Wow Miles

You certainly want to kill that session !!

Well done ;-)

Well I must admit I use a similiar tactic for user-leech session cookies:
function sessionKill() {
 global $SYSTEM,$DB;
mysql_query("delete from sys_activity where user_name='".$MEMBER["user_name"]."'",$DB);

I used to do all that seperate unset'ing of session var's, but then learnt it's useless and redundant.

Unset()'ing the session unregisters all attached variables.. hence what I want it to do. The mysql element is a system I use to "track" users logged into site.. Every page that they request on the system will insert a row into a table listing their user_name, page they are on and time they last hit that request.

That way I can display in their profile a list of last viewed pages, and also I can run a timeout "cron" like php job which purges out these "activity" entries after a set period [mine is 10 mins] which removes that entry from the table, that way the table only holds the most recent pages you have visited or been too..

In addition to this, I can also display when the user was last 'active' on the system by using the most recent timestamp in these entries..

As for the logout principle, I actually use that function above, with just a simple few lines in header source as follows:
if(isset($_GET["logout"])) {
 header("Location: http://".$_SERVER["HTTP_HOST"].$SYSTEM["WWW_ROOT";]);
exit(); //Purely a safe-guard, there is no reason the header function wouldn't work, but we don't want them to continue on regardless..

I use a fairly high integration of header and library files to generate content, and there is no non-dynamic page on the site, all of them refer to the headers, and various dozen or more include libraries so therefore they all parse a session.lib.php library that runs that above code and functions for handling, manipulating sessions etc..

Therefore any page you goto on the site regardless of existing GET or POST requests, as soon as a "logout" variable is set in the request URI then my system will pick it up before any further processing [my session handling lib is of course positioned fairly close to the start of the header initialisation as session functions obviously require sending HTTP header statements before content is generated to the HTTP client.] and simply kill the session and redirect them to a front page..

I use this in conjunction with a simple button on the login form [once you are logged in] or even a simple html anchor such as:
[ <A HREF="<?=$_SERVER["PHP_SELF"]?>?logout=1">Logout</A> ]

provides an easy escape. One click they're out..

And as I mentioned above, because the session will be unset all variables freed BEFORE any further processing, the header can continue initialising and when it reaches the content generation and layout formatting it will try accessing the now unset variables and draw up the default layouts [ie login form instead of post-login form, etc]

So smooth and elegant ;-)


---oOo--- Allowing users to execute CGI scripts in any directory should only be considered if: ... a.. You have no users, and nobody ever visits your server. ... Extracted Quote: Security Tips - Apache HTTP Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre [The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494 [EMAIL PROTECTED] ------oOo---------------oOo------ ----- Original Message ----- From: "Miles Thompson" <[EMAIL PROTECTED]>
To: "PHP DB" <>
Sent: Saturday, December 10, 2005 8:44 AM
Subject: Re: [PHP-DB] Ending session

At 05:30 PM 12/9/2005, Ron Piggott (PHP) wrote:
How do you actually end $_session variables so the session actually

I found the session_write_close() command.  I am not sure if this is the
correct command or not.

One prime example I am using is a $_session variable to track which user
account is active.  I want to have a log off button which closes the
session off.



This may be overkill, but on a failed login I did not want the ckval variable hanging around in any form, hence:

        session_unregister( "ckval" );
        unset( $ckval );

Hope this helps - Miles
PHP Database Mailing List (
To unsubscribe, visit:

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to