On Sat, Jul 19, 2008 at 3:56 PM, tedd <tedd@xxxxxxxxxxxx> wrote: > Hi gang: > > Nothing like trying to help someone to raise questions for yourself. > > Here's the problem: > > http://webbytedd.com/b1/simple-session/ > > This demo seems to work Okay. The user can't go anywhere unless they enter > 'guest' into the form -- after that, then they can go anywhere they want. > > I do this by simply taking a post variable and if its value is 'guest', I > then set a session variable 'ok' to 1. You can see this in the code, which > is highlighted at the end of each page. > > When the user leaves the script (via the More button in the top left > corner), they are directed back to my main index page which destroys ALL > sessions -- or -- so I thought. > sanity check, are you doing anything w/ $_SESSION['ok'] or the session at all on the webbytedd.com homepage? i dont think $_SESSION['ok'] is being set to 0, nor is the session being destroyed (unless youre doing something w/ it when building your webbytedd.com homepage). > Please follow, if a user goes to: > > http://webbytedd.com/b1/simple-session/ > > enters 'guest' travels the site, leaves, and returns -- they are presented > with another logon page, just like the first time. if i leave and return, im not redirected. i just get the page i ask for. for example, if i authenticate by entering 'guest' at the first page. then close the tab with your site, then open a new window (or tab) and paste in the url to one of the protected pages, like http://www.webbytedd.com/b1/simple-session/index2.php i go right to it, no redirect. because i havent hit any code to destroy the session, or change the value of $_SESSION['ok'] to 0. HOWEVER, if the user clicks any of the other pages (2-4) they are directed > back to the first page AND the ok session is magically set to 1 !!! I have > no idea why the session ok is set to 1. because $_SESSION['ok'] is never set to 0. > You can see that the session array and post array at the top of the page > are clearly both empty. But if the user clicks any of the other links the > session 'ok' is set to 1 !!! Where does that value come from??? > > Apparently, I am not destroying the session, even though I have tried every > example shown in the on-line manual -- and nothing works. with the current auth code i see nothing that would destroy the session (although im sure youve been through other things as you mentioned). but if you want to destroy it, i would do something like, session_unset() and then this bit from the manual (if propagating w/ cookies [which i can see in my browser so i know thats the case in this example]), // If it's desired to kill the session, also delete the session cookie. // Note: This will destroy the session, and not just the session data! if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000, '/'); } and anyway, if youve been putting these different things in the block of code where youre currently setting $_SESSION['ok'] to 0, thats why they arent working. as far as this code in the auth file $ok = isset($_SESSION['ok']) ? $_SESSION['ok'] : 0; $_SESSION['ok'] is always going to be 1 after they authenticate, so the block to set $_SESSION['ok'] to 0 and redirect them will never be hit. if you put something like <?php session_start(); $_SESSION['ok'] = 0; at the top of webbytedd.com, i think it will work the way you expect it to. and then you can remove the statement in the auth file that sets $_SESSION['ok'] to 0, because its only ever going to be hit if the user isnt already authenticated, meaning its not really doing much, but maybe an initialization in the case where it isnt set (eg. first visit to one of the protected pages). -nathan