LinuxQuestions.org
Old 08-25-2003, 11:55 PM   #1
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Rep: Reputation: 15
Question Problem with php sessions


Hi all,
Well, I'm facing a problem with sessions in PHP.
I'm developing a PHP-based MTP, for which I require session info to be passed between different PHP files.
My first problem is related to security: when I create a session, my session info is kept in a file in /tmp and is accessible by root. I want to restrict root from accessing this info, as it contains some secured information.

My second problem is that when I log out of my service, a logout script is called that will unregister variables and destroy sessions, but when I click the back button in my browser, the browser displays the previous page, i.e. a page which can only be accessed by an authorized user.

I will appreciate your help.
Thanks in advance.
 
Old 08-26-2003, 12:49 AM   #2
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
First of all, you can choose where your session file is saved; check the php.ini file for the session path variable. You can then restrict access to the folder you choose to save your sessions in.

Second question: on the 'secured' page, you could always check if a certain session variable is present and if it isn't, redirect the user to a different page.
 
Old 08-26-2003, 01:07 AM   #3
Sliptwixt
LQ Newbie
 
Registered: Aug 2003
Posts: 8

Rep: Reputation: 0
Hi -
For your first problem, I'd say move that session directory to somewhere other than just /tmp, like somewhere just outside your document root. (Edit your php.ini file as mentioned above.) Root owns, you can't prevent root from doing anything, so locking down a file from him isn't possible (without something like a pbmaster type of root-management system, I'm not sure). You can, however, lock out just about anyone else, so set permissions on the directory you're writing them to. Just make sure whatever user Apache is running as for your site has permissions.

For the second problem, take a look at 'no-cache headers'.
In PHP, I believe: header("Pragma: no-cache");
That'll tell the browser (and proxies) not to cache your data. You can force a refresh of the secure page right after the logout, forcing the browser to re-request from the server. The server will deliver a new version of that page (the 'I'm logged out' version), rewriting its cache.

I don't claim these are the only solutions, nor that they are note-perfect. Search for 'no-cache header' on Google and read up.
Hope that helps.



Last edited by Sliptwixt; 08-26-2003 at 01:17 AM.
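An added example, not part of the thread: one way to check that a session directory follows the advice above (outside the document root, not the shared temp directory, accessible only to the account PHP runs as). The function name `audit_session_dir` and the demo paths are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Demo paths are constructed.

/** Return a list of problems with a session directory; an empty list means OK. */
function audit_session_dir(string $savePath, string $docRoot): array
{
    // session.save_path may be "N;/path" or "N;MODE;/path": the directory is the last field.
    $parts = explode(';', $savePath);
    $dir = realpath(end($parts));
    if ($dir === false || !is_dir($dir)) {
        return ['save path is not an existing directory'];
    }
    $problems = [];
    $mode = fileperms($dir) & 07777;
    if ($mode & 0077) {
        $problems[] = sprintf('mode %04o lets group/other in; use 0700', $mode);
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($dir . '/', $root . '/') === 0) {
        $problems[] = 'directory is inside the document root';
    }
    if ($dir === realpath(sys_get_temp_dir()) || $dir === '/tmp') {
        $problems[] = 'directory is the shared temp directory';
    }
    // Owner check needs the posix extension; skipped when it is not loaded.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $problems[] = 'directory is not owned by the user PHP runs as';
    }
    return $problems;
}

// Constructed demo tree: one good directory, one bad one under the doc root.
$base = sys_get_temp_dir() . '/lq_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/sessions", 0700);
mkdir("$base/htdocs/sess");
chmod("$base/htdocs/sess", 0777); // chmod because mkdir's mode is cut by umask

print_r(audit_session_dir("$base/sessions", "$base/htdocs"));
print_r(audit_session_dir("2;$base/htdocs/sess", "$base/htdocs"));
print_r(audit_session_dir(session_save_path() ?: sys_get_temp_dir(), "$base/htdocs"));

// Remove the demo tree again.
rmdir("$base/htdocs/sess"); rmdir("$base/htdocs"); rmdir("$base/sessions"); rmdir($base);
```

Run it as the same account the web server uses, otherwise the ownership check compares against the wrong user.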
 
Old 08-26-2003, 01:35 AM   #4
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
I don't think it's a question of cache here, I think sashhoney just doesn't want the page to be displayed again when a user has logged out. So not even without session data. That is why I suggested checking a session variable.

But maybe I misunderstood the question, that's possible too.
 
Old 08-26-2003, 02:59 AM   #5
Sliptwixt
LQ Newbie
 
Registered: Aug 2003
Posts: 8

Rep: Reputation: 0
Yeah, I'm not sure then that I understand it completely either.

The problem with checking a session variable is that the check is server-side. When the user hits 'Back', the browser is delivering the cached version. There is no data sent to the server for it to verify.
Don't get me wrong, checking sessions is the way I prefer to do things. However, a user having access to a page they just logged out of is not a big concern for me in most of my applications. He just seems to be particularly concerned about this, so that's my suggestion.
 
Old 08-26-2003, 03:43 AM   #6
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
My mistake. Indeed, if the user hits back the server will never get the chance to check the session because the page is loaded from cache.

So disabling the cache in php.ini should work (as Sliptwixt already suggested).
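An added example, not part of the thread: the two suggestions combined, so that 'Back' after logout forces a new request and that request fails the session check. The session key `user_id` and the URL `/login.php` are assumed names.

```php
<?php
// Added example, not code from the thread. 'user_id' and /login.php are assumed names.

/** Headers that tell browsers and proxies not to store or reuse the page. */
function no_cache_headers(): array
{
    return [
        'Cache-Control: no-store, no-cache, must-revalidate, max-age=0',
        'Pragma: no-cache',                       // HTTP/1.0 clients and proxies
        'Expires: Thu, 01 Jan 1970 00:00:00 GMT', // already expired
    ];
}

/** Call at the top of every protected page, before any output. */
function require_login(string $loginUrl = '/login.php'): void
{
    session_cache_limiter('');  // we send the cache headers ourselves
    session_start();
    foreach (no_cache_headers() as $h) {
        header($h);
    }
    if (empty($_SESSION['user_id'])) {  // server-side check on every request
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

/** Logout: clear the data, expire the cookie, destroy the session file. */
function logout(string $loginUrl = '/login.php'): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    foreach (no_cache_headers() as $h) {
        header($h);
    }
    header('Location: ' . $loginUrl, true, 302);
    exit;
}

// From the command line, just show what a protected page would send.
if (PHP_SAPI === 'cli') {
    echo implode("\n", no_cache_headers()), "\n";
}
```

Because the protected page was sent with `no-store`, the browser has no copy to show on 'Back'; it asks the server again, and `require_login()` redirects since the session no longer exists.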
 
Old 08-28-2003, 06:00 AM   #7
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Original Poster
Rep: Reputation: 15
Hi,
Thanks for giving this suggestion.
I went through php.ini and modified the session entries, and I also used 'Cache control' with the header function.
Now the problem is solved.
Thanks again.
 
Old 08-28-2003, 07:30 AM   #8
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
You're very welcome.
 
  

