
I am integrating a login page (fixed username and password).

Once the user logs in, he is being redirected to another page 'x' (on my server).

However, when the user closes the browser (or tab) and reopens it, he is automatically being directed to the page 'x' without the need to ask for username and pass.

However, if I delete the cookies from my browser's (Firefox) settings, things go back to normal. Deleting the cache does not do anything.

I know I need to insert a couple of lines of code to delete the cookie. My questions are:

  1. Is this 100% a cookie problem, or do I need to prevent storage in the local cache too?
  2. The cookie prevention happens on which level? During the login or the redirection?
  3. Once I am redirected to the page 'x', does putting a log out button there make it possible to log out of the session that redirected?

Below is my code.

```php
<?php
session_start();

// Check the submitted credentials against the fixed username and password
if(isset($_POST['username'])){
 if(($_POST['username'] == "user") && ($_POST['password'] == "pass"))
{
  $_SESSION['secured'] = "Secured";
 }else{
  echo "Wrong username and password.  <p>
  <a href='?'>retry</a>";
 }
}

// Not logged in: show the login form
if(!isset($_SESSION['secured']))
{
echo "<form method='post'>
Username: <input type='text' name='username' maxlength='10' /><br>
Password: <input type='password' name='password' maxlength='10' /><br>
<input type='submit' value='login' />
</form>";
}else{
// Logged in: redirect to page 'x'
?>

<html>
<head>
<title>Session Login</title>
</head>
<body>
<p>redirecting....
<meta HTTP-EQUIV="REFRESH" content="1; url=http://x.php">
</p>
</body>
</html>

<?php
}
?>
```
tony9099

1 Answer

If you can create a logout.php page that will destroy the session:

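```php
<?php
session_start(); // the session must be started before $_SESSION can be changed
// Remove the login flag, then send the user back to the login page
unset($_SESSION['secured']);
header('Location: login.php');
exit;
```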

Simply visit that page and the login will be destroyed.

If you want the session to timeout after a predetermined period of time, you can use something similar to the code shown in this example.

If you're wanting to kill the session after the user has landed on x.php

```php
<?php
session_start();

//First make sure that they're allowed access to x.php
if(!isset($_SESSION['secured'])){
    //They shouldn't be here.
    header('Location: login.php'); //Redirect back to your login page
    exit;
}

//Ok, user is obviously logged in. Unset the session variable so that they can only view this page once (unless they login again)
unset($_SESSION['secured']);

//Show content of x.php
```
Wayne Whitty
  • Wayne, I prefer it more if I can just make the session finish after redirect. How is that possible? – tony9099 Mar 27 '13 at 10:02
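An added example, not code from either poster, showing one way to end the session on both sides: a browser-session cookie, a server-side inactivity limit, and a logout that clears the session data, expires the cookie and destroys the server record. It assumes PHP 7.3+ and the `secured` key from the question; `IDLE_LIMIT`, `last_seen` and the function names are hypothetical.

```php
<?php
// Added example. 'secured' comes from the question; IDLE_LIMIT, 'last_seen'
// and the function names are hypothetical. Requires PHP 7.3+ (array options).
const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

function start_secure_session(): void
{
    // lifetime 0 makes this a browser-session cookie. A browser that restores
    // tabs may still keep it, which is why the server-side checks below exist.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
        // 'secure' => true, // enable when the site is served over HTTPS
    ]);
    session_start();
}

function end_session(): void
{
    $_SESSION = [];                       // drop all session data
    if (ini_get('session.use_cookies')) { // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();                    // delete the server-side session record
}

function require_login(): void
{
    // Seconds since the last authenticated request (0 on the first one)
    $idle = time() - ($_SESSION['last_seen'] ?? time());
    if (!isset($_SESSION['secured']) || $idle > IDLE_LIMIT) {
        end_session();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();      // refresh the inactivity clock
}

start_secure_session();
require_login();
// ... protected content of x.php ...
```

Call `start_secure_session()` in login.php in place of `session_start()` as well, because the cookie attributes are set when the session cookie is first issued. A logout.php then needs only `start_secure_session(); end_session();` followed by the redirect to login.php.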