Destroyed session data reappearing after redirect
#1

[eluser]Andy Ingham[/eluser]
Hi All,

I have a problem whereby a deleted session is reappearing after a redirect (to a completely different domain) has taken place.

I'm using CI sessions, stored on a database. After inserting numerous debug statements I've identified the problem as follows:

1. When the user logs out it's calling the following controller function:

Code:
function index() {
    $this->User_m->logout();
    redirect('/login');
}

...the User_m model function being as follows:

Code:
function logout() {
    // Blank out the cached user properties held on the model.
    $this->user_id = $this->displayname = $this->shipZone = $this->fullname = $this->telephone = $this->username
        = $this->address_line_1 = $this->address_line_2 = $this->city = $this->county = $this->postcode
        = $this->country = $this->distributor_id = $this->level = '';
    // Empty the in-memory session data, then destroy the stored session.
    $this->session->userdata = array();
    $this->session->sess_destroy();
    return;
}

2. The above code is working fine and the user is redirected to the main 'login' controller. This also works fine, but there is some processing in the login processing which identifies that the user actually needs to login using a 'master' system, and does a redirect to this (which is on a completely different domain).

3. The redirect itself works fine, but I've noticed that when the redirect executes the previous session details 'reappear' (albeit under a different session id).

4. This is a security problem as the user can then type in the URL of the home page and can get straight back into the system without having to login again.

Absolutely baffled by this and any help much appreciated.

Andy
#2

[eluser]InsiteFX[/eluser]
Try this:
Code:
redirect('/login', 'refresh');

InsiteFX
#3

[eluser]Andy Ingham[/eluser]
Many thanks for the response InsiteFX. I thought I'd replied on Friday, but mustn't have actually hit the button!

Unfortunately the 'refresh' option didn't help. I tried it on the '/login' redirect and also on the redirect to the 'master system' login, which is the one actually causing the problem.

Any further ideas greatly appreciated....
#4

[eluser]Andy Ingham[/eluser]
Update: It looks as though this behaviour is dependent on which URL I redirect to: if I redirect to a completely different URL (e.g. Guardian website!) then I don't see this behaviour, so I'm now going to discuss with the architect of the 'master system' that I'm redirecting to.
#5

[eluser]Andy Ingham[/eluser]
In the end I found out that the 'master system' that was being called automatically re-logged in, so a new session is actually being created rather than the destroyed session re-appearing!

This is all part of an SSO (single-sign-on) mechanism.

Apologies for this being a bit of a non-issue.
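
The outcome reached in post #5, as an added example that is not part of the thread and is not the poster's or CodeIgniter's code: a plain-PHP model showing that the destroyed session stays gone while the master system's surviving login creates a new session under a new id, and that ending the master login as well stops this. All class and method names are hypothetical, and the user and browser values are constructed.

```php
<?php
// Constructed in-memory model; every class, method and value here is hypothetical.
class MasterSystem {                       // stands in for the SSO 'master system'
    private $loggedIn = [];                // browser => username (the master's own login state)
    public function login($browser, $user) { $this->loggedIn[$browser] = $user; }
    public function logout($browser)       { unset($this->loggedIn[$browser]); }
    // Username if the master still holds a login for this browser, null if it would ask for credentials.
    public function whoIs($browser)        { return $this->loggedIn[$browser] ?? null; }
}

class LocalApp {                           // stands in for the local application
    public $sessions = [];                 // session_id => user data (the session table)
    private $master;
    public function __construct(MasterSystem $m) { $this->master = $m; }
    public function destroy($id) { unset($this->sessions[$id]); }
    // The '/login' step: hand off to the master, then create a local session if it vouches for a user.
    public function loginViaMaster($browser) {
        $user = $this->master->whoIs($browser);
        if ($user === null) { return null; }          // no master login: the user must sign in
        $id = bin2hex(random_bytes(16));              // always a fresh session id
        $this->sessions[$id] = ['username' => $user];
        return $id;
    }
}

function demo() {
    $master = new MasterSystem();
    $app    = new LocalApp($master);
    $master->login('browser-1', 'andy');
    $old = $app->loginViaMaster('browser-1');

    // Case 1: local logout only, then the redirect to the master system.
    $app->destroy($old);
    $new = $app->loginViaMaster('browser-1');
    $oldGone       = !isset($app->sessions[$old]);    // the destroyed session did not come back
    $silentRelogin = ($new !== null && $new !== $old); // same user data under a different id

    // Case 2: local logout plus ending the master login.
    $app->destroy($new);
    $master->logout('browser-1');
    $afterFullLogout = $app->loginViaMaster('browser-1'); // no session is created

    return [$oldGone, $silentRelogin, $afterFullLogout];
}

var_dump(demo());
```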



