I am currently setting up a website using a pay-wall type backend that you log into with Microsoft accounts. Currently, I am using PHP sessions to capture and track valid requests.
I have managed to completely destroy all session data saved on the server as well as rename and blank the session cookies (See code below). Unfortunately, this is not enough it seems. I can still access the page by passing the old session ID through GET variable and I can still load the page. I suspect it is a cached version. I have tried adding in php headders to prevent this but its still loading!
Log out code:
<?php
if ($_POST) {
session_start($_POST["SID"]);
$_SESSION[] = array();
setcookie( session_name(), "", time()-3600, "/" );
session_destroy();
session_write_close();
echo("Session ".$_POST["SID"]." has been destroyed");
}
?>
Header code:
<?php
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
?>
I was expecting to be able to hit the log out button and if I tried to manually access the page by supplying the old session id by GET command, I should have been bounced by the page. Is there any way to get around this? Maybe force the page to re-query the server (if I can just get it to ping the server again I believe my php should bounce the request? I say that with some hesitance hahaha)
EDIT:
Ok, so after a whole lot of debugging, I have narrowed the problem down too my $_SESSION["IS_AUTHORIZED"] variable? This shouldn't be possible but somehow, the standalone PHP script I wrote to destroy a session when the user logs out, can run the same session_id(), but somehow cannot access any of the session variables?! if I var_dump($_SESSION["IS_AUTHORIZED"]), it spits out NULL, whereas on all the other pages, it spits out the Boolean 0 or 1?!?!?! I am very confused... I guess this is why I cant properly remove the session?
Code:
<?php
if ($_POST) {
session_id($_POST["SID"]);
echo(session_id()); //comes out as same as session origin page
session_start();
echo("|||"); //to make payoad easier to read lol
echo($_SESSION["IS_AUTHORIZED"]); //nothing... and var_dump() is NULL?
?>
EDIT 2:
Oh lord. So now after some tinkering the stand-alone PHP script works and links up to the correct session_id() and I can do the whole session_destroy(), $_SESSION = array(); bit to clear the session info. Small problem though, if I refresh the HTML page with the session_id() as a GET variable, it still loads the page? Even says the `$_SESSION["IS_AUTHORIZED"] variable I supposedly just cleared in my stand-alone script is now back and reverted to before I cleared it? That literally defeats the entire point of using sessions? help please! ( I HATE php sessions so far oh my soul!)
