[nycphp-talk] Cannot unset $_POST during logout
max
max at neuropunks.org
Wed Jul 20 12:07:32 EDT 2005
Hello,
Can't figure this out. I'm trying to make it so once a user logs out, they cannot hit back and be logged back in - which I'm sure is trivial, but for some reason does not work with my code.
Here is the code snippet from the beginning of index.php (which handles $_POST and $_GET and does authentication/signup/proper page display):
<?php
session_start();
require_once("../conf/app.conf");
$page = new Page();
if ($_GET) {
    $get = input_process($_GET);
    // array keys quoted: a bare `a` is an undefined constant, not a string
    if ($get['a'] == "signup") {
        $page->body .= build_signup();
        $page->body .= build_survey();
        $page->htmlBuild("index");
        exit;
    }
    if ($get['a'] == "logout") {
        // clear request and session data, then tear the session down
        unset($_POST);
        unset($_GET);
        unset($_SESSION);
        session_unset();
        session_destroy();
        $page->body = "You were successfully logged out";
        $page->htmlBuild("index");
        exit;
    }
}
?>
The code goes on for much more after that, but I would think these are the relevant parts.
I also tried inserting various header() cache control things, but that didn't work either. If I print_r($_POST) after I call unset()'s and session_destroy() it's empty, so somehow the browser caches the $_POST and does not honor
header("Cache-Control: no-store, no-cache, must-revalidate");
which I used to have at the beginning of this page (after session_start() and before require_once())
I also tried replacing unset() with $_SESSION = array() and the same for $_POST and $_GET, but it still caches.
There are checks in the code for various $_SESSION vars to be set to gain access to certain data, so you would think unset($_SESSION) would prevent access, but it doesn't.
Here is one of the checks:
// key quoted: `user` unquoted would be an undefined constant
if (count($_SESSION['user']) > 1) {
    echo "<br>This is protected content, only for authenticated users.";
} else {
    echo "<br>This is general content for everyone.";
}
That is in the html that gets called by the $page->htmlBuild function, and it still gets bypassed due to caching (of $_POST I would assume).
So I am a little confused now, I looked at some other code and it looks like checking for certain $_SESSION vars being set is an acceptable authentication verification method, but it fails for me.
Thanks for any input!
max
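Added example, not part of the post above and not max's code: the pattern that usually resolves this. The symptom described (pressing Back after logout restores the logged-in state) is typically not $_POST being "cached" by PHP but the browser re-submitting the login form's POST, or redisplaying a cached copy of the authenticated page, when the user navigates back. A logout handler therefore has to expire the session cookie in the browser as well as destroy the server-side data, and the login step should answer the POST with a redirect (Post/Redirect/Get) so the credentials are never in the history to be replayed. The PHP manual also warns against unset($_SESSION): it breaks session handling for the remainder of the request, so the array is emptied instead. The names check_credentials(), login.php, index.php and the in-memory user table are assumptions made for this example.

```php
<?php
// Added example (not the original poster's code). Assumed names:
// check_credentials(), /login.php, /index.php, and a constructed user table.
session_start();

// Constructed user table: a real application would read hashes from storage.
$USERS = ['max' => password_hash('example-password', PASSWORD_DEFAULT)];

function check_credentials(string $user, string $pass): bool
{
    global $USERS;
    // password_verify is constant-time over the hash; unknown users
    // are rejected the same way as wrong passwords.
    return isset($USERS[$user]) && password_verify($pass, $USERS[$user]);
}

function logout_and_redirect(string $target): void
{
    // 1. Empty the session array; do NOT unset($_SESSION), which disables
    //    session handling for the rest of the request.
    $_SESSION = [];

    // 2. Expire the session cookie so the browser can never present the
    //    old ID again, even if the server-side data outlives session_destroy().
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session data.
    session_destroy();

    // 4. Forbid caching of this response and redirect with a GET (303),
    //    so neither the logout URL nor a POST is left in the history.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Location: ' . $target, true, 303);
    exit;
}

function handle_login(array $post): void
{
    if (!isset($post['user'], $post['pass'])
        || !check_credentials((string)$post['user'], (string)$post['pass'])) {
        header('Location: /login.php?err=1', true, 303);
        exit;
    }
    // Issue a fresh session ID when privilege changes (prevents fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = ['name' => $post['user'], 'login_at' => time()];

    // Post/Redirect/Get: Back now lands on a GET page, not on the
    // credential POST, so it cannot be replayed by the browser.
    header('Location: /index.php', true, 303);
    exit;
}

// Dispatch: authentication state is read only from the session, never
// from $_POST, so a replayed POST without valid credentials gains nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'])) {
    handle_login($_POST);
}
if (isset($_GET['a']) && $_GET['a'] === 'logout') {
    logout_and_redirect('/index.php?loggedout=1');
}

// Every authenticated page also opts out of caching, so Back after logout
// cannot show a stale copy of protected content.
header('Cache-Control: no-store, no-cache, must-revalidate');
$authenticated = isset($_SESSION['user']['name']);
echo $authenticated
    ? "<br>This is protected content, only for authenticated users."
    : "<br>This is general content for everyone.";
```

The check at the bottom tests a specific key ($_SESSION['user']['name']) rather than count($_SESSION['user']) > 1, which makes the intent explicit and is not satisfied by leftover array entries. The no-store header is sent on the protected page itself, not only on the logout response, because it is the protected page the browser would otherwise serve from its history cache.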