Need help with my logout script

tomattomat

I have a problem with my logout script. Whenever, I logged out, i press 'back' on my browser, refresh it, and voila, the content of my member page can be viewed instead of a warning.

Here is my logout script. Thanks for taking a look at this, everyone.

<?php
session_start ();
require_once ('all_fns.php');

display_header ();
?>

</table>
</center>

<?php
$old_user = $HTTP_SESSION_VARS ['valid_user'];
// store to test if they were logged in

session_unset();
$result_dest= session_destroy ();

if (!empty ($old_user))
{
if ($result_dest)
{//if they are logged in and are now logged out
display_logout_statement ();
}
else
{//they were logged in and could not be logged out
echo ' Could not log you out.';
}
}

else
{
//if they weren't logged in but come to this page somehow
echo '<b><p align="center"> You are not logged in and so are not logged out.</p></b>';
}

RossC0

Is the page cached in the browser?

i.e. if you hit <ctrl> f5 - does it still display?

tomattomat

When i logged out and hit CTRL F5, my warning message appears.

However, if i pressed 'back' and refresh it (my member.php page), it shows the page where I am still logged in instead of showing an error message.

In normal logout situation, let's say for an email, once I logged out and press back, I won't be able to view the content of my email ;-0

RossC0

You'll need some cache headers at the top of your pages - to ensure they are not cached. ie:

<?php
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');
?>

Or you could go down the mvc road and go through a control file - which controls what is loaded and displayed to screen. i.e. Index.php?do=logout

Which checks the URL do variable and uses a switch to determine what to load output. You coud use this with the session to see if they are logged in...

tomattomat

Hi. This is my logout.php looks like. The problem is still there. I'm not sure if I should use the date () function instead of a definite date here.

<?php
session_start ();

header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');

require_once ('all_fns.php');

display_header ();
?>

The rest is unchanged as previously shown.

RossC0

Ok the problem isn't your logout page caching!

Its your other pages!
So you will need the headers in them - to ensure they aren't cached!

tomattomat

Hi, let me show you my member.php. I have included your header in it and so far it still has the same problem. Thanks for your patience.

<?php
session_start ();
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');

require_once ('all_fns.php');

$username = $HTTP_POST_VARS ['username'];
$passwd = $HTTP_POST_VARS ['passwd'];

display_header ();

</table>
</center>
   

<?php
if ($username && $passwd)
{

if (login ($username, $passwd))
{
// if they are in the database, register the ID.
$HTTP_SESSION_VARS ['valid_user'] = $username ; 
display_member ();
exit ();
}
else
{
//unsuccessful login
echo '<p align="center"> <b>You could not be logged in. You must be logged in to view this page.</b></p>';
display_login_form ();	
exit ();

}

}

display_notloggedout ();

?>
<br/> <br/>

</html>

RossC0

OK - no worries, its probably not the headers then! (sorry!).

When you click back do you get a popup about posted variables? What browser are you using to test it?

In your member script you are accessing the username and password from posted variables.

Then I take it you are checking against the database for the user using the username and password. Then you are creating a session variable - to let the user have access.

If you destroy the session variable and click back in the browser - you may be reposting the username and password - as if the user had posted the login form and reactive the login!

Does that sound like whats happening?

tomattomat

Hi. Sorry. I am not quite sure what's happening. But here is what I am aware of.

I logged in into member.php and then i click logout. The screen logout.php tells me that I've logged out succesfully. So far so good. But then, when i press 'back' on my browser, it would bring me to member.php page. I 'refresh' it and then member.php shows that I'm still logged in.

Normally, if you access your email or other session pages, when you press back and refresh, it would show that you cannot access the page. In this case, I can.

Hope it is clearer now.

tomattomat

Oh btw, i'm using internet explorer 5.0, i think

Rodders

You say that you log in then log out straight away, right ?

I think what's happening is that when you press 'back' the browser goes back to the previous page. When you press refresh, it doesn't just reload the URL, it actually refreshes based on various stuff in the HTTP headers I believe - including any variables POSTed from the login script.

Therefore, when you refresh it will automatically know your login information. If that's the case, you haven't really got a problem.

Here's one way to test it.

Login
Go to a different page on your site
Click on a link back to member.php - should still read logged in
Logout
Click 'back' button
Now refresh. My guess is that it won't login again

tomattomat

Well, when i did step 3, i can't access my member.php. It shows display_notloggedout () function.

Oh, this is frustrating. If anyone can have a simpler logout function that works, please let me know and share it with me please. My login only consists of login.php, member.php and logout.php.

Thanks 🙂

RossC0

ok - it is reposting the variables, when you refresh.

Just to clarify - what happens when you press back - with out the refresh ??

If it displays you are not logged in - then what you need to do is redirect the user to a new page using:

header("Location: http://www.example.com/");

Instead of just saying you are logged out.

This way when the press refresh - they refresh teh not logged in page.

tomattomat

Ok. I logged in, I am in the members page now. I logged out. So far so good.

When i pressed back, it will shows:

<< "Warning. Page has expired. The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.

To resubmit your information and view this Web page, click the Refresh button. ">>

When, i refreshed, It brings me to member.php of the page showing that I'm still logged in.

So, what should i do if what you said is true on your previous post?

thanks a lot for your patience