
php session_destroy browser remembering username and password

I am using the PHP authentication method for digest authentication as shown in the PHP manual. All is working well except for the logout part.

I am using session_destroy() to try and log my users out, which it does. However, my problem is that if the user goes to log back in before closing the browser, they are not prompted for a username and password and are automatically logged back in with the last username and password they entered.

It seems the credentials are somehow being remembered by the browser. In Firefox, if I manually clear "active logins" in "clear browsing history" before trying to log back in, then I am prompted for the username and password, even though the user has been logged out with session_destroy().

I am also using an example from the PHP manual to clear the cookie, but that doesn't seem to help; it doesn't seem to be a cookie problem.

Here is my logout.php code:

<?php
session_start();
$_SESSION = array();
//destroy cookie if it exists
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
//destroy session
session_destroy();
header("Location: form.php");
exit();
?>

What am I missing? Thanks for any help!


HTTP Auth works slightly differently than authentication with sessions. The only possibility to clear an HTTP Auth session is to change the realm name. Check http://www.php.net/manual/en/features.http-auth.php#100396 (Comment #100396); it's where I found out.

BTW: it's a lot easier to use sessions for authentication; you have a lot more possibilities to store user information, etc., so if there is no particular reason for HTTP Auth you might be better off using sessions.

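An added example of the realm-rotation approach described in the answer above (it is not the asker's code and not the PHP manual's): the Digest realm is stored in the session, so destroying the session on logout changes the realm, and the credentials the browser remembered for the old realm no longer validate, forcing a new prompt. The user store, realm prefix and logout URL are assumptions, and nonces are not tracked.

```php
<?php
// Added example (not the asker's code nor the PHP manual's): HTTP Digest auth
// whose realm lives in the session, so destroying the session on logout rotates
// the realm and the browser's remembered credentials stop matching.
session_start();
// Hypothetical user store; real code keeps md5("user:realm:pass") per realm
// or a proper password hash, never plaintext.
$users = ['alice' => 'correct horse'];
// A fresh random realm whenever the session has none (first visit, or the
// visit right after a logout).
if (empty($_SESSION['realm'])) {
    $_SESSION['realm'] = 'Members ' . bin2hex(random_bytes(4));
}
$realm = $_SESSION['realm'];
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();  // the next request gets a new realm above
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}
// Parse the Digest header into key => value pairs (quoted or bare values).
function parse_digest(string $hdr): array {
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $hdr, $m, PREG_SET_ORDER);
    $out = [];
    foreach ($m as $p) { $out[$p[1]] = $p[2] !== '' ? $p[2] : $p[3]; }
    return $out;
}
// 401 carrying the current realm. Nonces are not tracked here; a real
// deployment should record and expire them to stop replay.
function challenge(string $realm): void {
    http_response_code(401);
    header(sprintf('WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"',
        $realm, bin2hex(random_bytes(16)), md5($realm)));
    exit('Login required');
}
$d = parse_digest($_SERVER['PHP_AUTH_DIGEST'] ?? '');
// Reject anything not issued for the current realm: credentials the browser
// cached for the pre-logout realm fail here, so it prompts again.
if (!isset($d['username'], $d['nonce'], $d['nc'], $d['cnonce'], $d['uri'], $d['response'])
    || ($d['realm'] ?? '') !== $realm || !isset($users[$d['username']])) {
    challenge($realm);
}
$a1 = md5($d['username'] . ':' . $realm . ':' . $users[$d['username']]);
$a2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $d['uri']);
$expected = md5("$a1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$a2");
if (!hash_equals($expected, $d['response'])) {
    challenge($realm);
}
echo 'Logged in as ', htmlspecialchars($d['username']), ' <a href="?logout=1">log out</a>';
```

After following the logout link the browser still sends its cached Authorization header for the old realm, the server rejects it because the realm no longer matches, and the 401 with the new realm makes the browser prompt again.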

session_destroy() won't delete the items stored in the session.
You can unset them manually:

function destroySession() {
    // unset every key held in $_SESSION, then destroy the session itself
    foreach ($_SESSION as $k => $v) {
        unset($_SESSION[$k]);
    }
    session_destroy();
}


You say when they push back, they are logged in again. Are you sure they are not actually logging in again when they push back by resending the login form? In your login function, at the very end, try doing a:

header("location: ".$_SERVER['REQUEST_URI']);

Or adjust to whatever URI they need to go to when they log in. This will prevent the user from resubmitting the form by pushing the back button.
