IE browser not terminating session even after logging out?
#1

[eluser]novice32[/eluser]
I have a CI application with multiple login accounts.

Whenever I log in as USER1 and log out, and then log in as USER2, my USER1 session appears instead. However, it works correctly if, after logging out as USER1, I close the browser and log in again as USER2.

Is this expected behavior with IE 8 (and in compatibility mode)? As expected, Firefox and Chrome work as expected.

I store user session information in the database.

Please advise

Novice32
#2

[eluser]ThijssjihT[/eluser]
Overwrite the data in the session: set username etc. to '' when hitting the logout button. After that: $this->session->sess_destroy();

If you can't destroy the session, it isn't a solution, but it should be a temporary 'avoid-the-problem'.
#3

[eluser]novice32[/eluser]
I believe I am performing what you suggested:
Code:
function Logout() {
    $this->session->unset_userdata('UserName');
    $this->session->sess_destroy();
    redirect('user/login');
}

Please let me know if you have any other suggestions.
#4

[eluser]WanWizard[/eluser]
Are you using cookies or the database backend for your sessions?
#5

[eluser]novice32[/eluser]
I'm storing session info in the database.
#6

[eluser]WanWizard[/eluser]
In that case a sess_destroy() removes the session record from the database, so that particular session can't be reloaded.

Can you do a var_dump($this->session->userdata) somewhere after loading the session library, and see what happens with the session_id and the other session variables when you login as USER1, logout, and login as USER2?
#7

[eluser]novice32[/eluser]
I'm totally baffled. I tried vardump, which shows inconsistency in user2's session. I'm not sure what next to try. Here are the detailed steps:


Access user/login page:
ci_session table: '4e9c74ee3d328be6592514a983a56851', '0.0.0.0', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;', '1274041069', ''

After successful login (user1):
ci_session table: '4e9c74ee3d328be6592514a983a56851', '0.0.0.0', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;', '1274041069', 'a:1:{s:8:"UserName";s:16:"[email protected]";}'

var_dump($this->session->userdata):
{
["session_id"]=>
string(32) "4e9c74ee3d328be6592514a983a56851"
["ip_address"]=>
string(7) "0.0.0.0"
["user_agent"]=>
string(50) "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;"
["last_activity"]=>
string(10) "1274041069"
["UserName"]=>
string(16) "[email protected]"
}



USER1 LOGOUT (which returns to user/login page):
ci_session table => empty


After successful login (user2):
ci_session table:
'f6602c15b2d391315800f948fbaf2116', '0.0.0.0', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;', '1274041383', 'a:1:{s:8:"UserName";s:19:"[email protected]";}'

var_dump($this->session->userdata):
{
["session_id"]=>
string(32) "4e9c74ee3d328be6592514a983a56851"
["ip_address"]=>
string(7) "0.0.0.0"
["user_agent"]=>
string(50) "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;"
["last_activity"]=>
string(10) "1274041069"
["UserName"]=>
string(16) "[email protected]"
}
#8

[eluser]1mr3yn[/eluser]
http://ellislab.com/codeigniter/user-gui...sions.html
#9

[eluser]WanWizard[/eluser]
Care to elaborate how a link to the manual is helping here?

@novice32:

You are doing a redirect, are you?
Because the session library contains an inconsistency: it reads the session record once, when you load the session. If in a single page request you destroy the session and create a new one, userdata will still contain the old values. The same goes for destroy: you would expect the userdata to be gone after a destroy, but it isn't.
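
The inconsistency described in post #9, as an added example that is not part of the original thread and not CodeIgniter's source: a simplified stand-alone PHP model of a session object that reads its record once, at load time. The class name ModelSession, the array standing in for the ci_session table, and the sample session id and user name are all constructed for illustration.

```php
<?php
// Simplified model, constructed for illustration (not CodeIgniter source).
class ModelSession
{
    public $userdata = array();  // snapshot of the record, taken at load time
    private $table;              // stands in for the ci_session table
    private $cookie;             // stands in for the browser's session cookie

    public function __construct(array &$table, &$cookie)
    {
        $this->table  = &$table;
        $this->cookie = &$cookie;
        // The record is read exactly once, here.
        if ($cookie !== null && isset($table[$cookie])) {
            $this->userdata = $table[$cookie];
            $this->userdata['session_id'] = $cookie;
        }
    }

    public function sess_destroy()
    {
        unset($this->table[$this->cookie]);  // database row removed
        $this->cookie = null;                // cookie expired
        // $this->userdata is not cleared: this is the inconsistency.
    }

    public function userdata($key)
    {
        return isset($this->userdata[$key]) ? $this->userdata[$key] : false;
    }
}

// Constructed sample state: one logged-in session.
$table  = array('sid-1' => array('UserName' => 'user1@example.test'));
$cookie = 'sid-1';

// Request 1: the logout action destroys the session, then reads from it.
$logout = new ModelSession($table, $cookie);
$logout->sess_destroy();
echo "rows left in table: ", count($table), "\n";
echo "same request sees:  ", var_export($logout->userdata('UserName'), true), "\n";

// Request 2: the page reached by the redirect loads the session afresh.
$next = new ModelSession($table, $cookie);
echo "next request sees:  ", var_export($next->userdata('UserName'), true), "\n";
```

Run it with the PHP CLI and compare the last two lines of output: in this model the logged-out state is only visible to a request that loads the session after the destroy.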
#10

[eluser]novice32[/eluser]
WanWizard, thanks for helping me on this. I'm new to CI, so hopefully I'm not missing something totally.

At the time of logout, I don't create another "database session" record (with UserName value) unless the user logs in again. Also, as mentioned in my original thread, this doesn't happen in Firefox and Chrome, only IE. I assume it's browser specific.

Should I be loading a view instead of redirecting?

Here's my code:
Code:
/*** User controller *****/

function Logout() {
    $this->session->unset_userdata('UserName');
    $this->session->sess_destroy();
    redirect('user/login');
}

function login() {
    // if user is logged in, redirect to application
    if ($this->_UserLoggedIn()) {
        redirect('secure/myapp');
    }

    $this->form_validation->set_rules('email', 'Email Address', 'required|valid_email');
    $this->form_validation->set_rules('password', 'Password', 'required');
    $this->form_validation->set_rules('email', 'email', 'callback__login_valid');
    $this->form_validation->set_error_delimiters('<p class="error">', '</p>');

    if ($this->form_validation->run() == false) {
        $data['UserName'] = $this->session->userdata('UserName');
        $data['content'] = $this->load->view('login', null, true);
        $this->load->view('template', $data);
    }
    else {
        // if we get here, login_valid is true (from set_rules) or returned true
        $email    = $this->input->post('email');
        $password = $this->input->post('password');

        // .....

        $this->session->set_userdata('UserName', $email);
        redirect('secure/myapp');
    }
}

/***** Secure controller *****/

public function myapp() {
    if ($this->logged_in()) {
        $this->load->view('myapp');
    }
    else {
        redirect('user/login');
    }
}

public function logged_in() {
    return ($this->session->userdata('UserName')) ? true : false;
}



