Posted by Kezepema on 06/30/05 02:52

That must be the answer!

I have only
session_unset();
session_destroy();
without session_start();

Thanks a lot!!
The reason for the second thread, was that my news client (Thunderbird)
raised an exception at the very moment when I sent the first thread. I
could not find the thread afterwards, so I posted it again.

Regards, Kees Epema



Stefan Rybacki wrote:

> Kezepema wrote:
>
>> Hi,
>> On my -dutch- site http://groteboodschap.abc26.nl,
>> <http://groteboodschap.abc26.nl>I'm working with sessions.
>>
>> The php manual points, that whenever I call 'session_unset' and
>> 'session_destroy', all session variables should have been erased.
>> So, I coded these instructions into the login form. Everytime a user
>> clicks the "Login" button, the session_unset and session_destroy
>> commands are executed.
>> The goal of this is to prevent a user entering certain parts of the
>> site without logging in.
>> Therefore I included this code in all pages that are part of the
>> 'authorized' zone:
>>
>> /if(!isset($_SESSION['MySession']))die("<p class='error'>Session
>> terminated.</p> <a href='login.php'>Please log in</a>");/
>>
>> However, when I login, and after that log out, I still can reach the
>> 'forbidden' pages.
>>
>> What am I doing wrong?
>>
>> Thanks, Kees Epema
>>
>>
> First you should post all of the related code.
>
> Your code should look like this at script start:
>
> session_start();
>
> if (!isset($_SESSION['...'])) {
> print("whatever you want");
> exit();
> }
>
> //Here the forbidden page code
>
>
>
>
> and the logout.php should look like this:
>
> session_start();
>
> session_destroy();
>
>
> Do you have this above?
>
> Regards
> Stefan

[Back to original message]