I am having trouble with session_destroy().
When the user presses Log out, it has to destroy the session. I wrote the following code:
Logout.php
<?php
session_start();
session_destroy();
header("location: LoginViewController.php");
?>
After pressing log out, when I press the browser back button, it shows my previous logged-in user page and the session username on the Login.php page.
Login.php
<?php
session_start();
$_SESSION['user']= $_GET['username'];
echo '"<div style="background:white; text-align:right"> Login as:'.$_SESSION['user'].'</div>"';
echo '<a href="Logout.php" style="text-align:right">Logout</a>';
LoginViewController.php
<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
$Username = $_POST['uname'];
$Password = $_POST['pwd'];
$User_Type=$_POST['type'];
If (!(empty($Username) && empty($Password) && empty($User_Type))){
$model = new UsersModel();
$rowsCount = $model->checkUser($Username,$Password,$User_Type);
if ($rowsCount!=0){
header("location:login.php?username=".$_POST['uname']."");
} else {
echo '<script type="text/javascript">alert("Enter username and password correctly");
window.location.href="LoginViewController.php";</script>';
}
}
I don't know why it is working like that.
Please help me find out where I made a mistake.
I want to disable the browser back button after logout.
On the login screen, in PHP, before rendering the view, you need to check if the user is already logged in, and redirect to the default page the user should see after logging in. Similarly, on the screens requiring login, you need to check if the user is not logged in and, if not, redirect them to the login screen.
Whenever a user visits a protected page, try sending headers to prevent caching of the page:
header('Cache-Control: no-cache, must-revalidate');
header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
login.php page:
<?php
session_start(); // must run before $_SESSION is read or written
if (isset($_POST['uname'], $_POST['pwd'], $_POST['type'])) {
    $Username = $_POST['uname'];
    $Password = $_POST['pwd'];
    $User_Type = $_POST['type'];
    // Reject the form if any one of the fields is empty
    if (!(empty($Username) || empty($Password) || empty($User_Type)))
    {
        $model = new UsersModel();
        $rowsCount = $model->checkUser($Username, $Password, $User_Type);
        if ($rowsCount != 0)
        {
            // Store the user in the session only after the credentials check out
            $_SESSION['user'] = $Username;
            header("Location: LoginViewController.php");
            exit(); // stop here so nothing else runs after the redirect
        } else {
            echo 'Bad user';
        }
    } else {
        echo 'Please, fill all inputs';
    }
} else {
    echo 'Bad form sent';
}
?>
<form name="f1" method="POST" action="" >
<!-- inputs -->
</form>
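LoginViewController.php:
<?php
session_start(); // needed so $_SESSION['user'] is available for the check below
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
// Not logged in: send the visitor back to the login page
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}
// Escape the user name before writing it into the HTML
echo 'You have successfully logged as '.htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
?>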
And add the headers to force the browser to revalidate the pages:
logout.php:
<?php
session_start();
session_destroy();
$_SESSION = array();
header("location: login.php");
?>
This is caused by the browser cache, which is keeping details of the page. If you refresh the page or move any further in your private area, you will be prompted with the login page and you will not be able to see anything, assuming that your login check system is correctly configured.
You can otherwise force the browser not to cache the page and to make a new request to the server for the page:
header("Cache-Control: private, must-revalidate, max-age=0");
header("Pragma: no-cache");
header("Expires: Fri, 4 Jun 2010 12:00:00 GMT");
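Added example, not code from any of the posts above: the session handling the answers describe, gathered into one helper file, with the user name stored in the session only after the credential check and the session cookie expired on logout. The file name session_helpers.php, the function names and the login.php target are assumptions.

```php
<?php
// session_helpers.php -- added example; file and function names are hypothetical.

// Start the session once, before any output is sent.
function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Call only after the credentials have been verified server-side.
function log_in(string $username): void
{
    start_session();
    session_regenerate_id(true); // fresh session ID; the pre-login ID is discarded
    $_SESSION['user'] = $username;
}

// Call at the top of every protected page, before any HTML is written.
function require_login(string $loginPage = 'login.php'): string
{
    start_session();
    // Ask the browser not to keep a copy, so Back after logout makes a new
    // request that reaches the check below instead of showing a stale page.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    if (!isset($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit;
    }
    // Return the name escaped, ready to echo into HTML.
    return htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
}

// Full logout: clear the data, expire the cookie, destroy server-side storage.
function log_out(string $loginPage = 'login.php'): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $loginPage);
    exit;
}
```

A protected page would start with require_once 'session_helpers.php'; followed by $user = require_login(); and logout.php would only call log_out().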