Main
Index 		Search
Posts 		Who's
Online 		Log
In

Home: Products: CMS Builder: Plugins & Add-ons:
Website Membership - Logoff

 
 


pothompson
User

Jun 14, 2011, 5:01 AM

Post #1 of 4 (1092 views)
Shortcut
Website Membership - Logoff Can't Post
I've found an issue with a site I'm working on that has the Website Membership installed.

For parts of the site to work, I'm relying on the $_SESSION array but have found that if somebody logs off, or enters and incorrect login for a login form attached to the Website Membership plugin, a function is invoked called 'user_eraseLoginSession', found in login_functions.php

The function is as follows:

function user_eraseLoginSession() {
if ($_SESSION) { session_destroy(); }
$_SESSION = array();
$CURRENT_USER = false;
}

The problem as I see it is that this removes the entire session and so any other session variables that were stored are also lost.

Is there a way that this function can be changed so as just to remove the relevant session variables?

Thanks, Paul.


Jason
Staff / Moderator


Jun 14, 2011, 10:22 AM

Post #2 of 4 (1080 views)
Shortcut
Re: [pothompson] Website Membership - Logoff [In reply to] Can't Post
Hi,

You're right, the logoff functions do completely erase the $_SESSION array. There are a couple of function calls within the plugin that will trigger this:
- user_logoff()
- user_eraseLoginSession()

What you can do is customize your plugin code to not use these functions. Instead you can set the $CURRENT_USER array to false and empty the username and passwordHash $_SESSION elements your self.

For example:

Code
// remove login cookies 
function _websiteLogin_logoff() { 
  global $CURRNET_USER; 
   
  // get logoff url 
  if ($GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL']) { 
    $logoffUrl = $GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL']; 
  } 
  else { 
    $logoffUrl = thisPageUrl(); 
    $logoffUrl = preg_replace('/\baction=logoff\b/', '', $logoffUrl); // prevent redirect loop 
  } 
 
  // logoff and redirect 
  //user_logoff($logoffUrl); 
   
  $CURRNET_USER = false; 
  $_SESSION['username']     = ""; 
  $_SESSION['passwordHash'] = ""; 
  redirectBrowserToURL($logoffUrl); 
  exit; 
}

There are some important things to note here:
1) In every function that you do this in, you need the code global $CURRENT_USER; at the top in order to be able to access the $CURRENT_USER variable.
2)This customization is untested and may cause other problems. It might be a good idea to see if you can customize your other code to not use the $_SESSION array.

Hope this helps.
---------------------------------------------------
Jason Sauchuk - Programmer 
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/ 


pothompson
User

Jun 14, 2011, 11:04 AM

Post #3 of 4 (1075 views)
Shortcut
Re: [Jason] Website Membership - Logoff [In reply to] Can't Post
Hi Jason,

Thanks for the reply. It's pretty much what I've done, I've created a new function as follows:

function _websiteLogin_user_eraseLoginSession() {
@$_SESSION['wl_username'] = '';
@$_SESSION['wl_passwordHash'] = '';
@$LOGGED_IN = false;
}

And I call this from the plugin instead of calling the standard _user_eraseLoginSession().

However, my concern is why you're destroying the session completely as opposed to just initialising the variable like I've done. Is there a reason for this?

I understand what you say about re-coding to not use session variables but I think the issue centres more around the _user_eraseLoginSession() code removing more than just the login session. I often inherit code from existing sites and re-coding isn't likely to be practical.

Thanks, Paul.


Jason
Staff / Moderator


Jun 15, 2011, 10:19 AM

Post #4 of 4 (1014 views)
Shortcut
Re: [pothompson] Website Membership - Logoff [In reply to] Can't Post
Hi Paul,

The reason we're destroying the entire $_SESSION array is to be as secure as possible. You are right, however, as it does cause problems if you are storing other pieces of information in the $_SESSION array. This is something we can look at changing for a future release.

Thanks
---------------------------------------------------
Jason Sauchuk - Programmer 
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/