Source: https://forums.phpfreaks.com/topic/183290-php-sessionslogouts-the-bloomin-back-button/

jarvis (November 29, 2009):

Hi All,

I've got a CMS that members can log into. When they logout, the session is destroyed; however, if you click the back button, you can get back into the CMS. How can I get around this?

My logout code has

```php
$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.
```

I've also tried adding this to my header file

```php
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

// This page begins the HTML header for the site.

// Start output buffering.
ob_start();

// Initialize a session.
session_start();
```

Am I doing something wrong?

thanks
MadTechie (November 29, 2009):

Hummm, when it goes back into the CMS, do they still have their access rights? Also, do you have a logged-in check at the start of the CMS page? ie

```php
session_start();
if (empty($_SESSION['UserID'])) header("Location: login.php");
```
jarvis (November 29, 2009):

Hi MadTechie,

They do still have their rights. The code on my login page is

```php
// Query the database.
$query = "SELECT user_id, name, acc_type FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";
$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

if (@mysql_num_rows($result) == 1) { // A match was made.

    // Register the values & redirect.
    $row = mysql_fetch_array ($result, MYSQL_NUM);
    mysql_free_result($result);
    mysql_close(); // Close the database connection.
    $_SESSION['user_id'] = $row[0];
    $_SESSION['name'] = $row[1];
    $_SESSION['acc_type'] = $row[2];

    // Start defining the URL.
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
        $url = substr ($url, 0, -1); // Chop off the slash.
    }
    // Add the page.
    $url .= '/category.php';

    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.
}
// ... (rest of the login handling)
```

Does that help?
MadTechie (November 29, 2009):

Okay, that's the login, that should stay the same. But what about pages inside the CMS? ie, just say you have 4 pages:

```text
index.php   // All users
members.php // Logged in members
login.php   // login (sets sessions)
admin.php   // Logged in admins only
```

Now, when someone goes to admin.php, the system checks to see if they are logged in and an administrator, and the same for members.php (but with lower access rights).

What's the code to check the access right on the page itself?
jarvis (November 29, 2009):

Sorry, the code on the pages is like:

```php
// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['name'])) {

    // Start defining the URL.
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
        $url = substr ($url, 0, -1); // Chop off the slash.
    }
    // Add the page.
    $url .= '/index.php';

    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.

} else {
    //run the script...
```

Some pages use an id as well depending on what rights the user has.

THANKS
MadTechie (November 29, 2009):

Can you post the full logout route/script? If the above is the full script then you have missed the session_start(); from the start!
jarvis (November 29, 2009):

Ok, here's 4 scripts:

- login
- a secure page
- the header include
- logout

Login
*****

```php
<?php
// This is the login page for the site.

// Include the configuration file for error management and such.
require_once ('./includes/config.inc.php');

// Set the page title and include the HTML header.
$page_title = 'Login';
include ('./includes/header.html');

if (isset($_POST['submitted'])) { // Check if the form has been submitted.

    require_once ('../mysql_connect.php'); // Connect to the database.

    // Validate the email address.
    if (!empty($_POST['email'])) {
        $e = escape_data($_POST['email']);
    } else {
        echo '<p class="error">You forgot to enter your email address!</p>';
        $e = FALSE;
    }

    // Validate the password.
    if (!empty($_POST['pass'])) {
        $p = escape_data($_POST['pass']);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.

        // Query the database.
        $query = "SELECT user_id, name, acc_type FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";
        $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

        if (@mysql_num_rows($result) == 1) { // A match was made.

            // Register the values & redirect.
            $row = mysql_fetch_array ($result, MYSQL_NUM);
            mysql_free_result($result);
            mysql_close(); // Close the database connection.
            $_SESSION['user_id'] = $row[0];
            $_SESSION['name'] = $row[1];
            $_SESSION['acc_type'] = $row[2];

            // Start defining the URL.
            $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
            // Check for a trailing slash.
            if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
                $url = substr ($url, 0, -1); // Chop off the slash.
            }
            // Add the page.
            $url .= '/category.php';

            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.

        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }

    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysql_close(); // Close the database connection.

} // End of SUBMIT conditional.
?>
```

Secure page
***********

```php
<?php
// This page allows users to add categories to the database.

// Set the page title and include the HTML header.
$page_title = 'Add a Category';
include ('./includes/header.html');
include('saveThumbCategories.php');

// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['name'])) {

    // Start defining the URL.
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
        $url = substr ($url, 0, -1); // Chop off the slash.
    }
    // Add the page.
    $url .= '/index.php';

    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.

} else {
    // ... the rest of the page runs here ...
?>
```

The header include has
**********************

```php
<?php
// This page begins the HTML header for the site.

// Start output buffering.
ob_start();

// Initialize a session.
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
```

Logout
******

```php
<?php
// This is the logout page for the site.

// Include the configuration file for error management and such.
require_once ('./includes/config.inc.php');

// Set the page title and include the HTML header.
$page_title = 'Logout';
include ('./includes/header.html');

// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['first_name'])) {

    // Start defining the URL.
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
        $url = substr ($url, 0, -1); // Chop off the slash.
    }
    // Add the page.
    $url .= '/index.php';

    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.

} else { // Logout the user.

    $user_id = $_SESSION['user_id'];
    require_once('../mysql_connect.php'); // Connect to the db

    // Create a new, random password.
    $p = substr ( md5(uniqid(rand(),1)), 3, 10);

    // Make the query.
    $query = "UPDATE users SET pass=SHA('$p') WHERE user_id=$user_id";
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

    if (mysql_affected_rows() == 1) { // If it ran OK.
        #echo 'pw reset';
    }

    // Send an email.
    $body = "Your password to log into Lemon Ribbon has been temporarily changed to '$p'. Please log in using this password and your username. At that time you may change your password to something more familiar.";
    #mail ($_POST['email'], 'Your temporary password.', $body, 'From: admin@sitename.com');
    mail ('test@test.co.uk', 'Your temporary password.', $body, 'From: admin@sitename.com');

    echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "Change Password" link.</h3>';

    mysql_close(); // Close the database connection.

    $_SESSION = array(); // Destroy the variables.
    session_destroy(); // Destroy the session itself.
    setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.
}

// Print a customized message.
echo "<h3>You are now logged out.</h3>";

include ('./includes/footer.html');
?>
```

Does that help at all? Thank you for your time & assistance on this, it's very much appreciated!
PFMaBiSmAd (November 29, 2009):

Add the following two lines of code immediately after your first opening <?php tag in the logout code:

```php
ini_set("display_errors", "1");
error_reporting(E_ALL);
```

Why is your logout code testing $_SESSION['first_name']? Your log in code is not setting that, so it is highly likely that your log out code is not doing what you think.

Also, why is your log out code producing and assigning a new password every time someone logs out?
jarvis (November 30, 2009):

Hi PFMaBiSmAd,

What will those lines of code show?

Also, that is an error on my part, the logout script shouldn't use first_name but name.

As for the new password on signout, this is something that's required. The idea is that when they logout, the password is reset & the member has to request a new log in. Something the client wanted!

Thanks
jarvis (November 30, 2009):

Hi,

It was the first_name not name issue in the logout script! Thank you so much!
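The root cause in this thread is a guard that tests a session key (`first_name`) the login script never sets, so the logout page redirects to index.php before it ever reaches `session_destroy()`, and the still-valid session is what the Back button lands on. The following is an added example, not code from the thread or from jarvis's site: a single include that keeps the login, the per-page guard and the logout agreed on one session key, rotates the session id at login, expires the cookie with the same attributes it was set with, and sends no-store headers so Back re-requests the page instead of replaying a cached copy. File names (`auth.inc.php`, `index.php`) and function names are assumptions for illustration; the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later.

```php
<?php
// auth.inc.php (added example; names are hypothetical)
declare(strict_types=1);

// One constant shared by login, guard and logout. The thread's bug was three
// places disagreeing about which key means "logged in".
const SESSION_USER_KEY = 'user_id';

// Tell browsers and proxies not to keep a copy of protected pages, so the Back
// button re-requests them and hits the guard instead of showing stale HTML.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                       // session cookie, gone when the browser closes
        'path'     => '/',
        'httponly' => true,                    // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called after the password check succeeds. Rotating the id means a session
// id handed to the victim before login (fixation) is not the one that is
// authenticated afterwards.
function login_user(int $userId, string $name, string $accType): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION[SESSION_USER_KEY] = $userId;
    $_SESSION['name']           = $name;
    $_SESSION['acc_type']       = $accType;
}

// First line of every protected page, before any output.
function require_login(string $redirectTo = 'index.php'): void
{
    start_secure_session();
    send_no_cache_headers();
    if (empty($_SESSION[SESSION_USER_KEY])) {
        header('Location: ' . $redirectTo, true, 303);
        exit;
    }
}

// Role check on top of the login check (acc_type is the column the thread's
// login stores; the role names are an assumption).
function require_role(string $role): void
{
    require_login();
    if (($_SESSION['acc_type'] ?? '') !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Clear server-side state AND expire the cookie with the attributes it was
// set with, otherwise some browsers keep sending the old cookie.
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();
    send_no_cache_headers();
}

// logout.php would then be just:
//   require_once 'auth.inc.php';
//   require_login();              // same key the login set, so this branch is reached
//   logout_user();
//   header('Location: index.php', true, 303);
//   exit;
```

Two checks worth doing once this is in place: first, after logging out, press Back and then reload or click any link on the page; with a destroyed session the guard must redirect, and if it does, any content that appeared on the first Back press was only the browser's cached copy, which `no-store` suppresses in most browsers. Second, confirm with the server's session storage that the session file is actually gone after logout, rather than trusting the "You are now logged out" message, which in the thread's script printed even on the path that never destroyed anything.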