[nycphp-talk] Cannot unset $_POST during logout

Hans Zaunere lists at zaunere.com
Wed Jul 20 15:12:58 EDT 2005



On Wednesday, July 20, 2005 12:08 PM, talk-bounces at lists.nyphp.org
wrote: 
> Hello,
> I can't figure this out. I'm trying to make it so once a user
> logs out, they cannot hit back and be logged back in - which
> I'm sure is trivial, but for some reason does not work with my code.
> Here is the code snippet from the beginning of index.php
> (which handles $_POST and $_GET and does
> authentication/signup/proper page display):
> 
> <?
> session_start();
> require_once ("../conf/app.conf");
> 
> $page = new Page();
> 
> if ($_GET) {
>         $get = input_process($_GET);
>         if ($get['a'] == "signup") {
>                 $page->body .= build_signup();
>                 $page->body .= build_survey();
>                 $page->htmlBuild("index");
>                 exit;
>         }
> 
>         if ($get['a'] == "logout") {
>                 unset($_POST);
>                 unset($_GET);
>                 unset($_SESSION);
>                 session_unset();
>                 session_destroy();
>                 $page->body = "You were successfully logged out";
>                 $page->htmlBuild("index");
>                 exit;
>         }
> 
> }
> 
> 
> 
> The code goes on for much more after that, but I would think
> these are the relevant parts.
> I also tried inserting various header() cache control things,
> but that didn't work either. If I print_r($_POST) after I call
> the unset()'s and session_destroy() it's empty, so somehow the
> browser caches the $_POST and does not honor
> 
> header("Cache-Control: no-store, no-cache, must-revalidate");
> 
> which I used to have at the beginning of this page (after
> session_start() and before require_once()).
> I also tried replacing unset() with $_SESSION = array() and
> same for $_POST and $_GET, but it still caches.
> There are checks in the code for various $_SESSION vars to be
> set to gain access to certain data, so you would think
> unset($_SESSION) would prevent access, but it doesn't.
> Here is one of the checks:
> 
> if (count($_SESSION['user']) > 1) {
> 	echo "<br>This is protected content, only for authenticated users.";
> } else {
> 	echo "<br>This is general content for everyone.";
> }
> 
> That is in the html that gets called by the $page->htmlBuild
> function, and it still gets bypassed due to caching (of $_POST I
> would assume). So I am a little confused now. I looked at some other
> code and it looks like checking for certain $_SESSION vars being
> set is an acceptable authentication verification method, but
> it fails for me.

There are a couple of different issues here.

Number one is to destroy the session, which you're doing.  The basic procedure at:

http://us2.php.net/session_destroy 

should suffice.

Now regardless of whether the user hits the back button or not, his session will be dead.  Keep in mind that sessions are stored on the server, and once you destroy it, and properly handle any cookies if they exist, you've effectively logged them out.

$_POST and $_GET will be set in PHP regardless of a session.  They are created automatically if there's such a request from the browser, and shouldn't be depended on for a session.  Instead, the state of the session, using the functions in the above URL, should be used to qualify whether a session is active, and thus if they have the correct credentials.  Then, $_GET and $_POST can be acted upon accordingly.

Hope that helps a little,


---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP
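As an added example (not code from this thread or from NYPHP), here is a logout and a session-based access check along the lines Hans describes: clear $_SESSION, expire the session cookie, destroy the server-side session, send no-cache headers so "Back" forces a fresh request, and decide access from $_SESSION alone rather than from $_POST or $_GET. The file names in the comments and the $_SESSION['user']['id'] field are assumptions; the questioner's code only shows that $_SESSION['user'] is an array.

```php
<?php
// Added example, not the thread's own code. File names (logout.php,
// members.php) and the 'id' field inside $_SESSION['user'] are assumptions.

// --- logout.php ---
function do_logout()
{
    session_start();

    // 1. Clear the session data held on the server side. Assigning an
    //    empty array is preferred over unset($_SESSION), which breaks
    //    the superglobal for the rest of the request.
    $_SESSION = array();

    // 2. Expire the session cookie in the browser so the old session ID
    //    is not sent again on the next request (from the php.net
    //    session_destroy() procedure).
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params['path'], $params['domain'],
            $params['secure'], $params['httponly']);
    }

    // 3. Destroy the server-side session record.
    session_destroy();

    // 4. Tell the browser not to cache this page. These headers must be
    //    sent before any output, and every authenticated page should send
    //    them too; otherwise "Back" can redisplay a cached copy without
    //    ever contacting the server.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    echo "You were successfully logged out";
}

// --- members.php (protected content) ---
function is_authenticated()
{
    // Authorization comes only from server-side session state.
    // $_POST and $_GET are populated from whatever the browser sends and
    // prove nothing about who the user is.
    return isset($_SESSION['user'])
        && is_array($_SESSION['user'])
        && !empty($_SESSION['user']['id']);   // 'id' is an assumed field
}

function show_page()
{
    session_start();
    // Same no-cache headers on the protected page, so a logged-out user
    // pressing "Back" gets a new request that lands in the else branch.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (is_authenticated()) {
        echo "<br>This is protected content, only for authenticated users.";
    } else {
        echo "<br>This is general content for everyone.";
    }
}
```

Wire do_logout() to the `a=logout` branch and show_page() to the protected page. After do_logout() runs, the session record is gone and the cookie is expired, so a resubmitted $_POST from a cached form arrives with no session behind it and is_authenticated() returns false regardless of what the browser resends.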



