I just wrote a PHP login script, and what I'm trying to accomplish is that when the user click to the log out link, after they log out, regardless clicking the back button of the browser, they cannot access the page.
我刚刚编写了一个PHP登录脚本,我想要完成的是当用户点击退出链接时,在他们注销后,无论点击浏览器的后退按钮,他们都无法访问该页面。
Here is the logout function:
这是注销功能:
//Start the Session
session_start();
session_destroy();
header("location:login.php");
exit();
I did place the following code on all the pages, and this seems not do the job:
我确实在所有页面上放置了以下代码,这似乎没有完成工作:
header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header ("Pragma: no-cache");
//Start the Session
session_start();
Any suggestions?
8 个解决方案
#1
Check when the user is logged out if the session global is still set with the correct value.
如果会话全局仍设置为正确值,请检查用户何时注销。
print_r($_SESSION);
The reason for this is that you are doing a session_destroy and then a header redirect, what happens is that you force a redirect and the destroying of the session isnt written to the server that way.
这样做的原因是你正在做一个session_destroy,然后是一个头重定向,所发生的是你强制重定向,并且会话的破坏不会以这种方式写入服务器。
#2
You can't control the workings of the client-side back button on the server. You could destroy the history data using javascript on the client.
您无法控制服务器上客户端后退按钮的工作方式。您可以使用客户端上的javascript销毁历史数据。
The client can completely ignore the no-cache headers.
客户端可以完全忽略no-cache标头。
#3
I think you need to store something in the session and then check it on each page load. Here's how I've done it in the past
我认为您需要在会话中存储一些内容,然后在每个页面加载时检查它。这就是我过去的表现
Login Script (simplified)
session_start()
// register necessary session variables
$_SESSION['username'] = $username;
Logout Script:
session_start();
// destroy the session and check to make sure it has been destroyed
session_destroy();
if(!session_is_registered('username')){
$loginMessage = 'You have been logged out.';
include 'index.php';
exit();
}
// if we're still here, some bad juju happened
Top of Every Page
session_start()
// make sure user is logged in
if (!$_SESSION['username']) {
$loginError = "You are not logged in.";
include("index.php");
exit();
}
#4
Just redirect if there's no login $_SESSION, for example:
如果没有登录$ _SESSION,只需重定向,例如:
//on your protected pages
session_start();
if(!$_SESSION['logged']) {
header("location:login.php");
}
This is what my logout does:
这是我的注销:
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
#5
I would suggest that you use HTTPS with SSL. You can close the SSL session and kick the user back out to a non-encrypted page.
我建议你使用HTTPS和SSL。您可以关闭SSL会话并将用户踢回非加密页面。
Most browsers implement caching schemes differently.
大多数浏览器以不同方式实现缓存方
For example, in Opera you can click Back and it will pull the page data directly from memory without sending any data to the server, even in the page has expired. If you hit Refresh, of course, your server would require the login.
例如,在Opera中,您可以单击“返回”,它将直接从内存中提取页面数据,而不会向服务器发送任何数据,即使页面已过期也是如此。如果您点击刷新,当然,您的服务器将需要登录。
In Internet Explorer, it's handled very differently and form data is resubmitted to the server.
在Internet Explorer中,处理方式非常不同,表单数据将重新提交给服务器。
#6
It might be your session_destroy() functions. Try this:
它可能是你的session_destroy()函数。试试这个:
unset($_SESSION);
Un-setting the $_SESSION variable will clear out anything stored here.
取消设置$ _SESSION变量将清除此处存储的任何内容。
Check out unset() on PHP.net
在PHP.net上查看unset()
#7
$_SESSION['blah'] = '';
This works too..
这也有效..
#8
<?
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
header('Location:../index.php');
exit;
} else {
session_destroy();
}
?>
this really helps me .. paste this on every page or in the page where your logout is
这真的帮助我..将其粘贴到每个页面或您注销的页面中
<?php
session_start();
session_unset();
session_destroy();
header("Location:../index.php");
exit;
and as simple as this in destroying your session
在破坏你的会话时这很简单
#1
Check when the user is logged out if the session global is still set with the correct value.
如果会话全局仍设置为正确值,请检查用户何时注销。
print_r($_SESSION);
The reason for this is that you are doing a session_destroy and then a header redirect, what happens is that you force a redirect and the destroying of the session isnt written to the server that way.
这样做的原因是你正在做一个session_destroy,然后是一个头重定向,所发生的是你强制重定向,并且会话的破坏不会以这种方式写入服务器。
#2
You can't control the workings of the client-side back button on the server. You could destroy the history data using javascript on the client.
您无法控制服务器上客户端后退按钮的工作方式。您可以使用客户端上的javascript销毁历史数据。
The client can completely ignore the no-cache headers.
客户端可以完全忽略no-cache标头。
#3
I think you need to store something in the session and then check it on each page load. Here's how I've done it in the past
我认为您需要在会话中存储一些内容,然后在每个页面加载时检查它。这就是我过去的表现
Login Script (simplified)
session_start()
// register necessary session variables
$_SESSION['username'] = $username;
Logout Script:
session_start();
// destroy the session and check to make sure it has been destroyed
session_destroy();
if(!session_is_registered('username')){
$loginMessage = 'You have been logged out.';
include 'index.php';
exit();
}
// if we're still here, some bad juju happened
Top of Every Page
session_start()
// make sure user is logged in
if (!$_SESSION['username']) {
$loginError = "You are not logged in.";
include("index.php");
exit();
}
#4
Just redirect if there's no login $_SESSION, for example:
如果没有登录$ _SESSION,只需重定向,例如:
//on your protected pages
session_start();
if(!$_SESSION['logged']) {
header("location:login.php");
}
This is what my logout does:
这是我的注销:
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
#5
I would suggest that you use HTTPS with SSL. You can close the SSL session and kick the user back out to a non-encrypted page.
我建议你使用HTTPS和SSL。您可以关闭SSL会话并将用户踢回非加密页面。
Most browsers implement caching schemes differently.
大多数浏览器以不同方式实现缓存方
For example, in Opera you can click Back and it will pull the page data directly from memory without sending any data to the server, even in the page has expired. If you hit Refresh, of course, your server would require the login.
例如,在Opera中,您可以单击“返回”,它将直接从内存中提取页面数据,而不会向服务器发送任何数据,即使页面已过期也是如此。如果您点击刷新,当然,您的服务器将需要登录。
In Internet Explorer, it's handled very differently and form data is resubmitted to the server.
在Internet Explorer中,处理方式非常不同,表单数据将重新提交给服务器。
#6
It might be your session_destroy() functions. Try this:
它可能是你的session_destroy()函数。试试这个:
unset($_SESSION);
Un-setting the $_SESSION variable will clear out anything stored here.
取消设置$ _SESSION变量将清除此处存储的任何内容。
Check out unset() on PHP.net
在PHP.net上查看unset()
#7
$_SESSION['blah'] = '';
This works too..
这也有效..
#8
<?
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['password'])) {
header('Location:../index.php');
exit;
} else {
session_destroy();
}
?>
this really helps me .. paste this on every page or in the page where your logout is
这真的帮助我..将其粘贴到每个页面或您注销的页面中
<?php
session_start();
session_unset();
session_destroy();
header("Location:../index.php");
exit;
and as simple as this in destroying your session
在破坏你的会话时这很简单