I am having trouble with session_destroy().
When the user presses Log out, it has to destroy the session. I wrote the following code:
Logout.php
<?php
session_start();
session_destroy();
header("location: LoginViewController.php");
?>
After pressing log out, when I press the browser back button it shows my previous logged-in user page and the session username on the Login.php page.
Login.php
<?php
session_start();
$_SESSION['user']= $_GET['username'];
echo '"<div style="background:white; text-align:right"> Login as:'.$_SESSION['user'].'</div>"';
echo '<a href="Logout.php" style="text-align:right">Logout</a>';
LoginViewController.php
<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
$Username = $_POST['uname'];
$Password = $_POST['pwd'];
$User_Type=$_POST['type'];
If (!(empty($Username) && empty($Password) && empty($User_Type))){
$model = new UsersModel();
$rowsCount = $model->checkUser($Username,$Password,$User_Type);
if ($rowsCount!=0){
header("location:login.php?username=".$_POST['uname']."");
} else {
echo '<script type="text/javascript">alert("Enter username and password correctly");
window.location.href="LoginViewController.php";</script>';
}
}
I don't know why it is working like that.
Please help me find out where I made a mistake.
I want to disable the browser back button after logout.
login.php page :
<?php
session_start(); // required before $_SESSION can be read or written
if (isset($_POST['uname'], $_POST['pwd'], $_POST['type'])) {
    $Username  = $_POST['uname'];
    $Password  = $_POST['pwd'];
    $User_Type = $_POST['type'];
    if (!(empty($Username) || empty($Password) || empty($User_Type)))
    {
        $model = new UsersModel();
        $rowsCount = $model->checkUser($Username, $Password, $User_Type);
        if ($rowsCount != 0)
        {
            // only the server-side check decides who is logged in
            $_SESSION['user'] = $Username;
            header("Location: LoginViewController.php");
            exit(); // stop here, otherwise the form below is still sent
        } else {
            echo 'Bad user';
        }
    } else {
        echo 'Please, fill all inputs';
    }
} else {
    echo 'Bad form sent';
}
?>
<form name="f1" method="POST" action="" >
// inputs
</form>
LoginViewController.php :
<?php
// headers must be sent before any output
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
session_start(); // without this $_SESSION is always empty and every visitor is redirected
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}
echo 'You have successfully logged in as ' . $_SESSION['user'];
?>
And add the headers to force the browser to revalidate the pages:
logout.php :
<?php
session_start();
$_SESSION = array();   // clear the data first, while the session is still open
setcookie(session_name(), '', time() - 42000, '/'); // expire the session cookie in the browser
session_destroy();     // then remove the server-side record
header("location: login.php");
exit(); // nothing after a redirect should run
?>
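The login and logout lifecycle described in the answer above, written out as an added example (this is not code from the question or from any of the answers). It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(), a hypothetical include file named session_auth.php, and that the username is stored in the session only after the credential check has succeeded, never copied from the query string. Regenerating the session id at login and expiring the cookie at logout are the two steps the answers leave out.

```php
<?php
// session_auth.php (hypothetical file name): login/logout lifecycle helpers.
// Added example; not code from the question or the answers on this page.

declare(strict_types=1);

// Start the session with cookie flags that keep the id out of JavaScript
// and off plain-HTTP connections. Call this before any output.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                          // browser-session cookie
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),  // assumes HTTPS in production
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the credential check (e.g. UsersModel::checkUser) succeeded.
// Regenerating the id discards whatever id the browser held before login,
// so a session fixed by an attacker beforehand is never promoted to logged-in.
function login_user(string $username): void
{
    secure_session_start();
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
}

// Full teardown: clear the data, expire the cookie in the browser, destroy
// the server-side record, then redirect with no-store headers and exit so
// nothing after the redirect is executed.
function logout_user(string $redirect_to): void
{
    secure_session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Location: ' . $redirect_to, true, 303);
    exit();
}

// Usage in the page's Logout.php (assumed wiring):
//   require 'session_auth.php';
//   logout_user('login.php');
//
// Usage in login.php after $rowsCount != 0 (assumed wiring):
//   require 'session_auth.php';
//   login_user($Username);
//   header('Location: LoginViewController.php', true, 303);
//   exit();
```

The 303 status forces the browser to follow the redirect with a GET even when the logout was triggered by a POST, and the explicit exit() after every header('Location: ...') is what prevents the rest of the script from running and emitting output that the browser would otherwise cache.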
You should do a redirect from your logout script.
For example:
header("Location: index.php");
If the user hits back next time, it'll go to the logout.php page again, where you can do the check again and redirect again :) It's an infinite loop if the user tries again.
This is caused by the browser cache, which is keeping the details of the page. If you refresh the page or move any further in your private area, you will be sent to the login page and you will not be able to see anything, assuming that your login check system is correctly configured.
You can otherwise force the browser not to cache the page and to make a new request to the server for the page:
<?php
// send these before any output, on every page of the private area
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
?>
<script type="text/javascript">
// if the page is reached via the back button, push the browser forward again
if (window.history) {
    window.history.forward();
}
</script>
Here is my LoginController.php
<?php
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
//If you are submitting the form insert the details into database
$Username  = $_POST['uname'] ?? '';
$Password  = $_POST['pwd'] ?? '';
$User_Type = $_POST['type'] ?? '';
session_start();
if (!(empty($Username) && empty($Password) && empty($User_Type)))
{
    $model = new UsersModel();
    $rowsCount = $model->checkUser($Username, $Password, $User_Type);
    if ($rowsCount != 0)
    {
        $_SESSION['user'] = $Username;
        header("location:login.php");
        exit(); // stop after the redirect
    } else
    {
        echo '<script type="text/javascript">alert("Enter username and password correctly");
        window.location.href="LoginViewController.php";</script>';
    }
}
?>
Here is my after-login page (login.php). It displays the session user name and the logout link.
<?php
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
session_start();
if(!isset($_SESSION['user']))
{
header('Location: LoginViewController.php');
exit();
}
echo '"<div style="background:white; text-align:right"> Login as:'.$_SESSION['user'].'
<a href="Logout.php" style="text-align:right">Logout</a></div>"';
?>
Here is my Logout.php
<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
session_start();
$_SESSION = array(); // clear the data before destroying the session
session_destroy();
header("Location: LoginViewController.php");
exit(); // do not run anything after the redirect
?>
Try this code on all pages except the login page and the login validation page.
<?php
session_start(); // must run before $_SESSION is checked
// empty() also covers the case where the key was never set, so no notice is raised
if (empty($_SESSION['sesuname'])) {
    echo "You are not logged in.";
    exit();
} else {
    /* All other codes must be here */
}
?>
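A single include that combines the no-cache headers from the earlier answer with the per-page session check from the answer just above, as an added example (not code from any answer on this page). The file name require_login.php, the $_SESSION['user'] and $_SESSION['last_seen'] keys, and the 15-minute idle timeout are assumptions; the login code is assumed to store the username under 'user', and a session without a recorded last_seen simply starts its idle clock on first use. The JavaScript history trick only runs if the page is actually executed, so this server-side check is the control that matters; the headers only keep an already-rendered copy out of the cache.

```php
<?php
// require_login.php (hypothetical file name): include at the top of every
// protected page, before any output. Added example; not the page's own code.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed policy: 15 minutes idle

// no-store keeps the response out of the HTTP cache and, in current browsers,
// out of the back/forward cache as well, so Back after logout has nothing to show.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Returns the logged-in username, or redirects to $login_url and exits.
function require_login(string $login_url = 'login.php'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();

    $user = $_SESSION['user'] ?? null;
    // a session whose login code did not record last_seen starts its clock now
    $last = $_SESSION['last_seen'] ?? time();

    // reject a missing key, a non-string, an empty name, or an idle session
    $valid = is_string($user) && $user !== ''
        && (time() - $last) <= IDLE_TIMEOUT_SECONDS;

    if (!$valid) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url, true, 303);
        exit();
    }

    $_SESSION['last_seen'] = time();
    return $user;
}

// Usage at the top of a protected page such as LoginViewController.php (assumed wiring):
//   require 'require_login.php';
//   $user = require_login();
//   echo 'You have successfully logged in as '
//       . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Escaping the username with htmlspecialchars() on output matters here because the page's own code echoes $_SESSION['user'] straight into HTML; whatever reaches the session from the login form would otherwise be rendered as markup.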