
Thread: Sessions

  1. #1
    Join Date: Sep 2008 | Location: Midland, Texas | Posts: 52 | Thanks: 16 | Thanked 0 Times in 0 Posts

    Sessions

    I am trying to set up a page using "sessions", but after I logout of the site, I click the back button and it still lets me into the previous pages although the logout page was supposed to unset the $_SESSION["variable"]. Below is an example of the code I am using:

    *****************************************************************

    Confirmation after login page:

    [CODE]
    $username = trim($_POST["username"]);
    $password = trim($_POST["password"]);

    $db = mysql_connect("....",".....","...");
    $selected_db = mysql_select_db("...",$db);
    // escape the user-supplied name before it is concatenated into the query
    $username_sql = mysql_real_escape_string($username, $db);
    $recordset = mysql_query("SELECT * FROM tablename WHERE user = '".$username_sql."' AND password = '".sha1($password)."'",$db);
    $rows = mysql_num_rows($recordset);

    if($rows > 0){
    session_cache_expire(10);
    session_start( );
    require("filename.php");
    $page = new pageclass( );
    $page -> function1( );
    $page -> function2( );
    $page -> function3( );
    }
    [/CODE]

    Subsequent pages:

    [CODE]
    // $_SESSION is read here before session_start() has been called on this page
    if($_SESSION["username"]){
    session_cache_expire(10);
    session_start( );
    //code... ... ...
    //code... ... ...
    }
    [/CODE]

    Logout page:

    [CODE]
    session_cache_expire(0);
    session_unset($_SESSION["username"]);
    //code ... ... ...
    //code ... ... ...
    [/CODE]

    *****************************************************************

    Would it work better if I establish a $_SESSION variable for the password as well and perform a database authentication on each page that is loaded? Is this how sessions are meant to be used? As always, thanks in advance for your help.
    Last edited by xtiano77; 04-01-2009 at 02:40 AM.

  2. #2
    Join Date: Sep 2008 | Location: Bristol - UK | Posts: 842 | Thanks: 32 | Thanked 132 Times in 131 Posts

    You should look more into sessions on php.net.

    The session_unset() as a function does not accept any parameters so you just use it as it is:

    PHP Code:
    session_unset(); 
    Putting a variable as one of the arguments will still clear all others:
    PHP Code:
    session_unset($variable); 
    It unsets all variables so you don't need to specify a single variable.

    There is more information on this on the page linked above, but if you really want to clear the sessions cache here is the code to be 100% sure:

    PHP Code:
    session_unset();
    session_destroy();
    $_SESSION = array(); 
    In firefox, session_unset works, but in IE for example the session data is still there, session_destroy() in itself is better for what you want but try using the code above and see if that solves your problem.

    Make sure you look at the php.net manual too, it's a great resource for problems like this

  3. #3
    Join Date: Apr 2008 | Location: Limoges, France | Posts: 395 | Thanks: 13 | Thanked 61 Times in 61 Posts

    After pressing the back button to see the protected content you think you have logged out of, press the refresh button. After pressing refresh, do you still have access to the protected content?

    I think you should also be calling session_destroy() and expiring the session cookie:

    PHP Code:
    session_destroy();
    setcookie("PHPSESSID","",time()-3600,"/"); 

  4. #4
    Join Date: Mar 2009 | Posts: 7 | Thanks: 0 | Thanked 0 Times in 0 Posts

    remember that sessions are not 100% stable (out of the box!) switching between http and https...

  5. #5
    Join Date: Sep 2008 | Location: Midland, Texas | Posts: 52 | Thanks: 16 | Thanked 0 Times in 0 Posts

    I tried placing the first and second sections of code, but I am still able to view the pages after clicking on the back button. I also tried the refresh button, but it still showed me the pages. Now, as far as the SSL, I don't know and I am not using SSL, but I am going to take a short tutorial in a little bit. I know that is a little bit not to sound stupid, but do I need SSL in order to use sessions? Would it be better/more efficient to verify the $_SESSION["variable"] against the database on each page?

    [CODE]
    session_cache_expire(10);
    session_start();
    // if neither key has been set, null == null is true and access is granted
    if($_SESSION["verification"] == $_SESSION["password"]){
    $supplements = new pageclass();
    $supplements -> externalscript = "../scripts/default";
    $supplements -> localscript = "";
    $supplements -> stylesheet = "../css/default";
    $supplements -> pagetitle = $supplements -> pageheader = "Nutritional Supplements";
    $supplements -> contents = underconstruction();
    $supplements -> displayhtml();
    }else{
    session_unset();
    session_destroy();
    $_SESSION = array();
    redirect("../deniedlogin.php");
    }
    [/CODE]

    [CODE]
    // $_SESSION is compared before session_start() runs, so both sides are still unset here
    if($_SESSION["verification"] == $_SESSION["password"]){
    session_cache_expire(10);
    session_start();
    $supplements = new pageclass();
    $supplements -> externalscript = "../scripts/default";
    $supplements -> localscript = "";
    $supplements -> stylesheet = "../css/default";
    $supplements -> pagetitle = $supplements -> pageheader = "Nutritional Supplements";
    $supplements -> contents = underconstruction();
    $supplements -> displayhtml();
    }else{
    session_unset();
    session_destroy();
    $_SESSION = array();
    redirect("../deniedlogin.php");
    }
    [/CODE]
    Last edited by xtiano77; 03-30-2009 at 01:07 AM.

  6. #6
    Join Date: Apr 2008 | Location: Limoges, France | Posts: 395 | Thanks: 13 | Thanked 61 Times in 61 Posts

    You do not need SSL to use sessions.

    Use the code below to "logout." When you use the back button after logging out, you should not have access any longer.

    PHP Code:
    session_start();

    $_SESSION = array(); // or just unset the session variable you are using to control access unset($_SESSION['username']);

    session_destroy();
    setcookie("PHPSESSID","",time()-3600,"/"); 
    NOTE!! This is very important. Whenever testing code that uses cookies or sessions, always "Clear Private Data" from your browser in between testing different code. In Firefox it is under TOOLS, Clear Private Data.

    To answer your question about querying your db on every page visit, no, you don't have to do this. Once you have authenticated a user and set a session variable to identify them, you can just test for the presence of this session variable when deciding to allow or disallow access to certain pages.

    Also, I really don't understand what session_unset() does. PHP.net says "The session_unset() function frees all session variables currently registered. " I don't know what they mean by "frees."

  7. #7
    Join Date: Feb 2009 | Posts: 156 | Thanks: 0 | Thanked 4 Times in 3 Posts

    use the following statement:

    if(session_is_registered('sessionVariable'))
    {
        // statements
    }

    session_destroy();

    for better

  8. #8
    Join Date: Sep 2008 | Location: Bristol - UK | Posts: 842 | Thanks: 32 | Thanked 132 Times in 131 Posts

    session_is_registered, along with the other functions that use "register", such as:

    session_register
    session_unregister

    are all deprecated.

    It says on the site not to use them as they have been replaced with other functions, these functions are being removed by the time PHP 6.0 comes out.

  9. #9
    Join Date: Sep 2008 | Location: Midland, Texas | Posts: 52 | Thanks: 16 | Thanked 0 Times in 0 Posts

    JasonDFR,

    Do I have to set the cookie myself or does session_start( ) automatically create it for me?

  10. #10
    Join Date: Apr 2008 | Location: Limoges, France | Posts: 395 | Thanks: 13 | Thanked 61 Times in 61 Posts

    session_start() creates the cookie. You only need to make it expire.
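One way to put the advice from posts #6 and #10 together (call session_start() before reading $_SESSION, clear and destroy the session, expire the cookie that session_start() created), plus the cache headers that stop the back button from showing a stale copy of a protected page. This is an added example, not code from the thread; the include name, the function names and the redirect target are assumptions.

```php
<?php
// Added example, not code from the thread: one include (assumed name auth.php) that
// every protected page requires. Function names and the login URL are assumptions.
function auth_session_start()
{
    // session_start() has to run before $_SESSION is read on every page;
    // checking $_SESSION first (as in the thread's code) always sees an empty array.
    if (session_id() === '') {
        session_set_cookie_params(0, '/', '', false, true); // HttpOnly session cookie
        session_start();
    }
}

// Call once after the database has verified the credentials.
function auth_login($user_id)
{
    auth_session_start();
    session_regenerate_id(true);           // new id, so a pre-login id is never reused
    $_SESSION['user_id'] = (int) $user_id; // store an identifier, never the password
}

// Gate for protected pages: returns true, or redirects and stops the script.
function auth_require($login_url = 'deniedlogin.php')
{
    auth_session_start();
    // The back button usually shows a cached copy without a new request, so the
    // session check never runs; no-store forces the browser to ask the server again.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url);
        exit;
    }
    return true;
}

// Logout: clear the data, expire the cookie under whatever name the session
// actually uses (not a hardcoded PHPSESSID), then destroy the server-side record.
function auth_logout()
{
    auth_session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

A protected page then needs only `require 'auth.php'; auth_require();` at the top, before any output, and the logout page calls `auth_logout()` and redirects.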
