need help w/session_destroy()

[drranch]

:-\

I'm using a logout script, but when I select the back browser button I'm still logged in.  Here is the code.....

session_start();

if(!isset($_REQUEST['logmeout'])){
    echo "<center>Are you sure you want to logout?</center><br />";
    echo "<center><a href=logout.php?logmeout=true>Yes</a> |
    <a href=javascript:history.back()>No</a>";
} else {
session_destroy();
}
?>

[drranch]

so I figured out that this only ends the session on the file system and not the session cookie from the browser.  How would I remove the session cookie from the browser? ???

[Moon-Man.net]

Its a bit of a hack, but maby set it to something that isnt going to be valid. EG  i use "in" and "out" for my logged in session, and it just gets set to "als;dfjnasf" if they are logged out.
and when i validate if they are logged in, obviousally "asdfaSDF" isnt a valid entry, so it rejects them.
Might help.
Cheers,
Nathan

[redarrow]

A session is set untill you close the browser ok.


you could try unset($session_name); ok

[Rich464]

when wanting to end a session it is essential that you unset any session variables you have previously set, eg,

session_start();

if(!isset($_REQUEST['logmeout'])){
    echo "<center>Are you sure you want to logout?</center>";
    echo "<center><a href=logout.php?logmeout=true>Yes[/url] |
    <a href=javascript:history.back()>No[/url]";
} else {
[color=green]unset($_SESSION['session_var_here']);[/color]
session_destroy();
}
?>

so you need to use unset(); on any session vars before you call session_destroy() or you will get the the problem you detailed

[redarrow]

Also read this as a refrence ok.


session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

[Rich464]

assuming that the unique session ID is used as part of the authentication method otherwise there is no need to delete the cookie only to unset any global session variables and to call the session destroy function

[redarrow]

god dam your grate rich!

[Rich464]

if that was supposed to say 'great' then thanx :)

but not as great as these forums ;)

[drranch]

???

So I added the unset $_SESSION["session_id"], but I'm still logged in when I select the browsers back button.  ::)

I'm reading up on this schtuff at .....http://www.captain.at/howto-php-sessions.php

And its making sense more and more....