) It is not possible to clear the cache of a browser from the webserver. However, you can try to prevent the browser from caching: http://www.faqts.com/knowledge_base/view.phtml/aid/23514/fid/51

glitzi

[roman2]

It shouldn't be necessary to clear browser's cache to log somebody out. Otherwise, it would mean that your site's security would depend on users' actions. There must be an error. Likely in your login file. Can you post it?

Here's what I do in my logout function, which has always worked on both Windows and Linux:

Code: Select all

   
      // Delete the session cookie.
      if(isset($_COOKIE[session_name()])) {
         setcookie(session_name(), '', time()-42000, '/');
      }
      
      session_destroy();

You may also want to try this before you exit your script: session_write_close();

[roman2]

Here's what you need to read: http://php.net/manual/en/function.session-destroy.php:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Also, read a comment by vmbharathi at http://php.net/manual/en/function.session-unset.php

But even if you unset a variable on logging out that you check upon logging in, what you do should work. Do post your login.php here.

[manddox]

Sorry for the late reply...was out of town!! One thing I am confused about here is that...am I supposed to assign a variable like the 'username' to session_name() or does it return the name of the current session without me doing anything here?? As in the PHP manual, it says that session_name() returns the current session name....what does it mean by this? Do I have to name my session?

Below is my login.php page. Please check if there is any loop hole here!!

Code: Select all

<?php
require_once("../db_login.php");
require_once('config.php');
require_once("Auth/HTTP.php");
$AuthOptions = array( 'dsn' => "mysql://$db_username:$db_password@$db_host/$db_database",
                 'table' => "users",
                 'usernamecol' => "username",
                 'passwordcol' => "password",
                 'cryptType' => "md5",
                 'db_fields' => "*"
               );
$authenticate = new Auth_HTTP("DB",$AuthOptions);
$authenticate->setRealm('Member Area');
$authenticate->setCancelText('<h2>Access Denied</h2>');
$authenticate->start();
if($authenticate->getAuth())
{
   session_start();
   $smarty->assign('blog_title', $blog_title);
   $smarty->display('header.tpl');
   $_SESSION['username'] = $authenticate->username;
   $_SESSION['first_name'] = $authenticate->getAuthData('first_name');
   $_SESSION['last_name'] = $authenticate->getAuthData('last_name');
   $_SESSION['user_id'] = $authenticate->getAuthData('user_id');
   echo "Login Successful! Great to see you back ";
   echo $authenticate->getAuthData('first_name');
   echo " ";
   echo $authenticate->getAuthData('last_name').".<br />";
   $smarty->display('footer.tpl');
}
?>