Re: [PHP] Logging out of a SSL / https:// site using PHP? (or JS?), Client Side Cache

Tue, 14 Apr 2009 11:05:05 -0700 

""Michael A. Peters"" <mpet...@mac.com> wrote in message 
news:49e41267.5010...@mac.com...
> scubak1w1 wrote:
>> I have a series of web sites which use https:// authentication (using AD 
>> integration to 'check the credentials' as it were) - all seems to be 
>> working well..
>>
>> I have been Googling et al. for a way to log the user off the site 
>> "fully"...
>>
>>
>> I can do a series of things on the server side per Dreamweaver's Server 
>> Behaviour / User Authentication | Log Out User, etc - but the client's 
>> browser cache (?) still keeps the credentials, and so ifthey return to 
>> the site (say, with their back button) they can get right back in...
>
> Sounds like you are not properly expiring the session.
> The only login credentials that ever should be stored with the client is a 
> session id.
>
> Expire the session id - and the session ID in their cookie becomes 
> completely meaningless.

OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential 
checking using, in our case, Active Directory user entries - and that PHP 
was just grabbing the UID from that source - for instance, what I do is:

//grab the logged on user, depending on whether they logged on with the 
domain prepended
  if(substr_count($_SERVER['REMOTE_USER'],"\\") != 0)
   {
    //the logon has a domain prepended before the 'actual' UID
    list($logged_on_domain, $logged_on_user) = split('\\\\', 
$_SERVER['REMOTE_USER']); //grab the logged on user off the IIS server 
variable/s, and split off the (presumed) "[domain]\" portion and essentially 
discard <--NOTE USE OF FOUR(4)backslashes as needs to be *double escaped*
   }
   else
   {
    //no domain (assume) prepended before the back slash, so just the 
'actual' UID
    $logged_on_user = $_SERVER['REMOTE_USER'];
   };

I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when 
I return to the secure page the user's browser cache (?) has reset 
$_SERVER['REMOTE_USER'] to be their previously logged on user name - so they 
are still logged in...

So maybe my "logging off" question is not really PHP-specific? Hmmm....

I will go back and reread various pages (paper and online) with your 
suggestion/s as the context - so thank you...

Regards,
GREG... 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to