I am having trouble with my session script. I include this file, called functions.php, in every file I need a session in.

<?php

session_start(); {

  if(isset($_SESSION['username']) && !empty($_SESSION['username'])) {
    return true;
    } else {
    return false;
    }

  }

?>

And then I use this file to log out, called logout.php.

<?php
include('functions.php');
session_destroy();
// We redirect them to the login page
header("Location: homepage.php");
die("Redirecting to: homepage.php");
?>

Can anyone help me fix it so that when a user clicks the logout link they cannot go back to the members area and be logged in again?

Nick

2 Answers

1

OK, I assume the problem was this: you just destroy the session within logout.php, but do not clear the session variables. Please take a look at the documentation.

What happened in your case is, whenever you go back to the home page, you restart the session, therefore you will be able to access $_SESSION['username'] since you did not clear the variable, and you get logged in.

Solution for your problem is

<?php
include('functions.php');
session_unset(); // needs to be called before session_destroy()
session_destroy();
// We redirect them to the login page
header("Location: homepage.php");
die("Redirecting to: homepage.php");
?>

Or you can simply clear $_SESSION['username'] within the logout.php script, and you don't necessarily need to destroy the session at all.

Hope this helps

code-jaff
0

It could well be the browser's cache displaying the page. If you log out, clear the cache and then press back, does it still do the same?

I found a previous question which may help you: Stopping the back button from exposing secure pages?

Community
OneLogicalMyth
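An added example, not code from the question or from either answer: a functions.php that combines the two suggestions above, clearing and destroying the session on logout and sending no-cache headers on member pages so the back button forces a fresh, checked request. The helper names `send_no_cache_headers`, `require_login` and `end_session` are hypothetical; `homepage.php` and `$_SESSION['username']` are taken from the question.

```php
<?php
// functions.php (added example; helper names are hypothetical)
// Members page:  require 'functions.php'; require_login();
// logout.php:    require 'functions.php'; end_session();

// Tell the browser not to store or reuse the page, so pressing "back"
// after logout sends a new request instead of showing a cached copy.
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call at the top of every members-only page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    if (empty($_SESSION['username'])) {
        header('Location: homepage.php');
        exit;
    }
}

// Call from logout.php: clear the data, expire the cookie, destroy the session.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                  // must be active before it can be destroyed
    }
    $_SESSION = [];                       // drop username and every other variable
    if (ini_get('session.use_cookies')) { // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
    header('Location: homepage.php');
    exit;
}
```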