Login problem

4ebura6ka

Hello,

I've created a login script:

index.php

<?
   session_start();   

   if (!isset($_SESSION['username']))
   {
     $username = trim($_POST["username"]);
     $userpass = trim($_POST["userpass"]);
     $submit = trim($_POST["submit"]);

 if ((!empty($submit)) && (!empty($username)) && (!empty($userpass))
 {
    if (($username == "admin")  && ($userpass == "admin"))
    {
       $_SESSION['username'] = $username;
       echo <<<END
         <script>
           location.href="index.php?action=main";
         </script>
END;
        }
        else
        {
           echo <<<END
             <html>
             <body>
             <form action="index.php" method=POST>
               <input type="text" name="userpass" value="$userpass">
               <input type="password" name="userpass">
               <input type="submit" name="submit">
             </form>
             </body>
             </html>
END;
        }
     }
   }
   else
   {
      $action = trim($_POST["action"]);

  if ($action == "main")
  {
    echo "Secured Page <a href=\"index.php?action=logout\">Logout</a>";
  }
  elseif ($action == "logout")
  {
     $_SESSION['username'] = array();
     session_unset(); 
     session_destroy();
     echo <<<END
         <script>
           location.href="index.php";
         </script>
END;
      }   

   }
?>

The problem rise when I logout. The script returns me to the login form. I press "Back" button in IE. Browser asks me if I would like to refresh page. If Yes, then it shows me "Secured page". I don't know what to do...

I've tried:
1) To experiment with header:
html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="no-cache">
<meta http-equiv="Expires">
<meta http-equiv="Cache-Control" content="no-cache">
2) Disable cookies, but then doesn't work IE;

Help me, please...

Ceril

Hmm,

Try this one:
$_SESSION=array();
session_destroy();
header("location: index.php");
die("<script>\nlocation.href=\"index.php\";\n</script>\n");

instead off:
$_SESSION['username'] = array();
session_unset();

session_destroy();

4ebura6ka

I think that the problem in IE. Because it wrote:

The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

To resubmit your information and view this Web page, click the Refresh button.

When I click Refresh, it takes the values were submited. Parameters are equal, that is why it creates session...

Ceril

Yes, clicking refresh may have that effect depending on structure :-)

leatherback

Hi,

After you unset your session variables, set a session variable "time" with the log-out time. In your login for you can add a hidden variable "time" which you can then compare against the logout time. If the data from the form were generated befoer the logout, you do not allow a new login