Website Membership - Logoff
4 posts by 2 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: June 15, 2011
By pothompson - June 14, 2011
I've found an issue with a site I'm working on that has the Website Membership installed.
For parts of the site to work, I'm relying on the $_SESSION array but have found that if somebody logs off, or enters an incorrect login for a login form attached to the Website Membership plugin, a function is invoked called 'user_eraseLoginSession', found in login_functions.php
The function is as follows:
function user_eraseLoginSession() {
    if ($_SESSION) { session_destroy(); }
    $_SESSION = array();
    $CURRENT_USER = false;
}
The problem as I see it is that this removes the entire session and so any other session variables that were stored are also lost.
Is there a way that this function can be changed so as just to remove the relevant session variables?
Thanks, Paul.
Re: [pothompson] Website Membership - Logoff
By Jason - June 14, 2011
Hi,
You're right, the logoff functions do completely erase the $_SESSION array. There are a couple of function calls within the plugin that will trigger this:
- user_logoff()
- user_eraseLoginSession()
What you can do is customize your plugin code to not use these functions. Instead you can set the $CURRENT_USER array to false and empty the username and passwordHash $_SESSION elements yourself.
For example:
// remove login cookies
function _websiteLogin_logoff() {
    global $CURRENT_USER;

    // get logoff url
    if ($GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL']) {
        $logoffUrl = $GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL'];
    }
    else {
        $logoffUrl = thisPageUrl();
        $logoffUrl = preg_replace('/\baction=logoff\b/', '', $logoffUrl); // prevent redirect loop
    }

    // logoff and redirect
    //user_logoff($logoffUrl);
    $CURRENT_USER = false;
    $_SESSION['username'] = "";
    $_SESSION['passwordHash'] = "";
    redirectBrowserToURL($logoffUrl);
    exit;
}
There are some important things to note here:
1) In every function that you do this in, you need the code global $CURRENT_USER; at the top in order to be able to access the $CURRENT_USER variable.
2) This customization is untested and may cause other problems. It might be a good idea to see if you can customize your other code to not use the $_SESSION array.
Hope this helps.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com
Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
Re: [Jason] Website Membership - Logoff
By pothompson - June 14, 2011
Hi Jason,
Thanks for the reply. It's pretty much what I've done, I've created a new function as follows:
function _websiteLogin_user_eraseLoginSession() {
    @$_SESSION['wl_username'] = '';
    @$_SESSION['wl_passwordHash'] = '';
    @$LOGGED_IN = false;
}
And I call this from the plugin instead of calling the standard _user_eraseLoginSession().
However, my concern is why you're destroying the session completely as opposed to just initialising the variable like I've done. Is there a reason for this?
I understand what you say about re-coding to not use session variables but I think the issue centres more around the _user_eraseLoginSession() code removing more than just the login session. I often inherit code from existing sites and re-coding isn't likely to be practical.
Thanks, Paul.
Re: [pothompson] Website Membership - Logoff
By Jason - June 15, 2011
Hi Paul,
The reason we're destroying the entire $_SESSION array is to be as secure as possible. You are right, however, as it does cause problems if you are storing other pieces of information in the $_SESSION array. This is something we can look at changing for a future release.
Thanks
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com
Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
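An added example, not part of the thread and not the plugin's own code: a middle ground between the two approaches discussed above, which removes only the login entries but also issues a new session ID so the ID that was valid while logged in stops working. The function name and the default key list are assumptions; the thread mentions both 'username'/'passwordHash' and the 'wl_'-prefixed forms, so pass the keys your plugin version actually stores.

```php
<?php
// Added example (hypothetical helper, not from login_functions.php).
// Clears only the login-related session entries and rotates the session ID,
// leaving every other $_SESSION entry in place.
function example_eraseLoginKeysOnly(array $loginKeys = array('username', 'passwordHash')) {
    global $CURRENT_USER;

    // Make sure a session is open before touching $_SESSION.
    if (session_id() === '') {
        session_start();
    }

    // Remove the login entries outright rather than leaving empty strings,
    // so later isset() checks on them fail cleanly.
    foreach ($loginKeys as $key) {
        unset($_SESSION[$key]);
    }
    $CURRENT_USER = false;

    // New session ID; passing true deletes the old session record, so a
    // copy of the pre-logoff ID no longer maps to any session data.
    session_regenerate_id(true);
}

// Constructed demonstration for the command line; the values are made up.
if (PHP_SAPI === 'cli') {
    session_start();
    $oldId = session_id();
    $_SESSION = array(
        'username'     => 'paul',
        'passwordHash' => 'constructed-sample-value',
        'cart'         => array(101, 102), // unrelated data that must survive
    );

    example_eraseLoginKeysOnly();

    $remainingKeys = array_keys($_SESSION);
    $idRotated     = (session_id() !== $oldId);
    var_dump($remainingKeys, $idRotated);
}
```

Anything left in $_SESSION after this call is still readable by whoever uses the browser next, so keep user-specific data under keys that are included in the list passed to the function.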