Hi,

I have one of those questions that can either be extremely complicated or extremely easy, depending on the approach. To start off, I am creating a feature on my website that requires the user to create an account and login to access it. Once the user is logged in, they stay logged in because a cookie is saved, which tells the site to display different things and give them access to their account based on the cookie's information. Like most websites that have you create an account, there are two main pages: the main log in and sign up page, and in this case the "song manager," which is the page that can only be accessed after the user logs in. Right now, the user is able to log in and log out perfectly fine by just creating a cookie and then deleting it, but the problem is that, after the user logs out, they are still able to access their account on the "song manager" page if they just go to the URL of that page, which is a BIG no no. But once I hit the refresh button, it correctly locks me out, so it is obviously a cache problem. In an attempt to fix it, I have already tried a couple of approaches.

First approach:



This fixes the main problem, however, in the "song manager" I have buttons that process a form through another php page, which then includes the "song manager" page through a code like:



The problem there is that, when I submit a form from the "song manager" page to the processing page, it submits successfully, but I also get errors that say:

Warning: Cannot add header information - headers already sent by (output started at /www/cgi/testchange.php:76) in /www/cgi/songmanager.php on line 6

I know this is because the "song manager" page is trying to add headers within testchange.php, but it can't, so I can't go with the "header(..."


Second approach:

Since the error was corrected when I hit the refresh button, I also tried making the page refresh once automatically when the page loaded. It's not exactly the smoothest way to handle it, but it was worth a try. My code looked something like this:



That was basically the method I used to refresh, but even with this method, it still came down to a cache problem.

So, to make a long story short, is there a way to clear the cache without using the php "header" in order to avoid the errors when the page is included in another page? If not, is there any way to fix this problem so that it actually keeps you out of the "song manager" when you log out?

Perhaps another method that I haven't tried is generating a random number and passing it through the URL every time the page is loaded to trick the computer into thinking it's a different page, but I'm afraid that people will be able to go back and load the page with a previous random number value, which will load the saved cache and mess it all up!


Thanks for any help.

Ok, I know I posted this just recently, but I just tried something that seems to work. If I use ajax in place of all the include() functions in my pages that include the main "song manager" page, I don't get the errors when I clear the cache through the PHP headers in all the pages because ajax is not calling the page through PHP. It seems to work fine so far, but does anyone know if there are any conflicts between PHP and ajax that I should know about?

As far as I know, there's no conflicts.

The 'headers already sent' message can be averted if you use buffer functions such as with ob_start and ob_end_flush.

I'm not sure how you implement your login system, but a cache problem is kind of rare. It's usually something with the code. Make sure the logout page redirects somewhere like the login page. Also be sure to double check the authentication code for your private pages. If you can still change settings and whatnot, it's most probably a code problem.

See if you can get a cookie viewer such as some offered by Firefox to see if the cookies are being deleted properly. As well, it might be preferable to look into using sessions if you don't use them already, since cookies by themselves don't offer as much security.

Since I started using ajax, the cache problem seems to stay away, so I think I'll stick with it for now, but I will probably research buffer functions a little more. As for using sessions, I started experimenting with them but had a difficult time figuring out how to control them. Can I have sessions remember a user for a specified amount of time like a cookie? And will the user still be remembered if they restart their computer? I also read that sessions are saved until the user closes his or her browser window, but this did not work for me when I tried it. What can I do or not do with a session, in comparison with a cookie?

To do this with sessions is fairly simple. First you create a page (mine is called login_check.php)



Then your login page (yours will be more extravagant than this, I just created a simple, fast one)



Then just add this to every page that must be secured



To end a session you can do it one of 2 ways (shown below)



Just use one of the above samples for ending a session when the user clicks the logout link.

Hope this helps

Happy Coding!

This post has been edited by PsychoCoder: 5 Aug, 2007 - 12:02 AM

Yes, that helps a lot. Thanks. It looks a little different from what I'm used to, but now at least I have something to work with

You shouldn't supply code until the they've shown some effort in the area of their question.

You can read all about sessions at php.net/sessions and related pages on google

You can also read about changing settings like cookie lifetime at php.net/session_set_cookie_params

This post has been edited by Styx: 11 Aug, 2007 - 10:40 AM

Actually if you look at his first post in this thread he did supply some code, and explained very well what his problem was and what he had attempted in order to fix his issue. I merely pushed him in the right direction.

Had I felt he was just looking for a quick answer, and hadn't done anything to research and solve the problem I wouldn't have supplied any code

P.S: I know the rules of the forum

This post has been edited by PsychoCoder: 11 Aug, 2007 - 10:44 AM

He didn't supply code concerning sessions though. You went ahead and wrote most of that for him.

I chose to do it to show him an alternative way of doing something. He didn't ask for code in his post, in fact my suggestion was completely different than what he was trying (he was trying cookies and I showed him that working with sessions was probably better for what he wanted).

He was looking for help with a specific error he was receiving in his attempt to use cookies, I felt it necessary to show him what I felt was a better way to do things. Its called giving back to the programming community, its called giving back what was freely given to me when I started programming, and I personally don't have or see a problem with that

P.S: Your concerns and suggestions have been noted

A simple link to the php.net sessions page or a tutorial would have been sufficient rather than holding his hand and taking him through the thing.

But nevermind, it's not something worth arguing over