php sessions,logouts & the bloomin back button!

[jarvis]

Hi All,

 

I've got a cms that members can log into. When they logout, the session is destroyed, however, if you click the back button, you can get back into the CMS.

 

How can I get around this?

My logout code has

$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.

I've also tried adding this to my header file

// HTTP/1.1
        header("cache-Control: no-store, no-cache, must-revalidate");
        header("cache-Control: post-check=0, pre-check=0", false);
        // HTTP/1.0
        header("Pragma: no-cache");
        // Date in the past
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        // always modified
        header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 

// This page begins the HTML header for the site.

// Start output buffering.
ob_start();

// Initialize a session.
session_start(); 

 

Am i doing something wrong?

 

thanks

[MadTechie]

Hummm, when it goes back into the CMS, do they still have their access rights ?

also do you have a logged in check at the start of the CMS page ?

ie

session_start();
if(empty($_SESSION['UserID'])) header("Location: login.php");

[jarvis]

Hi MadTechie,

 

They do still have there rights. The code on my login page is

	// Query the database.
	$query = "SELECT user_id, name, acc_type FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";	
	$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

		if (@mysql_num_rows($result) == 1) { // A match was made.

		// Register the values & redirect.
		$row = mysql_fetch_array ($result, MYSQL_NUM); 
		mysql_free_result($result);
		mysql_close(); // Close the database connection.
		$_SESSION['user_id'] = $row[0];
		$_SESSION['name'] = $row[1];
		$_SESSION['acc_type'] = $row[2];

		// Start defining the URL.
		$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
		// Check for a trailing slash.
		if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
			$url = substr ($url, 0, -1); // Chop off the slash.
		}

		// Add the page.
		$url .= '/category.php';

		ob_end_clean(); // Delete the buffer.	
		header("Location: $url");
		exit(); // Quit the script.

 

Does that help?

[MadTechie]

Okay thats the login, that should stay the same,

But what about pages inside the CMS,

 

ie

Just say you have 4 pages

index.php //All users

members.php //Logged in members

login.php //login (sets sessions)

admin.php //Logged in admins only

 

Now, when someone goes to admin.php, the system checks to see if they are logged in and an administrator..

and the same for members.php (but with lower access rights)

 

What's the code to check the access right on the page irself ?

[jarvis]

Sorry, the code on the pages is like:

// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['name'])) {

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
	$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';

ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

} else {
//run the script...

Some pages use an id as well depending on what rights the user has.

 

THANKS

[MadTechie]

Can you post the full logout route/script..

if the above is the full script then you have missed the

session_start(); 

from the start!

[jarvis]

Ok, here's 4 scripts:

- login

- a secure page

- the header include

- logout

 

Login

*****

<?php 
// This is the login page for the site.

// Include the configuration file for error management and such.
require_once ('./includes/config.inc.php'); 

// Set the page title and include the HTML header.
$page_title = 'Login';
include ('./includes/header.html');

if (isset($_POST['submitted'])) { // Check if the form has been submitted.

require_once ('../mysql_connect.php'); // Connect to the database.

// Validate the email address.	
if (!empty($_POST['email'])) {
	$e = escape_data($_POST['email']);
} else {
	echo '<p class="error">You forgot to enter your email address!</p>';
	$e = FALSE;
}

// Validate the password.
if (!empty($_POST['pass'])) {
	$p = escape_data($_POST['pass']);
} else {
	$p = FALSE;
	echo '<p class="error">You forgot to enter your password!</p>';
}

if ($e && $p) { // If everything's OK.

	// Query the database.
	$query = "SELECT user_id, name, acc_type FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";	
	$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

		if (@mysql_num_rows($result) == 1) { // A match was made.

		// Register the values & redirect.
		$row = mysql_fetch_array ($result, MYSQL_NUM); 
		mysql_free_result($result);
		mysql_close(); // Close the database connection.
		$_SESSION['user_id'] = $row[0];
		$_SESSION['name'] = $row[1];
		$_SESSION['acc_type'] = $row[2];

		// Start defining the URL.
		$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
		// Check for a trailing slash.
		if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
			$url = substr ($url, 0, -1); // Chop off the slash.
		}

		// Add the page.
		$url .= '/category.php';

		ob_end_clean(); // Delete the buffer.	
		header("Location: $url");
		exit(); // Quit the script.

	} else { // No match was made.
		echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>'; 
	}

} else { // If everything wasn't OK.
	echo '<p class="error">Please try again.</p>';		
}

mysql_close(); // Close the database connection.

} // End of SUBMIT conditional.
?>

 

Secure page

***********

<?php 
// This page allows users to add categories to the database.

// Set the page title and include the HTML header.
$page_title = 'Add a Category';
include ('./includes/header.html');
include('saveThumbCategories.php');

// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['name'])) {

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
	$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';

ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

} else {
?>

 

The header include has

**********************

<?php 
// This page begins the HTML header for the site.

// Start output buffering.
ob_start();

// Initialize a session.
session_start(); 


?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

 

Logout

******

<?php 
// This is the logout page for the site.

// Include the configuration file for error management and such.
require_once ('./includes/config.inc.php'); 

// Set the page title and include the HTML header.
$page_title = 'Logout';
include ('./includes/header.html');

// If no first_name variable exists, redirect the user.
if (!isset($_SESSION['first_name'])) {

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
	$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';

ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

} else { // Logout the user.
		$user_id = $_SESSION['user_id'];

		require_once('../mysql_connect.php');// Connect to the db

		// Create a new, random password.
		$p = substr ( md5(uniqid(rand(),1)), 3, 10);

		// Make the query.
		$query = "UPDATE users SET pass=SHA('$p') WHERE user_id=$user_id";		
		$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
		if (mysql_affected_rows() == 1) { // If it ran OK.
			#echo 'pw reset';
		}


		// Send an email.
		$body = "Your password to log into Lemon Ribbon has been temporarily changed to '$p'. Please log in using this password and your username. At that time you may change your password to something more familiar.";
		#mail ($_POST['email'], 'Your temporary password.', $body, 'From: admin@sitename.com');
		mail ('test@test.co.uk', 'Your temporary password.', $body, 'From: admin@sitename.com');
		echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "Change Password" link.</h3>';
		mysql_close(); // Close the database connection.


$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.

}

// Print a customized message.

echo "<h3>You are now logged out.</h3>";

include ('./includes/footer.html');
?>

 

Does that help at all? Thank you for your time & assistance on this, it's very much appreciated!

[PFMaBiSmAd]

Add the following two lines of code immediately after your first opening <?php tag in the logout code -

ini_set("display_errors", "1");
error_reporting(E_ALL);

 

Why is your logout code testing $_SESSION['first_name']? Your log in code is not setting that, so it is highly likely that your log out code is not doing what you think.

 

Also, why is your log out code producing and assigning a new password every time someone logs out?

[jarvis]

Hi PFMaBiSmAd

 

What will those lines of code show? Also, that is an error on my part, the logout script shouldn't used first_name but name.

 

As for the new password on signout, this is something that's required. The idea is that when they logout, the password is reset & the member has to request a new log in. Something the client wanted!

 

Thanks

[jarvis]

Hi,

 

It was the first_name not name issue in the logout script! Thank you so much!