PHP Sessions in FireFox!?

[libertyct]

So i have a simple logout script which runs the following lines of code:

 

<?php

session_start();

/*
when user logs out
destroy the array in the session object and redirect to the
default index page
*/

session_destroy();
echo '<meta http-equiv="refresh" content="0; url=index.php">'; 

?>

 

the problem is, this script works fine in IE but the session still remains live when I test it in Firefox? How could i get around this?

[dannyb785]

how can you tell the session is still active?

[DarkWater]

I kill my sessions with:

 

$_SESSION = array();

session_destroy();

setcookie(session_name(), '', time()-300, '/', '', 0);

 

[libertyct]

how can you tell the session is still active?

 

when i back page in Firefox it lets me go back into the site, and the validation code that i added on those pages reflects that a valid session is still active so the error message or the prompt to login does not work, but i do not seem to have this problem when i run the exact same script in IE.

[DarkWater]

Try my code.

[anon_login_001]

when i back page in Firefox

 

Do you mean you hit the back button?

 

Is this a Cacheing issue? After going Back, try using the Refresh button.

[libertyct]

when i back page in Firefox

 

Do you mean you hit the back button?

 

Is this a Cacheing issue? After going Back, try using the Refresh button.

 

i have to agree i think its a cacheing issue because as soon as i refresh, the validation code works. how best can i get around FireFox's cacheing behavior?

[revraz]

Not sure if it really matters, since they really shouldn't be able to perform any action on that page anyway, all they are seeing is what they were able to see before anyways.  If they perform any action, your validation code should kick in and not process it.

[ag3nt42]

i simply use

 

<?php

session_start(); //TO START

 

and

 

session_destroy(); // TO END

 

I have tested them both in IE7 and in FF2

 

I get zero problems but may just be the situation I guess..

however I don't allow the users to do anything with forms once they are logged out..

I deny access to the pages..

[revraz]

Yep, that does kill the session, but he's seeing the Cached page not the actual page.

[ag3nt42]

why is he sending users back to a form if they are logged out tho?

 

and if he is automatically redirecting them.. the back button shouldn't matter.. and he shouldn't be seeing a cached page.

[.josh]

He's talking about when the user clicks the back button on their browser.  Pressing the back button usually brings a cached page up.  It doesn't automatically send for a new page load. ..

[revraz]

Unless their browser is set to always check for new pages.

[ag3nt42]

So i have a simple logout script which runs the following lines of code:

 

<?php

session_start();

/*
when user logs out
destroy the array in the session object and redirect to the
default index page
*/

session_destroy();
echo '<meta http-equiv="refresh" content="0; url=index.php">'; 

?>

 

no it doesn't .. he is

 

with this script the user should not even have time to hit their back button

[DarkWater]

Please try my code.  Look, directly from the PHP manual:

 

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

 

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

 

Okay?  I know for a fact that my code works.

[ag3nt42]

in the php manual it states that session_destroy();

 

gets rid of ALL session data... this would obviously include $_SESSION

 

I use the $_SESSION and my values are destroyed

[DarkWater]

Please read the cookies part.

[ag3nt42]

I read that..

 

but if thats true the how come my login/logout script works?

 

it must be destroying it.

 

I"m not sayin for him not to try you code.. but it just seems like his problem is more the cached page problem.. in which he still shouldn't have a problem because he is automatically redirecting them.

[DarkWater]

If the cookies are destroyed, it might not cache it.

[ag3nt42]

my question is.. why does the cookies matter ne ways if he is not including them into his script?

 

if he isn't referencing to their script and the cookie simply holds the session ID then there should be no problem

[DarkWater]

The browser sees that it has the same cookies so it figures that it will have the same content, so it caches it.  =/  Now let's stop debating and wait for his response.

[libertyct]

@ DarkWater thanks your code works but I think revraz / ag3nt42 said it best, its the cached page that is being displayed and causing these problems.

 

I will explain it a little further. The page i am working on is a simple page with a list of items from a database, something like an inbox in yahoo as an example. When the users chooses to sign out from that page, the sign-out button takes them to a page that contains that sign-out script, the script runs and redirects the person to the default or sign-in page.

 

now the problem is, in IE when i sign-out, it works, and if i try to back-page after signing out, the validation code in the inbox page will detect an invalid session object and throw an error. On the other hand if i do the same sign-out and do a back page in FF, i will see the inbox page as it looked before i signed out so i have to refresh the page to clear the cache and to let the validation kick in.

 

this is automatically done in IE but not in FF?

[ag3nt42]

i still don't understand how you are using the back button if you've redirected the user from the logout page to the index page the back button should take then to the logout page again which would result in error

 

is your logout script a popup?

[LooieENG]

I don't understand what the problem is. What's wrong with them seeing the page if they saw it before? They shouldn't be pressing back anyway...

[PFMaBiSmAd]

If this is due to the form data being resubmitted, logging the person back in, the solution is for the page that is the target of the form's action="..." parameter to redirect to a different page. In this case the back button (or browsing) to the various pages won't result in the form data being resubmitted (works as expected in FF and IE.)

 

If this is not what is occurring, then we need to see the code along with an explanation of which file the problem occurs in and in which order the files are visited when the problem is occurring.

 

P.S. Unsetting the session cookie (or any other cookie) is a waste of time. All someone needs to do is make a copy of the cookie and put it back after you delete it. Logging someone out should only be dependent on information located on the server.

 

To the members asking why the back-button (or browsing to a page) and getting logged back in is a problem, suppose you log out and leave your desk. Anyone can walk up to your computer and hit the back-button or view the address history and select a page you were just on. Do you want them to become logged in?