Session Management in PHP

furious_gamer · 05-03-2009, 03:28 PM

Guys, i was completely running out of idea when it comes to session tracking. I previously do the session management in JSP/Servlet using the database to store the user's session related details,temporarily,say until he logs out.

Now after i moved to PHP, i was so glad to see that the default session handling offered by PHP is so good to consider. But the problem is how to use the default session handling efficiently.
Consider a scenario i come up with :

After the user presses logout, i just unregister the session variable and destroy the session. But when i try to click the back button of the browser, it say "The Page you are trying to view contains POSTDATA that has expired from cache. If you resend the data, any action the form carried out(such as a search or online purchase) will be repeated. To resend the data, click OK. Otherwise , click Cancel".

After i press OK, it then go back to the previous page, which is only viewable to authorized users.

In my program i have three pages . ( A Simple session management program using PHP)
1. login.php
2.welcome.php
3.logout.php

login.php doesnt contain any php code. It simply has two textfields for username and password and a Submit button.

welcome.php

PHP Code:


			
<?
session_start();
$username = $HTTP_POST_VARS["username"];
$password = $HTTP_POST_VARS["password"];
if($username=="somedata" && $password=="someotherdata")
{
echo "Authorized user";
session_register("username");
echo "<a href="logout.php'>Log Out</a>";
}
else
{
echo "Un-authorized user";
echo "<a href="login.php">Go Back</a>";
}
?>

logout.php

PHP Code:


			
<?
session_start();
if(session_is_registered("username"))
{
session_unregister("username");
session_destroy();
}
else
{
echo "Unknown call to this page.";
}
?>

Please let me know whats wrong with my code. I dont want to use database to track the users session. So please try to help me with the default session tracking offered by PHP.

astroutkarsh · 06-03-2009, 01:05 PM

Can you try with No Cache in meta tag on that page? so that data will not be in browser cache.

kapsicum · 06-03-2009, 01:28 PM

firstly i didnt get your problem but the following is as per what i understood ....

if a user clicks browsers back button after he has logged out ,
and if you dont want the action to be repeated you can validate the session variables before performing any actions like search or Online purchase.
if a user has logged out & on clicking of back button the actions wont be performed since the users session has been unregistered.

check the following codes :

welcome.php :

PHP Code:


			
<?php // always make a habit of using <?php instead of <? for starting any php code

session_start(); 



// can also use GET or POST depending on ur Login Form Method, REQUEST can be helpful in both the cases,

// never use GET as Form method for sensitive data like password 

$username = $_REQUEST["username"];

$password = $_REQUEST["password"]; 



if($username == "somedata" && $password == "someotherdata")

{

    echo "Authorized user";



    // the use of session_register() is depreciated since PHP 4.1.0

    // its best to use $_SESSION['variable_name'] 

    $_SESSION["username"] = $username;



    echo '<a href="logout.php?user='.$username.'" >Log Out</a>'; // take care with using single quotes ( ' ) & double quotes ( " )

}

else

{

    echo "Un-authorized user";

    echo "<a href="login.php">Go Back</a>";

}

?>

logout.php :

PHP Code:


			
<?php

session_start();



$username = $_REQUEST["user"]; // can use GET too since the variable is passed in URL



//its better to use isset() instead of session_is_registered() to check if a session is set or not

// also its good to check the value of the particular session variable

if( isset($_SESSION["username"]) && $_SESSION["username"] == $username ) 

{

    //again use unset() instead of session_unregister()

    unset($_SESSION["username"]);

    session_destroy();

}

else

{

    echo "Unknown call to this page.";

}

?>

Note : If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered() and session_unregister().