
Sessions and Cookies


samona


Hi,


I want to end a session when a registered user is asked to login again but enters the incorrect credentials.  I'm destroying the session and taking the user back to the login page, but for some reason when s/he clicks "back" on the browser s/he is able to get back into her/his account.  Any ideas?


You could implement some sort of redirect or page refresh into some of your pages. Put it within an if statement so it doesn't continuously refresh or reload over and over.


This is JavaScript, but I use it sometimes after a database insert or form submit to keep people from being able to refresh the page or hit the back button and submit the same form twice.

<script type="text/javascript">
<!--
window.location = "http://www.google.com/"
//-->
</script>


If an administrator is logged in and wishes to visit the admin pages he is required to log in. However, if his login fails he is sent to the login page and his session is destroyed. Also, if a regular user attempts to log in to the admin pages, his session is destroyed and he is sent back to the login page. However, if he clicks back, he is still able to get into his account. It seems as though the session isn't really destroyed.

if (!$session->isAdmin()) {
    $session->destroySession();
    header('Location: ../login.php');
    exit();
}

public function destroySession()
{
    $_SESSION = array();
    session_destroy();
}


I don't know why they called it session_destroy(). It does not really destroy the session. The session data file is left on the server and the session cookie is left on the client. If you look at the manual for that function, the first example given does a lot more than call session_destroy(). Here is the code from the example:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>


It may be sufficient to clear the $_SESSION array, since that will remove all data from the session. Even if they go back to a previous page, a call to session_start() would result in an empty $_SESSION array, which should mean that there is NOT a logged in user.
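The following is an added example, not code from any of the posters above or from the PHP manual. It puts the manual's three-step teardown (clear $_SESSION, expire the session cookie, session_destroy()) into a reusable function and adds the two things that usually explain why "back" still shows the account page: the browser replaying a cached copy of the page without contacting the server, and the old session id continuing to be accepted. It replaces the thread's $session->isAdmin() object with plain $_SESSION keys named user_id and is_admin; those key names, the require_admin() and login_success() function names, and the ../login.php target are assumptions for illustration. The array form of setcookie() and the samesite cookie parameter need PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). Assumed session layout:
//   $_SESSION['user_id']  - id of the authenticated user
//   $_SESSION['is_admin'] - true for administrators

function invalidate_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every value held in the session for this request.
    $_SESSION = [];

    // 2. Expire the session cookie on the client so the old id is no longer
    //    presented. Reuse the configured cookie parameters so the browser
    //    matches the cookie we are trying to remove.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Remove the server-side session data so the id cannot be reused.
    session_destroy();
}

function require_admin(): void
{
    session_start();

    // Authenticated pages must not be stored by the browser or intermediaries.
    // Without this the back button renders a cached copy of the page and the
    // server never gets a chance to check the (now empty) session.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        invalidate_session();
        header('Location: ../login.php');
        exit();
    }
}

function login_success(int $userId, bool $isAdmin): void
{
    // Issue a new session id whenever privilege changes so a session id that
    // existed before login (or that an attacker planted) is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}
```

Call require_admin() at the top of every admin page before any output is sent, and login_success() only after the credentials have been verified. With the cache headers in place, pressing "back" forces the browser to re-request the page, require_admin() finds no user_id in the fresh, empty session, and the user is sent to login.php rather than seeing stale account data.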


This topic is now archived and is closed to further replies.