
can't destroy sessions

I've this code I've included in ALL my pages:

    session_cache_limiter('private, must-revalidate');
    if(!session_is_registered("ID")){
        if(!session_id())
            session_start();
        $UserID = 0;
        if (isset($_SESSION["ID"]) and $_SESSION["ID"] > 0){
            showmessage($_SESSION["ID"]);
            $UserID = $_SESSION["ID"];
        }
    }

but not in the "logout.php" which is this code:

    session_start();
    $_SESSION["ID"] = 0;
    unset($_SESSION["ID"]);
    session_unset("ID");
    session_unregister("ID");
    session_destroy("ID");
    header("Location: index.php");

I can logout without any problem, but when I log again, any user/pass works,
so I suspect the session to be recreated as the session ID is always the
same. Where is the problem ???? why the session is recreated ?

Bob
Jul 17 '05 #1
3 Replies


Bob Bedford wrote:

> I've this code I've included in ALL my pages:
>
>     session_cache_limiter('private, must-revalidate');
>     if(!session_is_registered("ID")){
>         if(!session_id())
>             session_start();
>         $UserID = 0;
>         if (isset($_SESSION["ID"]) and $_SESSION["ID"] > 0){
>             showmessage($_SESSION["ID"]);
>             $UserID = $_SESSION["ID"];
>         }
>     }

Hi Bob,

Does that code actually work?

The following part misses {}

    if(!session_id())
        session_start();
    $UserID = 0;


> but not in the "logout.php" which is this code:
>
>     session_start();
>     $_SESSION["ID"] = 0;
>     unset($_SESSION["ID"]);
>     session_unset("ID");
>     session_unregister("ID");
>     session_destroy("ID");
>     header("Location: index.php");
>
> I can logout without any problem, but when I log again, any user/pass
> works, so I suspect the session to be recreated as the session ID is
> always the same. Where is the problem ???? why the session is recreated ?

maybe you have session.auto_start = 1 in your php.ini?

> Bob


My advice to you would be to redo your code.
I find this the easiest way:

1) leave session.auto_start = 1
This way you don't have to worry about starting sessions, they are always
there.

2) use the following code to check if a user is logged in:

    if (!isset($_SESSION["isloggedin"])) {
        // user is not logged in, send where you want him to go
        header("Location: login.php");
        exit;
    }

3) If a user logs in, you first check the user/pass (against your database I
guess).
so something like this:

    if (user/pass is accepted){
        $_SESSION["isloggedin"] = "Y";
        // and maybe:
        $_SESSION["userid"] = <from database>;
    }

Regards,
Erwin Moller
Jul 17 '05 #2

> Hi Bob,
>
> Does that code actually work?
>
> The following part misses {}
>
>     if(!session_id())
>         session_start();
>     $UserID = 0;

I only start Session if the session_id isn't set. Why they are missing {}? In
any case I set $UserID = 0;


> > but not in the "logout.php" which is this code:
> >
> >     session_start();
> >     $_SESSION["ID"] = 0;
> >     unset($_SESSION["ID"]);
> >     session_unset("ID");
> >     session_unregister("ID");
> >     session_destroy("ID");
> >     header("Location: index.php");
> >
> > I can logout without any problem, but when I log again, any user/pass
> > works, so I suspect the session to be recreated as the session ID is
> > always the same. Where is the problem ???? why the session is recreated ?
>
> maybe you have session.auto_start = 1 in your php.ini?

No, session.auto_start = 0

> > Bob


> My advice to you would be to redo your code.
> I find this the easiest way:
> 1) leave session.auto_start = 1
> This way you don't have to worry about starting sessions, they are always
> there.

I can't modify php.ini settings. My provider doesn't allow it !

> 2) use the following code to check if a user is logged in:
>
>     if (!isset($_SESSION["isloggedin"])) {
>         // user is not logged in, send where you want him to go
>         header("Location: login.php");
>         exit;
>     }

It's actually what I'm trying to do when checking ( if
(isset($_SESSION["ID"])) as this ID should only be created once the
user/pass is valid.

> 3) If a user logs in, you first check the user/pass (against your database
> I guess).
> so something like this:
>
>     if (user/pass is accepted){
>         $_SESSION["isloggedin"] = "Y";
>         // and maybe:
>         $_SESSION["userid"] = <from database>;
>     }

Actually I set the $_SESSION["ID"] the same way you set your userid. If this
value is 0, then the user didn't log, otherwise he did.

It seems that every time I do session_start(), the old session is created
again. I can't permanently remove it.

Bob
Jul 17 '05 #3

"Bob Bedford" <be******@YouKnowWhatToDoHerehotmail.com> wrote in
news:41***********************@news.sunrise.ch:
> I can't modify php.ini settings. My provider doesn't allow it !


none at all? there are many that can normally be set specifically for
your site, by changing them on one of your pages, so it only affects your
site. It will not mess with the php.ini file. an example would be storing
all your session files in one of your own folders, not the host catch-all
(I think that setting is part of it anyway). It's an easy way to check out
if when you shutdown the browser and restart if the original session file
is still there because you have direct access to them. Check out the
manual.

also, when you log out, set your session to array(), not 0. then unset
and destroy it.

your 'private' header is there for IE mainly, include all of these as
well in your session include file - I don't understand them all but
several of the validation samples I checked out use them. so when in
Rome.....

    // ensure page does not store in cache to force reloading every time
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Cache-Control: post-check=0, pre-check=0', FALSE);
    header('Pragma: no-cache');
    header("Cache-control: private"); // fix for IE6.

cheers
Jul 17 '05 #4
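
Added example, not code from any poster in this thread: a logout that follows the sequence suggested above (empty $_SESSION, then destroy) and also expires the session cookie, because session_destroy() leaves the cookie in the browser and the same session ID is sent back on the next request. It assumes PHP 7 or later, where session_is_registered() and session_unregister() no longer exist; the helper names are hypothetical, while $_SESSION["ID"], logout.php and index.php come from the question.

```php
<?php
// Added example; helper names are hypothetical, $_SESSION["ID"] is the thread's key.

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after the user/pass check has succeeded for $userId.
function mark_logged_in(int $userId): void
{
    start_session_once();
    session_regenerate_id(true);   // fresh ID at login, old session data deleted
    $_SESSION["ID"] = $userId;
}

// 0 means "not logged in", as in the question.
function current_user_id(): int
{
    start_session_once();
    return (isset($_SESSION["ID"]) && $_SESSION["ID"] > 0) ? (int) $_SESSION["ID"] : 0;
}

function log_out(): void
{
    start_session_once();          // a session must be active to destroy it
    $_SESSION = array();           // clear the data for the rest of this request
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        // Expire the cookie so the browser stops sending the old session ID.
        setcookie(session_name(), "", time() - 42000,
            $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();             // takes no arguments; removes the stored data
}

// Body of logout.php: runs only when this file is requested under that name.
if (basename($_SERVER["SCRIPT_NAME"] ?? "") === "logout.php") {
    log_out();
    header("Location: index.php");
    exit;
}
```

Because mark_logged_in() is the only place that writes $_SESSION["ID"], a page that calls current_user_id() sees 0 until a credential check has actually passed.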
