Maybe I'm using the wrong method but I need to destroy all session related data when the user closes or navigates away from my page. I have session_destroy(); at the end of my script but when I close the browser and go back, it remembers my session data and logs me into the secured area.

session_start(); is called in an included header file and session_destroy(); is called in an included footer file. The login process sets the 2 session variables as follows:

if(strtolower($username) === strtolower($mgr['username']) && $password === $mgr['password']){
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("Location: admin.php");
}else{
    echo "Invalid username and/or password.<br />Click <a class='adminLink' href='javascript:history.go(-1);'>here</a> to login in.";
}

    Try doing a $_SESSION = array(); too, in order to clear it so that its current data does not get written back to the session data file when the script terminates. You could also expire the session cookie. See the Example #1 on the [man]session_destroy[/man] page for a suggested way to terminate a session.

      Thanks Nog! The manual page for $_SESSION was the first place I looked. I tried setting the entire array to an empty array but that didn't work. I tried adding the cookie expiration but I was confused about why it called the $_COOKIE(session_name)). I didn't name my session. What do I replace that with?

        The session processing sets a cookie with a name which is a generated pseudo-random session ID when the session is first created. So in that example you are manually setting the cookie's expiration time by using the session_name() function to get the applicable session name.

        You should therefore be able to pretty much just copy and paste that example directly into your code, as it automatically determines the session name. Remember that none of this will have any effect, though, unless you first do a session_start();

          Didn't work. Any other ideas?

            Got it. I f'd up on the way I check for the sessions. I used them to define a class but was checking for them all wrong. I corrected that so the session data emptied correctly on page close; I just wasn't using my definition right.
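The sequence discussed in this thread (empty `$_SESSION`, expire the session cookie, then call `session_destroy()`), written out as an added example that is not code from any poster. The function name `end_session()` is hypothetical, and PHP 7.3 or later is assumed for the array form of `setcookie()`.

```php
<?php
declare(strict_types=1);

/**
 * Added example: fully terminate the current PHP session.
 * end_session() is a hypothetical helper name, not a PHP built-in.
 * Returns true when the browser cookie could also be expired.
 */
function end_session(): bool
{
    // The session must be active before its data can be cleared or destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the in-memory array so no old values are written back
    //    to the session store when the script terminates.
    $_SESSION = [];

    // 2. Expire the cookie that carries the session ID. Its name comes from
    //    session_name() (PHPSESSID unless configured otherwise). This only
    //    works before any output: a call made from a footer include, after
    //    the page body has been sent, cannot change the cookie.
    $cookieExpired = false;
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        $cookieExpired = setcookie(session_name(), '', [
            'expires'  => time() - 42000,          // any time in the past
            'path'     => $p['path'],              // must match the original
            'domain'   => $p['domain'],            // cookie or the browser
            'secure'   => $p['secure'],            // keeps the old one
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax', // assumed default if unset
        ]);
    }

    // 3. Remove the server-side session data for this session ID.
    session_destroy();

    return $cookieExpired;
}
```

Call it from a dedicated logout script before any output is sent, then redirect. A `false` return means the server-side data was destroyed but the browser still holds the old session cookie.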
