----- Original Message -----
From: "Sourabh G" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 13, 2003 11:15 AM
Subject: [PHP] Session Problem


> Hi,
>
> I am getting a weird session problem in my site.
>
> Background of the Problem:
> --------------------------
> My site uses sessions for user authentication. The site has an Admin Panel
> where the admin can search users and then, through a link (which has login
> and password appended), log in as a user.
>
> On login as user, the session vars change to the new user's vars, like user
> id etc. So, if someone tries to access anything on the admin panel, they get
> an error, and it is quite evident why that happens. The login user is not an
> admin any more, it's a normal user with no privilege.
>
> I came to the conclusion that if I spawn a new browser window it takes the
> old session. After trying for hours, I was able to solve this. I started a
> new session when I log in as user by setting the session name and storing
> the other vars. This way I can start the session as needed.
>
> After solving this problem I thought I was done. But something really weird
> popped up. The links on the page, like "My Account" and "Change Password",
> go to admin when I click them. It looks like on clicking the link, the old
> admin session becomes active and shows the page as an admin. I have no idea
> why that is happening. I have searched Google but no result.
>
> Is it a browser issue, or a PHP issue, or am I doing something wrong?
>
>
> * I have compiled PHP with trans-sid option.
> ** I store session in my sql database. I can see the user session active.
>
> Ideal Solution:-)
> ------------------
>
> When I search the user and log in as user, both admin and user sessions
> remain alive and I can work on both windows seamlessly.
>
> Can anyone point me in the right direction?
>
> Thanks


This is a problem that many of us have had to deal with: Session IDs
caching and revalidating when the back button is used or a page is
revisited.  The solution is simple.  Don't just destroy the Session, also
write over all variables within the session like this:

// Overwrite every variable stored in the current session with an empty string
foreach($_SESSION as $key => $val)
{
    $_SESSION[$key] = '';
}

The next time session_start() is called the session file will be emptied.
This will ensure that if you click the back button and the Session ID has
been cached the session file no longer contains any useful data and there is
no possibility that your Login script will revalidate the user.

Quite frankly I wouldn't even bother using session_destroy().  It doesn't
seem to do anything useful.

Good luck,
Kevin



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
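
An added example, not part of either message above: a logout routine that does the overwrite described in the reply and also expires the session cookie and removes the server-side record, with an ID rotation on login so that an old, cached session ID no longer maps to any data. The function names and the `user_id` key are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Function names and the 'user_id'
// session key are hypothetical.

// Keep the session ID out of URLs so it is not stored in links or history.
// These settings must be applied before session_start().
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

// Call after the credentials have been verified.
function begin_authenticated_session(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh ID and delete the old record, so an ID that was
    // cached or bookmarked before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Call from the logout handler.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the session data, as in the reply's foreach loop.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side record. With a custom save handler
    //    (for example a database), this invokes its destroy callback.
    session_destroy();
}
```

A login script that checks only for the presence of `$_SESSION['user_id']` will then find nothing to revalidate when a page is revisited with the old ID.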
