Yes, I believe that occurs especially when they 'logout' from your website and you don't destroy the session.
So in your code you'd do something like this:
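if ($logoff_button) {
    // session_start() must already have been called on this request
    session_destroy();
    // a redirect needs the "Location: " prefix to be a valid header
    header("Location: http://www.domain.com/main.php");
    exit; // stop the script so nothing else runs after the redirect
}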
That way, even if they do go back using the browser's back button and hit refresh, they don't have a session, and your page should prompt the user with a login screen or similar page.
What I did was create a session called 'logged_in', and it's checked throughout the 'member' pages. When the user logs off my site, that session is destroyed, so the session doesn't exist. So if the user tries to go back, they can't.
In my code I have:
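// empty() also covers the key being absent after the session was destroyed
if (empty($_SESSION['logged_in'])) {
    header("Location: http://www.domain.com/login.php");
    exit; // without this the rest of the member page still executes
}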
HTH.
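The logout and member-page check described in the post above, written out as an added example that is not the poster's code. The function names `require_login()` and `logout()` and the relative paths `/login.php` and `/main.php` are assumptions made for illustration; it also sends no-store cache headers so the back button re-requests the page and hits the check.

```php
<?php
// Added example. Hypothetical names: require_login(), logout(),
// and the /login.php and /main.php paths.

// Call at the very top of every 'member' page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Tell the browser not to store the page, so Back/refresh after
    // logout re-requests it and reaches the check below.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');

    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.php');
        exit; // header() alone does not stop the script
    }
}

// Call from the logout handler, e.g. when the log-off form is POSTed.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // session_destroy() needs an active session
    }
    $_SESSION = []; // clear the data for the rest of this request

    // Expire the session cookie in the browser as well.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy(); // remove the server-side session data
    header('Location: /main.php');
    exit;
}

// After a successful password check (login code not shown):
//   session_regenerate_id(true);   // new id for the authenticated session
//   $_SESSION['logged_in'] = true;
```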