Phong

Reputation: 85

How to delete a session that stores the HTTP_USER_AGENT

In order to increase security for logged-in users, after session_start() and assigning the other session variables, I also try to store the HTTP_USER_AGENT value, using $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']); in the login.php page.

Besides, in the login.php page, I redirect logged-in users to the home page if they try to visit it again without logging out first, using a conditional like this:

if (isset($_SESSION['agent']) OR ($_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']) ) ) {

//redirect to home page
header('location:http://index.php.com');
exit();
} 

The question is that in my logout.php page I coded the conditional like this:

if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT']) ) ) {

//Redirect to home page

}else{
$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-3600); // Destroy the cookie.
}

Then, when I went back to the login.php page as a logged-in user (the session had been set), it still redirected me to the home page.

Then I tried deleting the cookies in Firefox, closing it and revisiting the login.php page; it still redirected me.

Do you know what I did wrong or what I am missing?

NOTE: I have no problem destroying the session if I don't store the HTTP_USER_AGENT.

Upvotes: 0

Views: 717

Answers (1)

Firewizz

Reputation: 813

You have an assignment where you want a comparison.

Change:

if (isset($_SESSION['agent']) OR ($_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']) ) ) {

to

if (isset($_SESSION['agent']) OR ($_SESSION['agent'] == md5($_SERVER['HTTP_USER_AGENT']) ) ) {

Off-topic security tip (maybe helpful):

public function Start_Secure_Session()
{
    // Forces sessions to only use cookies.
    ini_set('session.use_only_cookies', 1);

    // Gets current cookies params
    $cookieParams = session_get_cookie_params();

    // Set Cookie Params
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $this->isHTTPS, $this->deny_java_session_id);
    // Sets the session name
    session_name($this->session_name);

    // Start the php session
    session_start();

    // If new session or expired, generate new id
    if (!isset($_SESSION['new_session']))
    {
        $_SESSION['new_session'] = "true";

        // regenerate the session, delete the old one.
        session_regenerate_id(true);
    }
}

Upvotes: 1
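The following is an added example, not code from the question or the answer. It puts the pieces discussed above into one helper file that login.php and logout.php can share: a hardened session start (the answer's tip, written with the PHP 7.3+ array form of session_set_cookie_params), a user-agent fingerprint stored at login, a check that uses a comparison rather than an assignment, and a logout that actually clears the server-side session and the cookie. The function names and the 'user_id' and 'agent' session keys are assumptions made for the illustration; the page's own code uses md5, which is swapped here for SHA-256 and a constant-time comparison.

```php
<?php
// Added example (not the question's or the answer's code). Function names and
// the 'user_id' / 'agent' session keys are assumptions for illustration.

declare(strict_types=1);

// Start the session with hardened cookie flags. $isHttps and $sessionName are
// assumed configuration values supplied by the caller.
function startSecureSession(bool $isHttps, string $sessionName = 'APPSESSID'): void
{
    ini_set('session.use_only_cookies', '1'); // ignore session ids passed in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

    $p = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $p['lifetime'],
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $isHttps,   // only send the cookie over TLS
        'httponly' => true,       // keep the cookie away from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name($sessionName);
    session_start();
}

// Fingerprint of the client: a fixed-length hash of the User-Agent header.
function agentFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called by login.php once the credentials have been verified.
function establishLogin(int $userId): void
{
    session_regenerate_id(true);        // fresh id after the privilege change
    $_SESSION['user_id'] = $userId;
    $_SESSION['agent']   = agentFingerprint();
}

// True only when a session exists AND it was created by a client sending the
// same User-Agent. The question's condition used OR and a single '=', which
// assigned the hash instead of comparing it and therefore was always true.
function isLoggedIn(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['agent'])) {
        return false;
    }
    return hash_equals($_SESSION['agent'], agentFingerprint());
}

// Called by logout.php: empties the session array, expires the cookie so the
// browser stops presenting the old id, then removes the server-side data.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}
```

In login.php the redirect becomes `startSecureSession(isset($_SERVER['HTTPS'])); if (isLoggedIn()) { header('Location: /index.php'); exit; }`, and logout.php calls `destroySession()` in the branch where `isLoggedIn()` is true and redirects otherwise. Because `isLoggedIn()` returns false both when the session keys are absent and when the fingerprint differs, the two pages no longer need separate, easily mistyped conditions.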
