I have a study logout.php file which works fantastically, the issue I am faced with however is putting the script into a new 'intranet style' administrative site which uses 4 frames within a frameset (header, left, center, right).
There are two requirements I need to meet which I am having a very difficult time finding a solution to (yes I know frames suck for today's consumer sites but to reiterate, this is for an internal system administration panel with widgets everywhere).
When a user clicks the 'logout' button in the top frame, the ENTIRE page is directed to logout.php which then redirects to a single page "home.php". As of now, hitting logout only takes that particular frame to my desired destination.
When a user logs in, a SESSION variables is created and set to true; if pages are visited without SESSION[validated]= true, the user is logged out. Similarly to above, IF this happens, I need the ENTIRE frameset directed to logout.php.
I am trying to achieve this without javascript (as this can obviously simply be disabled and JS is not a true measure for security).
Anybody ever dealt with this issue in the past?
Is the logout button a link? If so, can't you use target="_parent" to make it change the page with the frameset?
Edit
Re #2: If the session is timed out, you could make an intermediary page with a link that uses target=_parent and the JavaScript below, both of which would break out of the frame.
<script type="text/javascript">
if (top.location != self.location) top.location = 'login.php'
</script>This is good because if they have JavaScript enabled, they won't even notice and if they don't, they still will break out of the frames.
Solution to part 1:
Make a logout button like this:
<a href="/logout.php" target="_top">logout</a>
Then make logout.php do all the hard work for logging out (probably just clearing the session), and then redirects the user to the proper frameset (use PHP's header command for redirecting).
Solution to part 2:
This should not randomly happen. If you login, your session is set to validated = true. You do not "encounter" a page where your sessions happens to be otherwise.
However, you could include a PHP file (or if you have been smart enough to do so, make this happen in your single point of entry) to redirect to a logout page if your session is somehow invalidated. See 1 above.