Session expiring right after action

So I just recently experienced this.

I have a secure area where admin logs in.

I was calling the delete method on a user account and after the delete the session expired and I was logged out.

Now usually this wouldn't be a big deal, but I started thinking: what if I had a redirect that sent me to another page or method? For example, a multiple-page form.

Any words of wisdom?

How to stop this?

I'm not exactly clear on what you are trying to stop. But if I understand you correctly, you deleted another user by calling a delete method in your controller and you were logged out?

Question: Does the delete method call $this->session->sess_destroy() by chance?

Sorry for not being 100% clear.

What happened is, I called a method which just happened to be a delete user method.

Upon clicking the link, the system logged me out (session I guess had expired) but the delete was still executed. You need to be logged in to do anything, so I'm not sure why that happened.

After this happened I was like WTF, so I copied and pasted a link to the method with another user id while not logged in, and it did not execute. This is how it should work, so my issue is why did the previous delete work. Was I not logged out till the method was called? Was this just a rare 1 in a million chance where everything happened?

Ah, I understand now. I wrote a post a while back that explains this if you want to search.

In a nutshell...

If you have session checking code that redirects using a header only, you simply output a header. That does nothing to stop the rest of the code below it from executing. You must either exit(), die(), or in the case of a method call return. In many cases this is as easy as putting the return/exit/die code in the method you use to check if the user is still logged in.
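
The behaviour described in the reply above, as an added example that is not part of the original posts: plain PHP in which a login guard that only sends a `Location` header lets the delete run, next to the version that returns. The function names, the `admin_id` session key and the sample user array are hypothetical, constructed for illustration.

```php
<?php
// Constructed sample data: a stand-in for the users table and an expired session.
$users   = [7 => 'alice', 8 => 'bob'];
$session = [];   // no admin_id: the admin's session has expired

// Hypothetical helper: queues a redirect header and nothing more.
// header() does not stop the script; execution continues in the caller.
function redirect_to_login(): void
{
    if (!headers_sent()) {
        header('Location: /login');
    }
}

// BEFORE: the guard redirects, but the method carries on to the delete.
function delete_user_broken(array $session, array &$users, int $id): string
{
    if (empty($session['admin_id'])) {
        redirect_to_login();
    }
    unset($users[$id]);          // still reached by a logged-out request
    return 'deleted';
}

// AFTER: the method returns (or calls exit) as soon as the guard fails.
function delete_user_fixed(array $session, array &$users, int $id): string
{
    if (empty($session['admin_id'])) {
        redirect_to_login();
        return 'redirected';     // in a real request, exit; works as well
    }
    unset($users[$id]);
    return 'deleted';
}

$r1 = delete_user_broken($session, $users, 7);
$r2 = delete_user_fixed($session, $users, 8);

echo $r1, ': user 7 ', isset($users[7]) ? 'still present' : 'removed', "\n";
echo $r2, ': user 8 ', isset($users[8]) ? 'still present' : 'removed', "\n";
```

Running it with the PHP CLI shows whether each user survived a request made with no session; the browser would follow the redirect in both cases, so the two look identical from the admin's side.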


I'll try to find your post, and yes, that would explain it 100%.
