views:

78

answers:

6

I'm a beginner in PHP, and I am trying to create a login and logout. But I am having problems with logging out. My logout just calls the login form, which is this:

<?php
session_start();
session_destroy();
?>
<!-- the form now wraps the whole table; a <form> directly inside a <tr> is invalid HTML -->
<form name="form1" method="post" action="checklogin.php">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<!-- type="password" so the password is not echoed on screen -->
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>

My problem is, when I press the back button in the browser, whoever is using it can still access what is not supposed to be accessible when a user hasn't logged in. Do I need to add code on the user page? I have this code on the user page:

<?php
session_start();
// the variable name must be a quoted string, not a bare constant
if(!session_is_registered('myusername')){
header("Location: main_login.php");
exit; // stop here so the protected content below is never sent
}
?>

What can you recommend that I do so that a script will prompt for the username and password again when a user clicks on the back button?

A: 

Unset the variable "myusername" using session_unset()

OM The Eternity
A: 

There are actually two problems... one is that the page may be cached in the browser; the second is that the page may be cached on the server. The more likely one is actually the first. The best way is to have Pragma: no-cache in the head section of the page (IIRC, you need two statements: one for HTTP 1.0 and one for HTTP 1.1, and they require different statements). You need to put it on the pages that are only available to logged-in users (or at least the most sensitive ones). This will cause the browser to go back to the server.

The other is server caching, which is actually less likely - you would probably know if you or, say, Zend Optimizer did some caching. For this you can use session_unset or session_is_registered. But try Pragma first.

Felix
A: 

Some browsers also persist the webpage so that when you click the back button it "loads" immediately. Have you tried any other browsers?

Ballsacian1
A: 

Page 1: on login, create a session variable for the user

Like: session_start(); $_SESSION['user']=$userId;

Page 2: on logout, unset this session variable as well

session_unregister('user'); OR unset($_SESSION['user']);

Page 3: on the remaining pages where you want only logged-in users, use this type of check

if(!isset($_SESSION['user'])) { header("Location: loginPage.php"); exit(); }

nik
+3  A: 

Another little tidbit of information from php.net: session_destroy()

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

espais
A: 

You've destroyed the session but are using a deprecated function, session_is_registered(), to check whether the user is still authorised. As you can see here, you should not be using this any more.

Instead when the user is authorized on the login page, set $_SESSION['user'] = true. You could also set it to some data about that user. For example, I like to register as much information about the user as possible to prevent querying the database a large number of times in the future.

Then this variable will be unset when you use session_destroy in your logout script. This means that in order to protect a page from a logged out user, you just need to include the following:

if(!isset($_SESSION['user'])) { header("Location: main_login.php"); exit; }

You should also protect your login page from logged in users so that they cannot login, whilst already being logged in:

if(isset($_SESSION['user']) && ($_GET['action'] ?? '') !== 'logout') { header("Location: index.php"); exit; }

This assumes you are using a query string on your login page to determine whether the user is trying to log in or log out. If a logged-in visitor wants to log out, they will have login.php?action=logout in their URL and so will be allowed to log out. If not, they will be prevented from accessing the login page, as they have already logged in, and be sent straight to index.php (or wherever your protected section is).

If your login page is separate from your logout page, you don't need the $_GET condition at all.

Rupert
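The points raised above fit together into two small pieces: a logout that also deletes the session cookie (espais's quote from php.net) and a protected-page check that sends no-cache headers and stops after the redirect (Felix's and Rupert's answers). The following is an added example, not code from the question or any of the answers; the file names logout.php and user.php and the function names are assumptions.

```php
<?php
// logout.php (assumed name): tear the session down completely, then redirect.
function logout_and_redirect(string $login_url): void
{
    session_start();

    // 1. Drop the session data held for this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. session_destroy() does not
    //    do this, so the browser would otherwise keep sending the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session record.
    session_destroy();

    // 4. Redirect and stop; anything after header() would still be sent.
    header('Location: ' . $login_url);
    exit;
}

// user.php (assumed name): run this before printing any protected content.
function require_login(string $login_url): void
{
    session_start();

    // Ask the browser and any proxy not to keep a copy of this page, so the
    // back button re-requests it from the server instead of showing a cached
    // copy after logout. Both HTTP/1.0 (Pragma) and HTTP/1.1 (Cache-Control)
    // forms are sent.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    // $_SESSION['user'] is assumed to be set by checklogin.php on success.
    if (!isset($_SESSION['user'])) {
        header('Location: ' . $login_url);
        exit; // without exit the protected page would still be rendered
    }
}
```

With this in place, pressing back after logout makes the browser re-fetch user.php, which finds no session and redirects to the login form.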