Hi. I have a logout page that supposedly destroys all session and sends the user to the login page.

I am using this as my logout code

<?
// logout.php - destroys session and returns to login form

// destroy all session variables
session_start();
session_destroy();

// redirect browser back to the index page. If the log out worked then the index page will kick them to the login.php page because there will be no session data.
header("Location: index.php");
?>

Now, when I run this page it does kick the user to the login.php page, which makes it appear as though the session data has been destroyed. However, when you hit the browser's back button, you go right back to the page you were at as though you are still logged in 😡 You can refresh the page and still stay logged in. Now, I know my checklogin.php page works correctly because if you try to navigate to any pages without having logged in it will kick you out as it is supposed to. But when I use the logout page you can navigate back to the other pages as though you are still logged in.

Any idea what's going on here?

Thanks!😃

    Well, you should destroy the session variables before destroying the session.

    session_start();
    $_SESSION = array();
    session_destroy();
    header("Location: index.php"); 

    Then just make sure you are checking for the variables on the other pages. If you hit back and it still comes up after that, it's most likely a cache. So if they try doing anything from there, it should error on them saying they aren't logged in.

      Hmm, that isn't working either.

      Here is my checklogin page and log out page.

      <?php
      // checklogin.php
      // checks to see if user is logged in
      session_start();
      if (!$_SESSION['SESSION_UNAMEMAIN']){
      	// if session check fails, invoke error handler
      	header("Location: Login.php");
      }else{
        header("Cache-Control: no-cache, must re-validate");
        header("Pragma: no-cache");
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
      }
      ?>

      Log out page

      <?
      // logout.php - destroys session and returns to login form
      
      // destroy all session variables
      session_start();
      $_SESSION = array(); 
      session_destroy();
      
      // redirect browser back to login page
      header("Location: index.php");
      ?>
      
      

        I've recently dealt with this problem. You want to ALWAYS start with session_start(). Then check to see if you have any variables that have been set...If they are, you unset them and destroy your session. Otherwise, nothing has been set, so do something, such as login to a page. Look the syntax over, and I hope this helps.

        Mike

        <?php

        // Start the session
        session_start();

        //Check to see if your session variables have been set

        if ( !isset($_SESSION['variable1']) AND !isset($_SESSION['variable2']) )
        {
        // If they're not set, redirect the user to do something, such as login
        header ("Location:login.htm");
        }

        // Otherwise, the variables are set, so you want to unset them
        else
        {

        // Unset the session variables
        unset($_SESSION['variable1']);
        unset($_SESSION['variable2']);

        // Once the variables are unset, you can safely destroy the session
        session_destroy();

        }

        ?>

          Unset isn't working either. I also changed the checklogin page to check to see if it is set.

          <?php
          // checklogin.php
          // checks to see if user is logged in
          session_start();
          if (!isset($_SESSION['SESSION_UNAMEMAIN'])){
          	// if session check fails, invoke error handler
          	header("Location: login.php");
          }else{
            header("Cache-Control: no-cache, must re-validate");
            header("Pragma: no-cache");
            header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
          }
          ?>
          
          <?
          // logout.php - destroys session and returns to login form
          // destroy all session variables
          session_start();
          unset($_SESSION['SESSION_UNAMEMAIN']);
          $_SESSION = array(); 
          session_destroy();
          
          // redirect browser back to login page
          header("Location: index.php");
          ?>
          

          Any idea? Thanks.

            Let's see....

            Logic goes as follows:

            1) Start the session

            2) If your session variables are not set, you will prompt the user to log-in, for this page can not be reached by manually typing the URL in the browser

            3) If your session variables ARE indeed set, unset them, and then destroy the session.


            <?php

            // Start the session
            session_start();

            // Check to see if the variables are set
            // If they are not, re-direct them to a login page
            if (!isset($_SESSION['SESSION_UNAMEMAIN']))
            {
            header ("Location: login.php");
            }

            // Otherwise, unset the variables, destroy the session, and then define your headers

            else
            {
            //Unset your variable
            unset($_SESSION['SESSION_UNAMEMAIN']);

            //Destroy the session
            session_destroy();

            // Define your headers
            // The directive is spelled "must-revalidate" (one hyphenated word)
            header("Cache-Control: no-cache, must-revalidate");
            header("Pragma: no-cache");
            header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

            }

            ?>

            It is always good to think of sessions in this way...If a session isn't set, do this....If a session is set, do that...

            Give this a shot, and let me know how you're doing...Also, a tutorial you might want to read up on if you're having trouble...

            www.phpfreaks.com/tutorials/41/0.php

            Mike

              Isn't that what I am doing? If you look at my code posted above, you can see that I am using "Unset" and "Isset" properly. I am also erasing the SESSION array and using session_destroy.

              I am not sure what other way I can attempt to dispose of this session variable. However, even with all of that the page still loads when it shouldn't.😕
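
Added example, not code from any poster in this thread: a login check and logout in PHP that expire the session cookie, stop execution after each redirect, and send `no-store` so the browser's Back button cannot redisplay a stored copy of a protected page. The function names `require_login()` and `logout()` and the `?action=logout` routing are assumptions made for the illustration; `SESSION_UNAMEMAIN` and `login.php` come from the posts above.

```php
<?php
// Added example (hypothetical helper names), not the thread's own code.

// Call at the top of every protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // no-store tells the browser not to keep a copy at all, so Back has
    // nothing to redisplay once the session is gone.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');

    if (empty($_SESSION['SESSION_UNAMEMAIN'])) {
        header('Location: login.php');
        exit; // without exit, the rest of the protected page still executes
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = []; // clear the data held in this request

    // Expire the session cookie in the browser as well as on the server.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session data

    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Location: login.php');
    exit;
}

// Constructed demo routing: ?action=logout logs out, anything else is a protected page.
if (($_GET['action'] ?? '') === 'logout') {
    logout();
}
require_login();
echo 'Protected content for ' . htmlspecialchars($_SESSION['SESSION_UNAMEMAIN']);
```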
