"Michael A. Peters" <[email protected]> wrote in message
news:[email protected]...
> scubak1w1 wrote:
>> I have a series of web sites which use https:// authentication (using AD
>> integration to 'check the credentials' as it were) - all seems to be
>> working well..
>>
>> I have been Googling et al. for a way to log the user off the site
>> "fully"...
>>
>>
>> I can do a series of things on the server side per Dreamweaver's Server
>> Behaviour / User Authentication | Log Out User, etc - but the client's
>> browser cache (?) still keeps the credentials, and so if they return to
>> the site (say, with their back button) they can get right back in...
>
> Sounds like you are not properly expiring the session.
> The only login credentials that ever should be stored with the client is a
> session id.
>
> Expire the session id - and the session ID in their cookie becomes
> completely meaningless.
OK, I will go back and reread...
My understanding was that SSL aka https was taking care of the credential
checking using, in our case, Active Directory user entries - and that PHP
was just grabbing the UID from that source - for instance, what I do is:
//grab the logged on user, depending on whether they logged on with the
//domain prepended (REMOTE_USER is set by IIS; default to '' if it is absent)
$remote_user = $_SERVER['REMOTE_USER'] ?? '';
if (strpos($remote_user, '\\') !== false)
{
    //the logon has a domain prepended before the 'actual' UID, so split off
    //the (presumed) "[domain]\" portion and essentially discard it.
    //explode() takes a literal separator, so '\\' (one backslash in a
    //single-quoted PHP string) is enough here; the old split() call needed
    //four because it treated the separator as a regex, and split() itself
    //was removed in PHP 7.
    list($logged_on_domain, $logged_on_user) = explode('\\', $remote_user, 2);
}
else
{
    //no domain (assume) prepended, so the whole value is the 'actual' UID
    $logged_on_user = $remote_user;
}
I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when
I return to the secure page the user's browser cache (?) has reset
$_SERVER['REMOTE_USER'] to be their previously logged on user name - so they
are still logged in...
So maybe my "logging off" question is not really PHP-specific? Hmmm....
I will go back and reread various pages (paper and online) with your
suggestion/s as the context - so thank you...
Regards,
GREG...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
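Michael's advice above (keep only a session id with the client, and expire that id to log the user off), turned into a worked PHP example. This is added code, not from the original thread or either poster, and it assumes PHP 7.3 or later, an https:// site where IIS has already populated REMOTE_USER from Active Directory, and a hypothetical ?action= query parameter that selects login, logout or a protected page. The point it shows is the one Greg runs into: the browser keeps replaying HTTP-auth credentials on every request, so REMOTE_USER cannot be "logged off" from PHP, whereas a server-side session that the application issued and then destroyed can.

```php
<?php
// Added example, not code from the original post: a session-based login gate
// along the lines of the advice quoted above. The web server's REMOTE_USER is
// treated as "this request carries a valid AD credential", not as "this user
// is logged in"; the application considers a visitor logged in only while a
// PHP session it issued holds the user name, and "logout" destroys that
// session. The browser will keep replaying the HTTP-auth credentials after
// logout, so REMOTE_USER stays populated, but protected pages never read it.
//
// Assumptions (hypothetical, not from the post): the file is reached over
// https:// on PHP 7.3 or later, and the actions are selected with
// ?action=login|logout|page.

declare(strict_types=1);

session_start([
    'cookie_secure'   => true,   // session cookie only over https://
    'cookie_httponly' => true,   // not readable from script
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,   // reject session ids this server did not issue
]);

// Name from REMOTE_USER with any "DOMAIN\" prefix removed, or null when the
// web server did not authenticate the request at all.
function remoteUserName(): ?string
{
    $raw = $_SERVER['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;
    }
    $pos = strrpos($raw, '\\');               // '\\' is one literal backslash
    return $pos === false ? $raw : substr($raw, $pos + 1);
}

// Explicit login: the only place REMOTE_USER is promoted into an app session.
function login(): void
{
    $user = remoteUserName();
    if ($user === null) {
        http_response_code(401);
        exit('Not authenticated by the web server');
    }
    session_regenerate_id(true);              // drop any pre-login session id
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
}

// Logout: wipe the server-side session and expire the cookie, so that the
// session id still held by the browser is "completely meaningless".
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Guard for protected pages: consults the session only, never REMOTE_USER,
// and tells the browser not to cache the page so Back cannot show it later.
function currentUser(): ?string
{
    header('Cache-Control: no-store');
    return $_SESSION['user'] ?? null;
}

switch ($_GET['action'] ?? 'page') {
    case 'login':
        login();
        header('Location: ?action=page');
        break;
    case 'logout':
        logout();
        echo 'You are logged out. <a href="?action=login">Log in again</a>';
        break;
    default:
        $user = currentUser();
        if ($user === null) {
            http_response_code(403);
            echo 'Not logged in. <a href="?action=login">Log in</a>';
        } else {
            echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
        }
}
```

Two caveats worth knowing. After logout the browser still holds the AD credentials, so clicking "Log in again" succeeds without a password prompt; the gate guarantees only that re-entry requires a deliberate click rather than a Back press, which is as far as an application can go while HTTP authentication is handled by the web server. The Cache-Control: no-store header on protected pages covers the other half of the Back-button problem, the browser showing a stale copy of a page it fetched while the session was still valid.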