0

I have a web app I am developing for a school project, and I am having issues with the logout page. When a user clicks logout it will send them to a logout.php which just looks like this:

    <?php include ("includes/check_authorization.php");
        // Unset the session and destroy it
        session_unset();
        session_destroy();

        // Redirect to the home page
        echo '<META HTTP-EQUIV="Refresh" Content="0; URL=index.php">';
        exit;
    ?>

It is very simple, but it will unset, then destroy the session, and redirect to the index, which is the login page. However, when this is run the index immediately redirects to a user homepage. The check_authorization page included at the top will redirect someone to login if the username and id are not set and matching in the $_SESSION, so this means that it is setting these for me? I am really confused as to how this is happening. I am using CAS for authentication.

EDIT: the check_authorization.php also initializes the session as well as checking those key values

kreynolds
  • [Meta refreshes? Really?](http://www.php.net/manual/en/function.header.php) – DaveRandom Dec 14 '11 at 16:52
  • Show us the check_authorization.php code. Maybe there is a logical error there. – Vagelis Ouranos Dec 14 '11 at 23:33
  • I was using META refresh because it kept saying the header had already been sent, so that was the first and easiest way I found to redirect. If you have a better suggestion I would be more than open to it. – kreynolds Jan 13 '12 at 15:01
  • I solved my problem; there was nothing wrong with the above code. The CAS authentication I am using is not mine, it is for a much larger group (a University). When I was logging out it was destroying my session, but the University still held onto login data in a cookie; by deleting the cookie I was able to successfully log out :-) – kreynolds Jan 13 '12 at 15:04
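The behaviour described in the asker's last comment (the local PHP session is destroyed, but the CAS server still holds its own single sign-on cookie, so the next visit is silently re-authenticated) is normally handled by ending both sessions. The following is an added example, not the asker's code: it assumes the CAS server exposes the protocol's standard `/logout` endpoint, and both URLs are placeholders.

```php
<?php
// Added example. Both URLs are placeholders (assumptions), not values from the post.
const CAS_LOGOUT_URL = 'https://cas.example.edu/cas/logout';
const APP_LOGIN_URL  = 'https://app.example.edu/index.php';

// Build the CAS logout URL. CAS 3.0 names the return-URL parameter "service".
function cas_logout_url(string $casLogout, string $returnTo): string
{
    return $casLogout . '?' . http_build_query(['service' => $returnTo]);
}

// Remove the application's own session: data, browser cookie, server-side record.
function destroy_local_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    // session_destroy() does not remove the session cookie from the browser,
    // so expire it explicitly with the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

destroy_local_session();

// The application cannot delete a cookie set for the CAS server's domain, so
// the browser is sent to the CAS logout endpoint, which ends the SSO session.
// This must run before any output, otherwise PHP reports "headers already sent".
header('Location: ' . cas_logout_url(CAS_LOGOUT_URL, APP_LOGIN_URL), true, 302);
exit;
```

Whether the CAS server sends the browser back to the `service` URL after logout depends on that server's configuration; the single sign-on session is ended either way.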

3 Answers

1

For a situation like this I did as follows; this is working for me in all the browsers:

    @session_unset();
    $old_sessid = @session_id();
    @session_regenerate_id();
    $new_sessid = session_id();
    @session_id($old_sessid);
    @session_destroy();

Sameera Thilakasiri
  • That does seem to help, but not 100%, I might have another issue altogether. At the risk of sounding like a complete noob...what are the @ for? I have not seen that notation before. – kreynolds Dec 14 '11 at 16:49
  • Basically @ is an operator, which, when prepended to an expression, suppresses error messages. – Sameera Thilakasiri Dec 14 '11 at 16:52
  • 3
    @Prediluted The `@` operator suppresses errors. Read about it [here](http://php.net/manual/en/language.operators.errorcontrol.php). And as a general rule (although [there are exceptions](http://stackoverflow.com/questions/8504253#8505068)) it should be avoided at all costs - if you are getting errors, fix them, don't hide them. – DaveRandom Dec 14 '11 at 16:54
0

Rather than just unsetting the data, try assigning a dummy value to the session, like:

    $_SESSION['authKey'] = '!!INVALID!!';
    session_unset();
    session_destroy();

Even if the session 'revives', the authentication can't possibly succeed anymore because of the "fake" data.

Oldskool
0

There are some possibilities:

  • The simplest possibility: did you include

    session_start();

    at the top of the file, before you include a file? I've been there before, and it pissed me off.

  • The second possibility: try to put

    session_regenerate_id();

    at the very top of your file (before you declare session_start();), because on some hosting servers the configuration is still using a "LINUX" style that I can't explain to you here. But the point is they always use a "cache" when you redirect. In other words, you are always redirected to your "cached" page when you redirect to another page. See, it's hard to explain to you here. But just try the session_regenerate_id(); code, maybe it would work.

  • I never use "echo" for doing redirects. Try:

    header("location:index.php");

    I don't know if this is working or not. I am simply giving you my analysis based on my assumptions.

Hope this is helpful. :)

Arvid Theodorus