I have written a logout script to clear the session vars and forward to another page see below:
session_start();
$_SESSION = array();                      // clear every session variable
session_unset();
// Expire the session cookie in the browser: an expiry of 0 only makes it a
// browser-session cookie, so use a time in the past
setcookie(session_name(), '', time() - 42000, '/');
session_destroy();                        // discard the server-side session data
// session_regenerate_id() dropped: it cannot run once the session is destroyed
include("user-includes/mma-config.php");
GoToAdminLogin();
exit();
On one hand it seems to work; however, if I press the back button in the browser I can still get to a page I shouldn't be able to access, since I'm supposed to be logged out.
It is loaded from the browser cache... but they may not be able to take action on the page? Are they able to do it?
Have a session variable at the start of the page and check if it is set; if not, redirect to the login page. (This will take care of the case where the page is reloaded fresh.)
Hi
Yes, they are able to perform an action on a page they are supposed to be logged out of.
Here is my code at the top of one page. Now that I look at it, I should be replacing session_start(); with a forward to a login page?
session_start();   // must run before $_SESSION can be read at all
if (!isset($_SESSION['user']) || !isset($_SESSION['role']) || !isset($_SESSION['active']))
{
    // no logged-in session: send the visitor to the login page
    include("…/user-includes/mma-config.php");
    GoToAdminLogin();
    exit();
}
// the original "!= admin || != ltd" is true for every role; both must fail to reject
if (($_SESSION['role'] != "admin") && ($_SESSION['role'] != "ltd"))
{
    include("…/user-includes/mma-config.php");
    $_SESSION['error'] = "You are not authorized to access this area.";
    GoToOops();
    exit();
}
if ($_SESSION['active'] != "Y")
{
    include("…/user-includes/mma-config.php");
    $_SESSION['error'] = "You are not authorized to access this area.";
    GoToOops();
    exit();
}
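As an added example (not the poster's code), here is a single include for the top of every protected page that performs the session check suggested above and also sends no-store headers so the back button re-requests the page instead of showing a cached copy; it assumes mma-config.php defines GoToAdminLogin() and GoToOops() as on the page, and that the valid roles are "admin" and "ltd".

```php
<?php
// require-auth.php (hypothetical name): include before any output on protected pages.
// Assumes mma-config.php provides GoToAdminLogin() and GoToOops() (from the thread).
require_once __DIR__ . '/user-includes/mma-config.php';

// Session cookie unreadable by page scripts and not sent on cross-site requests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
// Start the session BEFORE reading $_SESSION; otherwise every isset() is false.
session_start();

// Without these headers the browser keeps a copy of the page, so the Back button
// shows it after logout without ever reaching the check below.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: 0');

function requireAuth(array $allowedRoles): void
{
    // Multi-argument isset() is true only when every key is present.
    if (!isset($_SESSION['user'], $_SESSION['role'], $_SESSION['active'])) {
        GoToAdminLogin();   // not logged in (or already logged out)
        exit();
    }
    // Strict in_array() replaces the "!= admin || != ltd" test, which always passed.
    if (!in_array($_SESSION['role'], $allowedRoles, true) || $_SESSION['active'] !== 'Y') {
        $_SESSION['error'] = 'You are not authorized to access this area.';
        GoToOops();
        exit();
    }
}

requireAuth(['admin', 'ltd']);
```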