Topic awaiting preservation: PHP: Killing a session without closing the page... (Page 1 of 1)

I'm doing some authentication, and would like to provide a 'logout' button.

At the top of each page, I check for a session variable ($_SESSION['u_name']), and go from there to verify authentication. If it's not there, I prompt for a login. All works well.

However, when I try to kill off the session, I'm having a problem. Currently, I'm doing this:

session_start();
$current = session_id();
session_unregister('u_name');
session_unregister('f_name');
session_unregister('l_name');
session_unregister('p_word');
session_unset();
session_destroy();
session_start();

You'll notice I start a new session at the end. If I look at $current, and session_id(), they are the same! And, if I back up a page or two, I'm still logged in. Emperor has helped so far, but I'm still not able to get it to work. I know I can just close the window, but I'm trying to avoid that.

especially since closing the window might not help with browsers that share cookie data!

So, you've been using $_SESSION['u_name'] to acess your variable?
In that case, session_unregister won't do you any good.
Did you try unset($_SESSION['u_name'])) - that should reliably kill that variable.

you could also try to unset($_SESSION) and then do a session_id() with a new (random) id... but I'd try the plain unset variant first.

Edit: and since you're your own hoster, you probably could find out where php is storing the sessions, and unlink() the file ;-).
(should be in /tmp, which is world read-writeable, isn't it?)

[This message has been edited by Tyberius Prime (edited 10-12-2003).]

That's what's weird....

On my logout page, I run the above mentioned code. Then I echo back all of the variables. All are blank except for the session, which has the same value as the original session. So, I'm inclined to believe that the variables are getting unset. I just can't figure out why the session isn't terminated correctly....

I can issue session_id(123) and give it a new id, but that doesn't help. I'm trying to make sure that if I go back in my browser history and refresh the page, I should get prompted again. Right?



[This message has been edited by Pugzly (edited 10-12-2003).]

well, how about overriding it with an invalid value... like $_SESSION['u_name'] = false; ?

That doesn't work either..... :-(

I just don't see why this doesn't work. If I close the browser, it works fine. I just can't seem to kill the session, so that going back in the history causes me to have to login again..........

pugz, what happens when you set the $_SESSION['u_name'] to a different value... like from jean to john.

Does that work?

You are not mixing session_register and $_SESSION, are you?
Is register globals on or off?

Well, one of the major problem with this idea is that session_start() and session_destroy() are both primary headers. I don't think you can send one ofter the other and have it work properly...one simply cancels the other out and you end up in the same session.

But you can't destroy a session that's not initialized. You have to use session_start() in order to use session_destroy()

Setting $_SERVER['u_name'] to another value doesn't help.....

come in on that again: If you change $_SESSION['u_name'] to a different value, it is unchanged in the next page?
what? Are you certain you're not seeing pages your browser is caching? In that case - look up the pragma headers.

TP: I discussed that possibility with Pugzly the other day and he appears to have all the right headers in place to stop caching.

___________________
Emps

The Emperor dot org

Yep - I've got all the caching headers in place....

source of the logout page: http://staff.macombsheriff.com/auth/logout.phps

When I run this, all of the echos at the bottom are (correctly) empty except for the session id, which (incorrectly) is the same as the one at the top of the page. When I then hit the 'back' button, I still have access (which is based on $_SERVER['u_name'] having a correct value).

Feel free to try this yourself: http://staff.macombsheriff.com/index.php
user: ozone
pass: letmein

Once your logged in, go to the logout page and not the same session ID appears in both place. Then try going back to a previous page. Like the session info page.



[This message has been edited by Pugzly (edited 10-14-2003).]

BTW - I can provide access to all of the source if this would help.

Thanks!

Pugzly: Could you zip it all up so we can all have a try on some other boxes?

___________________
Emps

The Emperor dot org

works perfectly for me in opera - log out, go back (page still visible, cause cached), hit f5, session gone.

sure you got those pragma cache headers correct?

Not sure about this, but I've got a strong feeling that part of the problem lies with IE (as the test with Opera points to as well).

If I remember correctly IE sometimes keeps the sessions alive between browserinstances, meaning that if you are running an ie window (or an application that uses the ie-browser for preview) and then kick open a new window and test this you sometimes keep the session alive through the first window you had opened.

I've seen this several times where you actually have to close all your ie-instances to be 100% sure you are logged out.

As for the code, I basically use the same things to log in/out users, however I usually redirect away from the page on logout which works fine.

Is there some way to reload the window without any history/referrer information, that might help. Either that or do a quick redirect from logout to a "bounce page" that throws you back to the logout page.
/Dan

{cell 260}
-{ a vibration is a movement that doesn't know which way to go }-

download the source: http://staff.macombsheriff.com/staff.zip

Let me know if I can help any further.

Anyone? Bueller?

I'm thinking that the only way to really log out is to close the browser window....

okok, you bullied me into actually looking into the source now, pugzly ;-)

I believe it could have to do with using the http authentication mechanisms - something like the browser keeping on sending the username/password on each page(!).

Tell us something about the enviroment, pugz. Is it an apache? module or cgi (suexec?) ...

so long,

Tyberius Prime

LAMP - Linux, Apache 1.3.27, MySQL 3.23.54, and PHP 4.12 (module). If you contact me offline, I can send you to a phpinfo page for any other info.

This is driving me nuts....

I rewrote this, taking a different approach, but I end up with the same problem...

Each page includes a page that contains the following code:

<?php

function auth(){

	header('HTTP/1.0 401 Unauthorized');

	header("Location: /auth/login7.php?r=" . $_SERVER['PHP_SELF']);

	exit;

}



session_cache_limiter('private');

session_start();

if (!isset($_SESSION['u_name'])&&(!isset($_SESSION['p_word']))&&(!isset($_SESSION['l_name']))&&(!isset($_SESSION['f_name']))) {

	auth();

}else{

	include($_SERVER['DOCUMENT_ROOT'] . "/auth/db.php");

	$sql_result = mysql_query("select * from users where user_name = '$_SESSION[u_name]' and password = '$_SESSION[p_word]'");

	if (mysql_numrows($sql_result) != 0) { // the supplied credentials match the database

		include($_SERVER['DOCUMENT_ROOT'] . "/auth/headers.php");

	}else{

		auth();

	}

}

?>

and the login page looks like this:

<?php

	include($_SERVER['DOCUMENT_ROOT'] . "/auth/db.php"); // connects to the database

	$sql_result = mysql_query("select * from users where user_name = '$PHP_AUTH_USER' and password = '" . md5($PHP_AUTH_PW) . "'");

	if (mysql_numrows($sql_result) != 0) {

		session_start();

		while ($user_rows = mysql_fetch_array($sql_result)){

			$_SESSION['f_name'] = $user_rows[fname];

			$_SESSION['l_name'] = $user_rows[lname];

			$_SESSION['u_name'] = $user_rows[user_name];

			$_SESSION['p_word'] = $user_rows[password];

			$_SESSION['time']   = time();

		}

		header("Location: " . $r); // go back to the originally requested page

	}else{

		header('WWW-Authenticate: Basic realm="Secure MCSO Staff Login"');

  	header('HTTP/1.0 401 Unauthorized');

		exit;

	}

?>

Again, I get logged in without a problem, and can perform everything without a problem, except logging out (unless I close the browser). I go to the logout page, which now includes this:

I removed some things that I thought might be causing the problem, such as checking for $PHP_AUTH_USER and $PHP_AUTH_PW each time.

HELP! I'm afraid hari-kari will ensue if I can't figure this out! :

Although I have no idea what hari kari is, from the tone I assume it's not a good thing.

You might want to give this method a burl. Pass your session ID between pages, and store everything as session variables. that way you require that cookie to be able to keep the session alive. All you do on the page where you want to kill your session is to have IE delete that cookie, or replace it's value with a null value and it's lifetimer with a negative number (which will make the browser delete it since it will register as having lived it's lifetime already). Then even if the user goes back a page to an aera where they were logged in, without that cookie there is no session ID, and without a session ID there is no session. So if the cookie's gone, the session's dead.

now... that would recheck the username/password each time - got to be expansive on the server side.


Pugz, your problem is the 401 authentication... it's something you can't reliably delete from the browser's cache. (my ie for example even carries them between windows).
Drop that, redirect to a 'regular' login page, use that to establish your session, if you don't have some arcane need for using the http-auth method.

Plus, drop that include($_SERVER['DOCUMENT_ROOT'] stuff... use include(dirname(__FILE__)... works much smoother and allows your scripts to run in a sub directory. (had the hardest time getting this halfway to run... even had to get it its own sub domain...)

Skaarj:
hara kiri is the traditional japanese form of suicide, usually because of otherwise falling into dishonour. like being captured by the enemy (a very unprofessional thing for a professional soldier ;-) ) would be cause for hara kiri.

Okay....

I redid this using JUST PHP. No HTTP authentication or anything.

If I log out, and then go back to a page and refresh, I get (correctly) prompted to log in again. BUT - the new session ID is the same as the previous........

Well...you're other option then is to generate the session ID's yourself using PHP->mt_rand()

well, I wouldn't worry about the session ids if the data in the session was deleted correctly.

Glad we could pinpoint this onto the authentication, at least.