I am using a PHP login script that challenges user for username & password.
Once authenticated program stores a session value. On logout, session value is set to blanks.
Once logged out I want to avoid allowing user hitting the back button a few times and and betting allowed to see screen of data or accidentaly logging himself back in.
I am using sessions, a re-direct to send validated user to a new page. I am also using ob_start, ob_flush and ob_end_clean to prevent error or re-direct.
Questions:
Is this really secure?
Is this a common approach?
Is there alterternative to buffering?
below is a small proof-of-concept.
<?php
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
header("Pragma: public");
session_cache_limiter('nocache');
// I'm not sure how effective any of the above seem to be.
session_start();
// start buffering because if we use header later we want to avoid error
ob_start();
echo "Type <b>in</b> or <b>out</b> to login/logout<br>";
?>
<form action='' method='POST'>
<input type='text' name='status' size='10' value=""><br/><br/>
<p> </p>
<input type='submit' name='Login' value='Login' /></form></p>
<?php
if ($_POST['status'] == 'in')
{
$_SESSION['logged_in'] = 'in';
ob_end_clean(); // clean and erase buffer so far
header('location:test2.php');
exit;
}
if ($_POST['status'] == 'out')
{
$_SESSION['logged_in'] = 'no';
echo "you are logged out <br>";
}
ob_flush(); // push output
echo "login status = " . $_SESSION['logged_in'] ;
?>
file test2.php
<?php
echo "You have logged in";
?>
What you need is a proper logout method rather than testing session data. You want the session to be wiped competely. Here is an example that logs the user in and logs the user out and also checks if the user is logged in. When you click the logout page you’re automatically logged out and redirected. Clicking back won’t change anything you still won’t be logged in.
login.php
homepage.php
logout.php
Hope this helps demystify sessions a bit for you.