"Michael A. Peters" <mpeters@xxxxxxx> wrote in message news:49E41267.5010302@xxxxxxxxxx
> scubak1w1 wrote:
>> I have a series of web sites which use https:// authentication (using AD
>> integration to 'check the credentials' as it were) - all seems to be
>> working well..
>>
>> I have been Googling et al. for a way to log the user off the site
>> "fully"...
>>
>>
>> I can do a series of things on the server side per Dreamweaver's Server
>> Behaviour / User Authentication | Log Out User, etc - but the client's
>> browser cache (?) still keeps the credentials, and so if they return to
>> the site (say, with their back button) they can get right back in...
>
> Sounds like you are not properly expiring the session.
> The only login credentials that ever should be stored with the client is a
> session id.
>
> Expire the session id - and the session ID in their cookie becomes
> completely meaningless.

OK, I will go back and reread...

My understanding was that SSL aka https was taking care of the credential checking using, in our case, Active Directory user entries - and that PHP was just grabbing the UID from that source - for instance, what I do is:

    // grab the logged on user, depending on whether they logged on with the domain prepended
    if (substr_count($_SERVER['REMOTE_USER'], "\\") != 0) {
        // the logon has a domain prepended before the 'actual' UID:
        // grab the logged on user off the IIS server variable/s, and split off the
        // (presumed) "[domain]\" portion and essentially discard it.
        // explode() takes a literal delimiter, so the backslash is escaped only once
        // (split(), which needed four backslashes, was removed in PHP 7)
        list($logged_on_domain, $logged_on_user) = explode('\\', $_SERVER['REMOTE_USER']);
    } else {
        // no domain (assume) prepended before the back slash, so just the 'actual' UID
        $logged_on_user = $_SERVER['REMOTE_USER'];
    }

I can set $_SERVER['REMOTE_USER'] = 'baddomain\baduser' of course - but when I return to the secure page the user's browser cache (?) has reset $_SERVER['REMOTE_USER'] to be their previously logged on user name - so they are still logged in...

So maybe my "logging off" question is not really PHP-specific? Hmmm....

I will go back and reread various pages (paper and online) with your suggestion/s as the context - so thank you...

Regards,
GREG...
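
The approach suggested in the quoted reply, as an added example that is not part of the original thread: an application session layered over the server-supplied REMOTE_USER, so that being logged in depends on a session the server can expire rather than on the credentials the browser keeps re-sending. The function names, the 'uid' session key and /login.php are assumptions.

```php
<?php
// Added example. Function names, the 'uid' key and /login.php are hypothetical.

// Split "DOMAIN\user" into [domain, user]; a bare "user" yields ['', user].
function split_remote_user(string $remoteUser): array
{
    $parts = explode('\\', $remoteUser, 2);
    return count($parts) === 2 ? $parts : ['', $parts[0]];
}

// Called only from the explicit "log in" action, never automatically.
function app_login(): void
{
    session_start();
    session_regenerate_id(true);             // fresh session id for this login
    [, $user] = split_remote_user($_SERVER['REMOTE_USER'] ?? '');
    $_SESSION['uid'] = $user;
}

// Called at the top of every protected page.
function require_app_session(): string
{
    session_start();
    header('Cache-Control: no-store');       // keep the back button from showing a cached copy
    if (empty($_SESSION['uid'])) {
        // REMOTE_USER may still be populated on this request, because the web
        // server fills it in from the credentials the browser re-sends.
        // Without a live session it is not treated as a login.
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['uid'];
}

// Log out: empty the session, expire its cookie, destroy the server-side data.
function app_logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The log-in step has to be an explicit user action: if the login page calls app_login() on every visit, the back button logs the user straight back in.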