NYCPHP Meetup

NYPHP.org

[nycphp-talk] Cannot unset $_POST during logout

max max at neuropunks.org
Wed Jul 20 12:07:32 EDT 2005


Hello,
Can't figure this out. I'm trying to make it so once a user logs out, they cannot hit back and be logged back in, which I'm sure is trivial, but for some reason it does not work with my code.
Here is the code snippet from the beginning of index.php (which handles $_POST and $_GET and does authentication/signup/proper page display):

<?php
session_start();
require_once ("../conf/app.conf");   // defines Page, input_process(), build_signup(), build_survey()

$page = new Page();

if ($_GET) {
        $get = input_process($_GET);
        // action selector: ?a=signup or ?a=logout (array keys must be quoted strings)
        if ($get['a'] == "signup") {
                $page->body .= build_signup();
                $page->body .= build_survey();
                $page->htmlBuild("index");
                exit;
        }

        if ($get['a'] == "logout") {
                // drop request data and tear down the session
                unset($_POST);
                unset($_GET);
                unset($_SESSION);
                session_unset();
                session_destroy();
                $page->body = "You were successfully logged out";
                $page->htmlBuild("index");
                exit;
        }

}
?>

The code goes on for much more after that, but I would think these are the relevant parts.
I also tried inserting various header() cache control things, but that didn't work either. If I print_r($_POST) after I call the unset()s and session_destroy() it's empty, so somehow the browser caches the $_POST and does not honor

header("Cache-Control: no-store, no-cache, must-revalidate");

which I used to have at the beginning of this page (after session_start() and before require_once()).
I also tried replacing unset() with $_SESSION = array() and the same for $_POST and $_GET, but it still caches.
There are checks in the code for various $_SESSION vars to be set to gain access to certain data, so you would think unset($_SESSION) would prevent access, but it doesn't.
Here is one of the checks:

if (count($_SESSION['user']) > 1) {
	echo "<br>This is protected content, only for authenticated users.";
} else {
	echo "<br>This is general content for everyone.";
}

That is in the HTML that gets called by the $page->htmlBuild function, and it still gets bypassed due to caching (of $_POST I would assume).
So I am a little confused now. I looked at some other code and it looks like checking for certain $_SESSION vars being set is an acceptable authentication verification method, but it fails for me.

Thanks for any input!

max
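Added example, not code from the post above: a logout handler for the same index.php?a=logout route that empties the session array (the PHP manual advises against unset($_SESSION)), expires the session cookie, sends no-cache headers before any output so a cached authenticated page is not served on Back, and finishes with a redirect so Back cannot re-submit the login form. The $_SESSION['user']['id'] key and the msg=loggedout query string are assumptions.

```php
<?php
// Added example (not from the original post). Assumes index.php receives
// ?a=logout and that a logged-in user has $_SESSION['user']['id'] set.

function logout(): void
{
    // Empty the array instead of unset($_SESSION); the manual warns
    // that unsetting the superglobal breaks session handling.
    $_SESSION = [];

    // Expire the session cookie so the browser stops sending the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function send_no_cache_headers(): void
{
    // Must run before any output; covers HTTP/1.1 and HTTP/1.0 caches.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function is_authenticated(): bool
{
    // Test one specific key rather than count($_SESSION['user']) > 1,
    // which is true for any array with two entries.
    return isset($_SESSION['user']['id']);
}

session_start();
send_no_cache_headers();

if (($_GET['a'] ?? '') === 'logout') {
    logout();
    // Redirect after the state change (Post/Redirect/Get): the page the
    // user lands on is a plain GET, so Back does not replay a POST.
    header('Location: index.php?msg=loggedout', true, 303);
    exit;
}

// Protected-content check, using the helper above.
echo is_authenticated()
    ? "<br>This is protected content, only for authenticated users."
    : "<br>This is general content for everyone.";
```

The login form handler should use the same redirect-after-POST pattern, so that a POST response is never the page the browser restores on Back.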


