[PHP-DB] Ending session

2005-12-09 Thread Ron Piggott (PHP)
How do you actually end $_session variables so the session actually
ends?

I found the session_write_close() command.  I am not sure if this is the
correct command or not.  

One prime example I am using is a $_session variable to track which user
account is active.  I want to have a log off button which closes the
session off.  

Ron

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] Ending session

2005-12-09 Thread Miles Thompson

At 05:30 PM 12/9/2005, Ron Piggott (PHP) wrote:

> How do you actually end $_session variables so the session actually
> ends?
>
> I found the session_write_close() command.  I am not sure if this is the
> correct command or not.
>
> One prime example I am using is a $_session variable to track which user
> account is active.  I want to have a log off button which closes the
> session off.
>
> Ron


Ron,

This may be overkill, but on a failed login I did not want the ckval 
variable hanging around in any form, hence:



session_unregister( "ckval" );
unset($_SESSION["ckval"]);
unset( $ckval );
session_destroy();

Hope this helps - Miles 





Re: [PHP-DB] Ending session

2005-12-09 Thread Julien Bonastre

Wow Miles


You certainly want to kill that session !!

Well done ;-)


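Well I must admit I use a similar tactic for user-leech session cookies:

function sessionKill() {
 // $MEMBER added to the globals: the query below reads it
 global $SYSTEM,$DB,$MEMBER;
 // Remove this user's activity rows; escape the name before it goes into the SQL string
 $user = mysql_real_escape_string($MEMBER["user_name"], $DB);
 mysql_query("delete from sys_activity where user_name='".$user."'", $DB);

 // Clear every variable registered in the current session
 session_unset();
}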


I used to do all that separate unset'ing of session var's, but then learnt 
it's useless and redundant.


Unset()'ing the session unregisters all attached variables.. hence what I 
want it to do.
The mysql element is a system I use to track users logged into site.. 
Every page that they request on the system will insert a row into a table 
listing their user_name, page they are on and time they last hit that 
request.


That way I can display in their profile a list of last viewed pages, and 
also I can run a timeout cron like php job which purges out these 
activity entries after a set period [mine is 10 mins] which removes that 
entry from the table, that way the table only holds the most recent pages 
you have visited or been to..


In addition to this, I can also display when the user was last 'active' on 
the system by using the most recent timestamp in these entries..



As for the logout principle, I actually use that function above, with just a 
simple few lines in header source as follows:

if (isset($_GET["logout"])) {
 sessionKill();
 header("Location: http://".$_SERVER["HTTP_HOST"].$SYSTEM["WWW_ROOT"]);
 // Purely a safe-guard, there is no reason the header function
 // wouldn't work, but we don't want them to continue on regardless..
 exit();
}


I use a fairly high integration of header and library files to generate 
content, and there is no non-dynamic page on the site, all of them refer to 
the headers, and various dozen or more include libraries so therefore they 
all parse a session.lib.php library that runs that above code and functions 
for handling, manipulating sessions etc..


Therefore any page you go to on the site regardless of existing GET or POST 
requests, as soon as a logout variable is set in the request URI then my 
system will pick it up before any further processing [my session handling 
lib is of course positioned fairly close to the start of the header 
initialisation as session functions obviously require sending HTTP header 
statements before content is generated to the HTTP client.] and simply kill 
the session and redirect them to a front page..


I use this in conjunction with a simple button on the login form [once you 
are logged in] or even a simple html anchor such as:

<A HREF="<?=htmlspecialchars($_SERVER["PHP_SELF"])?>?logout=1">Logout</A>

provides an easy escape. One click they're out..

And as I mentioned above, because the session will be unset and all variables 
freed BEFORE any further processing, the header can continue initialising 
and when it reaches the content generation and layout formatting it will try 
accessing the now unset variables and draw up the default layouts [ie login 
form instead of post-login form, etc]


So smooth and elegant ;-)



Enjoy..



---oOo---
Allowing users to execute CGI scripts in any directory should only
be considered if:
...
a.. You have no users, and nobody ever visits your server.
...
Extracted Quote: Security Tips - Apache HTTP Server
---oOo---
--oOo---oOo--
Julien Bonastre [The_RadiX]
The-Spectrum Network CEO
ABN: 64 235 749 494
[EMAIL PROTECTED]
www.the-spectrum.org
--oOo---oOo--

----- Original Message -----
From: Miles Thompson [EMAIL PROTECTED]
To: PHP DB php-db@lists.php.net
Sent: Saturday, December 10, 2005 8:44 AM
Subject: Re: [PHP-DB] Ending session



At 05:30 PM 12/9/2005, Ron Piggott (PHP) wrote:

> How do you actually end $_session variables so the session actually
> ends?
>
> I found the session_write_close() command.  I am not sure if this is the
> correct command or not.
>
> One prime example I am using is a $_session variable to track which user
> account is active.  I want to have a log off button which closes the
> session off.
>
> Ron


Ron,

This may be overkill, but on a failed login I did not want the ckval 
variable hanging around in any form, hence:



session_unregister( "ckval" );
unset($_SESSION["ckval"]);
unset( $ckval );
session_destroy();

Hope this helps - Miles
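
For the question that opens this thread, on current PHP: an added example, not code from any poster, of a stand-alone logout endpoint that clears the session variables, expires the session cookie and destroys the server-side data (session_unregister() no longer exists as of PHP 5.4). The file name logout.php, the LOGIN_PAGE constant and the 'csrf' session key are assumptions.

```php
<?php
// logout.php (hypothetical file name). Added example, not code from the thread.
const LOGIN_PAGE = '/index.php';   // assumed fixed redirect target, not built from the Host header

function endSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();           // attach to the session before destroying it
    }

    $_SESSION = [];                // drop every variable, as session_unset() does

    // Expire the session-id cookie in the browser, reusing the
    // parameters it was originally set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();             // delete the server-side session data
}

function handleLogout(): void
{
    session_start();

    // Logging out changes state, so accept POST only and require the token
    // stored at login under the assumed key 'csrf'.
    $sent  = $_POST['csrf'] ?? '';
    $known = $_SESSION['csrf'] ?? '';
    $valid = is_string($sent) && is_string($known) && $known !== ''
             && hash_equals($known, $sent);

    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$valid) {
        http_response_code(400);
        exit;
    }

    endSession();
    header('Location: ' . LOGIN_PAGE);
    exit;                          // stop before any further output
}

handleLogout();
```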