
cookie deletion upon logging off in php

 
jayadiesel

External


Since: Oct 02, 2008
Posts: 3



(Msg. 1) Posted: Thu Oct 02, 2008 12:29 am
Post subject: cookie deletion upon logging off in php
Archived from groups: alt>php>sql (more info?)

I have developed a localhost site utilizing sessions with a cookie. I
found this issue somehow:
after navigating for some time, I wanted to log out (and
inherently delete the session with session_destroy()).
To my surprise, when I pressed the back button, a dialog window popped up
saying " ...
do you want to resend the...."
The username and the password were reclaimed from the cookie, and
I got back into my site without being
authenticated...
J.O. Aho

External


Since: May 31, 2006
Posts: 2034



(Msg. 2) Posted: Thu Oct 02, 2008 7:23 pm
Post subject: Re: cookie deletion upon logging off in php
Archived from groups: per prev. post (more info?)

jayadiesel DeleteThis @gmail.com wrote:
> I have developed a localhost site utilizing sessions with a cookie. I
> found this issue somehow:
> after navigating for some time, I wanted to log out (and
> inherently delete the session with session_destroy()).
> To my surprise, when I pressed the back button, a dialog window popped up
> saying " ...
> do you want to resend the...."
> The username and the password were reclaimed from the cookie, and
> I got back into my site without being
> authenticated...

Try this instead:

When you receive the logout, do

$_SESSION=null;
session_destroy();
header('Location: '.$urltofirstpage);

First of all, you are cleaning out the data in the session,
and the redirect with header will ensure that you won't get the question about
the "reposting". Killing a cookie needs an extra page for it to really be killed.

--

//Aho
jayadiesel

External


Since: Oct 02, 2008
Posts: 3



(Msg. 3) Posted: Fri Oct 03, 2008 2:31 pm
Post subject: Re: cookie deletion upon logging off in php
Archived from groups: per prev. post (more info?)

>
> $_SESSION=null;
> session_destroy();
> header('Location: '.$urltofirstpage);
>
> First of all, you are cleaning out the data in the session,
> and the redirect with header will ensure that you won't get the question about
> the "reposting". Killing a cookie needs an extra page for it to really be killed.
>
> --
>
> //Aho

My code goes here:

session_unset();
session_destroy();
header("Location: ../login.php");
Yet it was no help. I keep pressing the back button, and when the
browser offers 'repost'
I can still get in. Moreover, on one occasion when the browser ended
inadvertently, on the next start the browser
offered to restore the previous session, and I still got back into my site. I
don't know if this is a browser-specific issue or PHP.
I used session_regenerate_id() after session_start().
jayadiesel

External


Since: Oct 02, 2008
Posts: 3



(Msg. 4) Posted: Fri Oct 03, 2008 2:36 pm
Post subject: Re: cookie deletion upon logging off in php
Archived from groups: per prev. post (more info?)

> $_SESSION=null;
> session_destroy();
> header('Location: '.$urltofirstpage);
>
My code is somewhat similar:
session_unset();
session_destroy();
header("location: ./login.php");
On one occasion when the browser crashed or got killed, and I restarted
the browser, it offered to restore the previous session and I could get in,
bypassing the authentication. I wonder if this is a browser-specific
issue (I used Mozilla).
J.O. Aho

External


Since: May 31, 2006
Posts: 2034



(Msg. 5) Posted: Sat Oct 04, 2008 3:09 am
Post subject: Re: cookie deletion upon logging off in php
Archived from groups: per prev. post (more info?)

jayadiesel.DeleteThis@gmail.com wrote:
>> $_SESSION=null;
>> session_destroy();
>> header('Location: '.$urltofirstpage);
>>
> my code is somewhat similar
> session_unset();
> session_destroy();
> header("location: ./login.php");

You haven't ensured that the session is empty; just using destroy by itself
won't do the trick, and it seems you need to kill the cookie itself too.

http://www.php.net/manual/en/function.session-destroy.php

session_unset() should only be used with PHP 4.0.6 or earlier.


> On one occasion when the browser crashed or got killed, and I restarted
> the browser, it offered to restore the previous session and I could get in,
> bypassing the authentication. I wonder if this is a browser-specific
> issue (I used Mozilla).

All Mozilla browsers should drop the session cookies when they have been closed;
I'm not sure how it is when they are restoring. It could be set with about:config by
changing the right setting.

But see to it that you empty the session variable and kill the cookie too; even if you get
a repost request when going back, you should at least have got rid of the
session.

--

//Aho
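
The logout steps discussed in this thread (empty the session, expire the session cookie, destroy the session, redirect), as an added example that is not code from any poster. It goes beyond the replies by adding a guard for protected pages and a one-time login-form token, so a login POST re-sent from the back button or a restored tab is refused. The file name auth.php, the keys 'user_id' and 'login_token', and the path /login.php are assumptions.

```php
<?php
// auth.php: added example. 'user_id', 'login_token' and /login.php are assumed names.
declare(strict_types=1);

// Call from logout.php. Performs the steps from the replies, in order.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // attach to the session so it can be destroyed
    }
    $_SESSION = [];                   // empty the session data for this request
    if (ini_get('session.use_cookies')) {
        // Expire the browser's session cookie with the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // delete the server-side session record
    header('Location: /login.php', true, 303);   // redirect, as in the reply above
    exit;
}

// Call at the top of every protected page.
function require_login(): void
{
    session_start();
    header('Cache-Control: no-store');           // keep protected pages out of the Back cache
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

// Login form (GET): issue a one-time token and embed it in a hidden field.
function issue_login_token(): string
{
    return $_SESSION['login_token'] = bin2hex(random_bytes(16));
}

// Login handler (POST): accept each token once, so a re-sent login POST is refused.
function consume_login_token(string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? '';
    unset($_SESSION['login_token']);
    return $expected !== '' && hash_equals($expected, $submitted);
}
```

The login handler should also answer a successful POST with a redirect, so the page the user lands on is reached by GET and the back button has no credential POST to replay.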