Session is not being destroyed with session_destroy()?

Question

Session is not being destroyed with session_destroy()?

Asked 10 years, 4 months ago

Viewed 1,532 times

0

I immediately in my session, created a logout.php page to destroy the session. So far so good I can scroll down but when I click the back button of the browser I log back in. As I destroy the session?

logout.php

    ?>
    <script>alert("Logout efetuado com sucesso");
    window.location="http://dominio.com/area/login.php";
    </script>     


    <?php

    //header("Location:http://dominio.com/area/index.php"); exit; // Redireciona o visitante
?>

php access where valid my session

 $usuario = mysql_real_escape_string($_POST['login']);
$senha = mysql_real_escape_string($_POST['senha']);

// Validação do usuário/senha digitados
$sql = "SELECT `id_user`, `nome`, `nivel`,`id_franquia` FROM `usuario1` WHERE (`nome` = '".$usuario ."') AND (`senha` = '". $senha ."') LIMIT 1 ";
$query = mysql_query($sql);
if (mysql_num_rows($query) != 1) {
    // Mensagem de erro quando os dados são inválidos e/ou o usuário não foi encontrado
   ?> <script>alert("Login inválido! Tente novamente");
        window.location="http://dominio.com/area/login.php";       
   </script><?php
   //header("Location:http://dominio.com/area/login.php");
} else {
    // Salva os dados encontados na variável $resultado
    $resultado = mysql_fetch_assoc($query);

    // Se a sessão não existir, inicia uma
    if (!isset($_SESSION)) session_start();

    // Salva os dados encontrados na sessão
    $_SESSION['UsuarioId'] = $resultado['id_user'];
    $_SESSION['UsuarioNome'] = $resultado['nome'];
    $_SESSION['UsuarioNivel'] = $resultado['nivel'];
    $_SESSION['UsuarioFranquia'] = $resultado['id_franquia'];

    if($_SESSION['UsuarioNivel'] ==1){
        header("Location:http://dominio.com/area/admin/admin.php"); 
    }else if($_SESSION['UsuarioNivel'] ==2){
        header("Location:http://dominio.com/area/editor/editor.php");
    }else if($_SESSION['UsuarioNivel'] ==3){
        header("Location:http://dominio.com/area/usuario/usuario.php");
    }

page that I am directed

php editor.

<?php


if (!isset($_SESSION)) 
session_cache_expire(10);
session_start();

$nivel_necessario = 2;

    // Verifica se não há a variável da sessão que identifica o usuário
if (!isset($_SESSION['UsuarioId']) && ($_SESSION['UsuarioNivel'] !=$nivel_necessario)) {
    // Destrói a sessão por segurança
    session_destroy();
    // Redireciona o visitante de volta pro login
    header("Location:http://dominio.com/area/login.php"); exit;
}
$logado = $_SESSION['UsuarioNome'];
?>

Dude, that’s a lot to want code ready. Just google it and you’ll find it in English!

– Douglas Bernardino

2014/07/23 at 16:54
7

This question seems to be out of date because it is a question that could be solved with a quick google search, having no utility to help future users

– RodrigoBorth

2014/07/23 at 16:57
I’m voting to close

– RodrigoBorth

2014/07/23 at 16:58
why do you have an Else without having an if? how do you check whether you are logged in or not? post all the codes of the pages involved in the process

– RodrigoBorth

2014/07/23 at 17:04
added the pages I use

– José Carlos

2014/07/23 at 17:19
this is probably because of the return, when you return a page in the browser it probably asks to resend the form data you had sent when you visited that page, as your browser has this data saved it resends creating thus a new session, if you go to the page, manually without using the back button probably the session will not be started

– RodrigoBorth

2014/07/23 at 17:59
tested on firefox and Chrome and still redirected me to page, already in IE the session really was destroyed

– José Carlos

2014/07/23 at 18:11
I left it open because the question seems normal after editing.

– Jorge B.

2014/07/31 at 08:00

Show 3 more comments

3 answers

1

People solved the problem with the help of Rene and Pope Charlie. First I used the javascript indicated by Rene this code does not let page back. This code has to be placed on every page you want to protect from improper access so.

    <script type="text/javascript">
        window.history.go(1);
    </script>

Then I used the time control in the section. I set time in the file that makes the test for access so my file access.php was like this.

     if (!isset($_SESSION)) session_start();

    // Salva os dados encontrados na sessão
    $_SESSION['UsuarioId'] = $resultado['id_user'];
    $_SESSION['UsuarioNome'] = $resultado['nome'];
    $_SESSION['UsuarioNivel'] = $resultado['nivel'];
    $_SESSION['UsuarioFranquia'] = $resultado['id_franquia'];
    $_SESSION["Tempo"] = time() + 60*2;

    if($_SESSION['UsuarioNivel'] ==1){
        header("Location:http://dominio.com/area/admin/admin.php"); 
    }else if($_SESSION['UsuarioNivel'] ==2){
        header("Location:http://dominio.com/area/editor/editor.php");
    }else if($_SESSION['UsuarioNivel'] ==3){
        header("Location:http://dominio.com/area/usuario/usuario.php");
    }

And then text the time on each page that I want to protect. Page editor looked like this.

    if ( isset( $_SESSION["Tempo"] ) ) { 
       if ($_SESSION["Tempo"] < time() ) { 
           session_unset();
           echo "Seu tempo Expirou!";
           //Redireciona para login
           header("Location:http://domino.com/area/login.php");
    } else {

        //Seta mais tempo 60 segundos
        $_SESSION["sessiontime"] = time() + 60;
    }
  } else { 
      session_unset();
    //Redireciona para login

}

1

i) where is the cache control I told you about? ii) if you test with js disabled, the result will be the same.

– Papa Charlie

2014/07/25 at 22:27

Browser other questions tagged php security-guard

You are not signed in. Login or sign up in order to post.

by Rene Sá • **823** points · Answer 1 · 2014-07-23T19:51:55+00:00

Since no one has answered so far, I’m going to give a solution that I’m not sure is the most valid.

In the "editor.php" header insert:

<script type="text/javascript">
window.history.go(1);
</script>

This code does not allow the user to go back to the page.

by Papa Charlie • **8,721** points · Answer 2 · 2014-07-23T21:56:27+00:00

2

When you click exit, a new page is loaded by logging out the user.
If it clicks back, the session will NOT be redone, it is just the browser cache. If it returned to a page with options to edit the profile - for example - and submit the form, when the page is updated to perform the action, it will verify that the user is not logged in.

. Maybe you can change the cache time to resolve

I checked this too but the session is redone when I update the browser it does not redirect to the login screen. And still if I try to proceed to the next screen that needs the session with you normally. But I will try the cache as you told me.

– José Carlos

2014/07/24 at 10:46
I used the time control and it worked

– José Carlos

2014/07/24 at 11:40
A test I could have done and I forgot to mention, is using anonymous mode - just to check that the session never restores like magic :) Glad you solved, if you want to leave as you did to be able to help someone in the future.

– Papa Charlie

2014/07/24 at 20:45
I have another problem on the same system, after which I am redirected to the page editor.php and get the information from Session. I try from the editor.php to go to another page I can not send the variables of Session. If you can help me, I appreciate

– José Carlos

2014/07/25 at 10:47