PHP Classes

Logout failure

Subject: Logout failure
Summary: Still able to access secure pages after logout.
Messages: 4
Author: Adam Liberman
Date: 2005-09-05 20:11:51
Update: 2005-09-05 22:32:04
 

1. Logout failure
Adam Liberman - 2005-09-05 20:11:51
Hi,

I was experiencing exactly the same problem described in an earlier post:
After logging out, the script directs me as intended back to the login page. However, if I type in the URL of a secure page in the browser, it opens and says that I am still logged in.

I looked at the cookie manager in Firefox (but the same problem was happening in IE6.0) and discovered that the session cookie was not getting deleted.

Further investigation at php.net solved the problem: If you have register_globals enabled, and PHP is < 4.3, the log_out function code has to be changed as follows to work:

from:
unset($_SESSION['user']);
unset($_SESSION['pw']);

to:
session_unregister('user');
session_unregister('pw');

Just a suggestion that you might comment this in the code, or else add automatic detection for register_globals and PHP version to execute the alternate code.

Thanks,
Adam

2. Re: Logout failure
Olaf Lederer - 2005-09-05 21:10:37 - In reply to message 1 from Adam Liberman
Hello,

I know that someone posted other things on the same thread, but did you read all posts in this thread? A user error was the source of the problem...

About session_unregister()

from the manual:

If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use unset() to unregister a session variable. Do not unset() $_SESSION itself as this will disable the special function of the $_SESSION superglobal.


It works for me on several locations and for a lot of users (more than 10000 downloads in the last 9 months).

The cookie is only removed if you close the browser, that's normal.

3. Re: Logout failure
Adam Liberman - 2005-09-05 22:21:45 - In reply to message 2 from Olaf Lederer
Hi,

Thanks for the quick response!

I read the other entire thread, and I think the cause of that person's problem was different.

At any rate, here's what the PHP manual says (http://www.php.net/manual/en/ref.session.php), and after making only this change the problem was immediately solved.

Example 2. Unregistering a variable with $_SESSION and register_globals disabled.
<?php
session_start();
// Use $HTTP_SESSION_VARS with PHP 4.0.6 or less
unset($_SESSION['count']);
?>

Example 3. Unregistering a variable with register_globals enabled, after registering it using $_SESSION.
<?php
session_start();
// With PHP 4.3 and later, you can also simply use the prior example.
session_unregister('count');
?>

Thanks,
Adam

4. Re: Logout failure
Olaf Lederer - 2005-09-05 22:32:04 - In reply to message 3 from Adam Liberman
???

Hmm, I use the class as it is on different servers with register_globals on and/or off, this can't be the problem, maybe some session settings (php.ini)?
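
Added example (not part of the thread or of the Access user class): one way to implement the automatic detection suggested in message 1, using the session keys 'user' and 'pw' quoted there. The function names are hypothetical, and the cookie expiry and session_destroy() steps go beyond the fix discussed above so that the session ID stops working at logout instead of when the browser closes.

```php
<?php
// Added example: hypothetical helpers, not code from the Access user class.

// True only for the case described in message 1:
// register_globals enabled AND PHP older than 4.3.
function needs_session_unregister()
{
    // ini_get() returns a string ("1", "On", "", ...) or false if the
    // directive no longer exists, so normalise before comparing.
    $rg = strtolower((string) ini_get('register_globals'));
    $enabled = in_array($rg, array('1', 'on', 'yes', 'true'));

    return $enabled
        && version_compare(PHP_VERSION, '4.3.0', '<')
        && function_exists('session_unregister');
}

function clear_session_var($name)
{
    if (needs_session_unregister()) {
        session_unregister($name);
    }
    // Clear the superglobal entry too; harmless if it is already gone.
    unset($_SESSION[$name]);
}

function log_out_completely()
{
    if (session_id() === '') {
        session_start();
    }

    clear_session_var('user');
    clear_session_var('pw');

    // Expire the session cookie now instead of waiting for browser close.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure']);
    }

    // Delete the server-side session data so a retained cookie value
    // no longer maps to a logged-in session.
    session_destroy();
}
?>
```

log_out_completely() must run before any output is sent, because setcookie() needs to emit a header.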