After logging out, the user can access the protected page

I added a session and used the code below to prevent the user from accessing the page after logging out, but I cannot get this to work: the user can still access the previous page. Here is the code:

Login code:

 <form id="form1" name="form1" method="post" action="alogin.php" onsubmit="return(validate());">
   <p align="center"><font style="Arial" size="+1" color="#000000">Username : <label for="name"></label>
     <input type="text" name="name" id="name" /></font></p>
   <br /><br />
   <p align="center"><font style="Arial" size="+1" color="#000000">Password : <label for="pass"></label>
     <input type="password" name="pass" id="pass" /></font></p>
   <p align="center"><br /><br />
     <input type="submit" name="submit" id="submit" value="Login" /></p>
 </form>

On every protected page I used this:

 <?php
 session_start();
 if (!isset($_SESSION['name'])) {
     header("location:login.html");
 }
 ?>

while logout.php contains:

 <?php
 session_start();
 $_SESSION = array();
 setcookie(session_name(), "", time() - 3600);
 session_destroy();
 header("Location: login.html?id=You are successfully logged out");
 ?>

+4
8 answers
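The question's guard and logout, reworked as an added example (this is not code from the question or from any answer). The protected page tells the browser not to store it, so pressing "Back" after logout re-requests the page and hits the redirect instead of showing a stored copy; the redirect is followed by exit so no HTML is sent after it; logout expires the session cookie with the same attributes it was set with. Assumed names: auth_guard.php for this file and the login.html page from the question; the session key 'name' is the one the question uses.

```php
<?php
// auth_guard.php (added example, not code from the question or answers).
// Assumes: this file is required by every protected page and by logout.php,
// login.html exists, and the session key 'name' marks a logged-in user.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call at the very top of each protected page, before any output.
function require_login(): void
{
    start_session_once();

    // Forbid caching so "Back" after logout re-requests the page instead of
    // showing a stored copy; that request then hits the redirect below.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['name'])) {
        header('Location: login.html');
        // Without exit the rest of the page is still sent to the browser.
        exit;
    }
}

// Call from the login handler after the password has been verified.
function login_user(string $name): void
{
    start_session_once();
    session_regenerate_id(true); // fresh id, so a pre-login id cannot be reused
    $_SESSION['name'] = $name;
}

// logout.php: clear server-side state, expire the cookie, then redirect.
function logout_user(): void
{
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same path/domain/flags it was issued with,
        // otherwise the browser keeps the old one.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Cache-Control: no-store');
    header('Location: login.html?id=logout_successful');
    exit;
}
```

A protected page then starts with `<?php require 'auth_guard.php'; require_login(); ?>`, and logout.php is just `require 'auth_guard.php'; logout_user();`. The Cache-Control header is what addresses the "Back" button; the exit after header() is what stops the page body from leaking to clients that ignore the redirect.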

I created a file called session.php:

 <?php
 ob_start();
 session_start();
 // name this file session.php and include it in every file you want to protect with the session
 ?>

Then we need to include this file on every page that we want to protect in this way:

 <?php
 include 'session.php';
 // only a logged-in admin may see this page
 if (!isset($_SESSION['name']) || $_SESSION['name'] !== 'admin') {
     header("Location:login.html?id=access_forbidden");
     exit;
 }
 ?>

Otherwise, you have to add this check to each page separately.

and logout contains:

 <?php
 include 'session.php';
 $_SESSION = array();
 setcookie(session_name(), "", time() - 3600);
 session_destroy();
 header("Location: login.html?id=logout_successful");
 exit;
 ?>

Thanks to PHP_Noob for his help, and I did it in a week.

0

When a user presses "Back" in their browser, the browser may decide to load the page from the cache. The user will not be able to do what a logged-in user can do, because the session has been destroyed and is invalid.

A possible workaround would be to include an AJAX request in these sensitive pages which checks whether the user is still logged in. If yes, display the sensitive elements (or fetch them via AJAX); if not (the user has logged out), display a warning or send them to the login page (via JS).

+5
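The AJAX check described in this answer, written out as an added example (not the answer's own code). One script serves both roles: a request with ?check=1 returns a JSON verdict only, and a normal request renders the page with the sensitive block hidden until the probe confirms the session. Assumed: the question's session key 'name' and a login.html page.

```php
<?php
// protected.php (added example implementing the AJAX check from the answer;
// not the answer's code). Assumes the session key 'name' from the question
// and a login.html page to send logged-out visitors to.
session_start();
header('Cache-Control: no-store');
$loggedIn = !empty($_SESSION['name']);

// Probe endpoint: GET protected.php?check=1 answers with JSON and nothing else.
if (isset($_GET['check'])) {
    header('Content-Type: application/json');
    echo json_encode(['logged_in' => $loggedIn]);
    exit;
}

if (!$loggedIn) {
    header('Location: login.html');
    exit;
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Protected</title></head>
<body>
<p>Hello, <?= htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8') ?></p>

<!-- Kept hidden until the probe confirms the session. For data that must not
     appear in a cached copy at all, fetch it in the success branch instead of
     embedding it here. -->
<div id="secret" hidden>
  <p>Account details go here.</p>
</div>
<p id="warning" hidden>Your session has ended. Please log in again.</p>

<script>
fetch('protected.php?check=1', { cache: 'no-store', credentials: 'same-origin' })
  .then(function (r) { return r.json(); })
  .then(function (j) {
    if (j.logged_in) {
      document.getElementById('secret').hidden = false;
    } else {
      document.getElementById('warning').hidden = false;
      // replace() so the stale page does not remain in the history list
      location.replace('login.html');
    }
  })
  .catch(function () { location.replace('login.html'); });
</script>
</body>
</html>
```

The probe request carries cache: 'no-store', so the browser asks the server every time rather than reusing a cached JSON answer from before logout.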

It is called the cache: the server does not even receive a request.

Just make sure no further interaction is possible.

+2

After header("location:login.html"); you might also want to call die(); so that the rest of the HTML is not sent.

+1

PLEASE NOTE: This is just a suggested answer.

This is what I use and works quite well.

In your form handler, which should have a .php file extension, use something to this effect:

 session_start();
 // $firstname corresponds to your $name
 $firstname = $_POST['firstname'];
 // some code (validate the login here)
 $_SESSION['unique_session_name'] = $firstname;

Then on the secure pages:

 session_start();
 if (isset($_SESSION['unique_session_name'])) {
     // some code
 }

0

The logic you were talking about seems to have a problem with the way you test the session. It does not work if you execute session_start(); at the top of the secure pages and then check the session.

Try checking the session like this:

 if (session_id() == '') {
     // session isn't started
     session_start();
 } else {
     header("location:login.html");
 }

0

It's a shot in the dark, as others mentioned the cache problem. I had a similar problem not so long ago, and I think I solved it by manually unsetting the session variable that I was checking. I'm not sure if this will help, but it seems to have worked for me.

 session_unset();
 unset($_SESSION['name']);

Just something worth trying.

0

I create a cookie called session-cookie and set it to true when the user logs in successfully.

When the user logs out, I set the session-cookie to empty.

Then add the following JavaScript:

 <script>
 if (document.cookie.indexOf("session-cookie") < 0) {
     location.replace('http://[any url]/');
 }
 </script>

They will be able to click the "Back" button and view the cached page, but it will quickly redirect and overwrite the current page in the history.

0
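The flag-cookie approach from this answer, as an added example (not the answer's code): the "session-cookie" flag is set next to the real PHP session at login and expired at logout, and a small script emitted into every protected page watches for it. Assumed: login.html and protected.php pages, the default cookie path '/', and that the password has already been verified before login_with_flag() is called.

```php
<?php
// flag_cookie.php (added example, not the answer's code). Assumes login.html
// exists, cookies use the default path '/', and the caller has verified the
// password before calling login_with_flag().
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function login_with_flag(string $name): void
{
    start_session_once();
    session_regenerate_id(true);
    $_SESSION['name'] = $name;
    // The flag carries no secret; it exists only so the script in a cached page
    // can see that a logout happened. Deliberately not HttpOnly: JS must read it.
    setcookie('session-cookie', 'true', [
        'path' => '/', 'secure' => true, 'httponly' => false, 'samesite' => 'Lax',
    ]);
}

function logout_with_flag(): void
{
    start_session_once();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');   // expire the real session cookie
    setcookie('session-cookie', '', time() - 3600, '/'); // and the flag
    session_destroy();
    header('Cache-Control: no-store');
    header('Location: login.html');
    exit;
}

// Returns the script to place at the top of each protected page's HTML. It
// runs even when the browser serves the page from cache, which is the point.
function flag_check_script(string $loginUrl): string
{
    $url = json_encode($loginUrl); // JSON-encoded so the URL is a safe JS string literal
    return "<script>\n"
         . "if (document.cookie.indexOf('session-cookie=true') < 0) {\n"
         . "  location.replace($url);\n"
         . "}\n"
         . "</script>\n";
}
```

Usage: on a protected page, after the server-side session check, `echo flag_check_script('login.html');` before the page body. The script only improves what a user sees after pressing "Back"; it is not an access check, so the server-side session test and the no-store header on protected pages still have to be in place.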

Source: https://habr.com/ru/post/1484296/
