Hi there,
A couple of days ago, I implemented some session management (so a user can login and logout).
This all seems to work fine until after logging out, I pressed the back-button of the browser. As far as I can remember from quite some time ago (older PHP), of what happened now, did not happen then.
Let's first explain what I do.
On login, start a session:
session_start();
$_SESSION["var1"] = $value;
// and some more session variables
When someone accesses a page (so after login, the check is like this):
session_start();
if(isset($_SESSION["var1"]) && isset($_COOKIE[session_name()])) {
// Some more checking of the values
}
When logging out, destroy the session:
session_start(); // start so the session data can be removed
$_SESSION = array(); // Clear variables
setcookie(session_name(),"",0,"/"); // Remove the cookie from the clients browser
session_destroy(); // Destroy the session so it is removed.
header("Location: index.php"); // redirect
Everything works fine, so if you're logged out, you can't visit pages anymore (the cookie is removed); unless the back-button of the browser is clicked, which returns to the previous page after the logout.
And that is where it goes wrong. All pages in the session are nocache first of all (php.ini) and I tried overriding the setting manually as well (didn't help). The browser returns and now the most strange thing happens.
The page is parsed and executed again, and a NEW session is started, containing the OLD data of the old session. This all I could see due to the change of the number of the session. As well as after logout the original session-file (in .../tmp) is actually DESTROYED, it is removed from the directory. But after the back-button press a new file has appeared, with a new number, but with the old values of the destroyed session.
Perhaps my session-checking is wrong, but checking the cookie variable before starting a session does not help. The browser appears to send an old cookie (when back is pressed), as the $COOKIE[session_name()] does contain a new value as well as the $GET[session_name()] at the same time.
This behaviour seems to be very odd to me, as after ending a session, it should be really ended, that seems to be most logical and not start a new one with the old values.
I experienced this strange behaviour on Windows XP, Apache 1.3.26 with PHP 4.2.2 as SAPI. A friend of mine (after I told him) experienced the similar problem on Linux, with Apache 1.3.26 and PHP 4.2.3.
For the browsers it happened in all of them I tried (Mozilla, IE..).
I hope someone can shed a light onto this. Maybe I am doing something wrong? Or is it perhaps a bug? Or ..?
Thank you for your time!
Martijn
