Sessions

**xtiano77** · 03-29-2009, 05:51 PM

I am trying to set up a page using "sessions", but after I logout of the site, I click the back button and it still lets me into the previous pages although the logout page was supposed to unset the $_SESSION["variable"]. Below is an example of the code I am using:

*****************************************************************

Confirmation after login page:

[CODE]
$username = trim($_POST["username"]);
$password = trim($_POST["$password"]);

$db = mysql_connect("....",".....","...");
$selected_db = mysql_select_db("...",$db);
$recordset = mysql_query("SELECT * FROM tablename WHERE user = '".$username."' AND password = '".sha1($password)."'",$db);
$rows = mysql_num_rows($recordset);

if($rows > 0){
session_cache_expire(10);
session_start( );
require("filename.php");
$page = new pageclass( );
$page -> function1( );
$page -> function2( );
$page -> function3( );
}

Subsequent pages:

if($_SESSION["username"]){
session_cache_expire(10);
session_start( );
//code... ... ...
//code... ... ...
}

Logout page:

session_cache_expire(0);
session_unset($_SESSION["username"]);
//code ... ... ...
//code ... ... ...
[CODE]

*****************************************************************

Would it work better if I establish a $_SESSION variable for the password as well and perform a database authentication on each page that is loaded? Is this how sessions are meant to be used? As always, thanks in advance for your help.

**Schmoopy** · 03-29-2009, 07:58 PM

You should look more into sessions on php.net.

The session_unset() as a function does not accept any parameters so you just use it as it is:

PHP Code:


session_unset();

Putting a variable as one of the arguments will still clear all others:

PHP Code:


session_unset($variable);

It unsets all variables so you don't need to specify a single variable.

There is more information on this on the page linked above, but if you really want to clear the sessions cache here is the code to be 100% sure:

PHP Code:


session_unset();
session_destroy();
$_SESSION = array();

In firefox, session_unset works, but in IE for example the session data is still there, session_destroy() in itself is better for what you want but try using the code above and see if that solves your problem.

Make sure you look at the php.net manual too, it's a great resource for problems like this

**JasonDFR** · 03-29-2009, 08:04 PM

After pressing the back button to see the protected content you think you have logged out of, press the refresh button. After pressing refresh, do you still have access to the protected content?

I think you should also be calling session_destroy() and expriring the session cookie:

PHP Code:


session_destroy();

setcookie("PHPSESSID","",time()-3600,"/");

**the moose** · 03-29-2009, 09:47 PM

remember that sessions are not 100% stable (out of the box!) switching between http and https...

**xtiano77** · 03-30-2009, 12:31 AM

I tried placing the first and second sections of code, but I still able to view the pages after clicking on the back button. I also tried the refresh button, but it still showed me the pages. Npw, as far as the SSL, I don't know and I am not using SSL, but I am going to take a short tutorial in a little bit. I know that is a little bit not to sound stupid, but do I need SSL in order to use sessions? Would it be better/more efficient to verify the $_SESSION["variable"] against the database on each page?

[CODE]
session_cache_expire(10);
session_start();
if($_SESSION["verification"] == $_SESSION["password"]){
$supplements = new pageclass();
$supplements -> externalscript = "../scripts/default";
$supplements -> localscript = "";
$supplements -> stylesheet = "../css/default";
$supplements -> pagetitle = $supplements -> pageheader = "Nutritional Supplements";
$supplements -> contents = underconstruction();
$supplements -> displayhtml();
}else{
session_unset();
session_destroy();
$_SESSION = array();
redirect("../deniedlogin.php");
}
[CODE]

[CODE]
if($_SESSION["verification"] == $_SESSION["password"]){
session_cache_expire(10);
session_start();
$supplements = new pageclass();
$supplements -> externalscript = "../scripts/default";
$supplements -> localscript = "";
$supplements -> stylesheet = "../css/default";
$supplements -> pagetitle = $supplements -> pageheader = "Nutritional Supplements";
$supplements -> contents = underconstruction();
$supplements -> displayhtml();
}else{
session_unset();
session_destroy();
$_SESSION = array();
redirect("../deniedlogin.php");
}
[CODE]

**JasonDFR** · 03-30-2009, 06:54 AM

You do not need SSL to use sessions.

Use the code below to "logout." When you use the back button after logging out, you should not have access any longer.

PHP Code:


session_start();

$_SESSION = array(); // or just unset the session variable you are using to control access unset($_SESSION['username']);

session_destroy();
setcookie("PHPSESSID","",time()-3600,"/");

NOTE!! This is very important. Whenever testing code that uses cookies or sessoins, always "Clear Private Data" from your browser in between testing different code. In Firefox it is under TOOLS, Clear Private Data.

To answer your question about querying your db on every page visit, no, you don't have to do this. Once you have authenticated a user and set a session variable to identify them, you can just test for the presence of this session variable when deciding to allow or disallow access to certain pages.

Also, I really don't understand what session_unset() does. PHP.net says "The session_unset() function frees all session variables currently registered. " I don't know what they mean by "frees."

**gurmeet** · 03-30-2009, 09:39 AM

use the following statement:

if(session_is_regisered['sessionVariable'])
{

Satements;
}

session_destroy();

for better

**Schmoopy** · 03-30-2009, 01:24 PM

session_is_registered, along with other functions that use register such as:

session_register
session_unregister

Are all deprecated

It says on the site not to use them as they have been replaced with other functions, these functions are being removed by the time PHP 6.0 comes out.