
Logout doesn't really logout


sizemore

Posted

My osCommerce installation is almost ready to go, save for one detail. When a user is logged in and then chooses to logout, she is presented with the correct logout screen ("You have been logged off ...").

 

However, after this reported successful logout, clicking links on osCommerce pages shows that the user is still logged in -- you get the "welcome back, User!" message at the root page. However, the shopping cart itself seems to be correct -- after logging out the shopping cart is empty.

 

The only way I've been able to "force" the log out to look correct is to clear the cookies from my browser. Doing this and refreshing the catalog after logging out will show the "Welcome, Guest" as it should. Logging back in as the user will show that the shopping cart contains the correct items.

 

Details that may be helpful:

 

Sessions stored in database, i.e. define('STORE_SESSIONS', 'mysql');

 

Session config (from admin->configuration->sessions):

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: False

 

Using SSL for login, logout, etc.

Contributions installed: vger's fix for register globals (thanks, vger!!), template file (Futuristic Grey)

 

Any help would be greatly appreciated. I've read everything I could find in the docs and forums remotely related to the behavior I'm seeing, and scoured my configuration files and such desperately trying to find my mistake, all to no avail.

Posted

Sessions which are stored in the database automatically expire 23 minutes after the last click of the user on your website.

 

Vger

Posted
> Sessions which are stored in the database automatically expire 23 minutes after the last click of the user on your website.

 

Vger, thanks for the quick reply (and your many contributions in both code and help in general). I wonder if this behavior could be changed, so that sessions in the DB could expire later or forced to expire immediately?

 

Is there a configuration option to do this, or should I look at attempting to write my own contribution to osCommerce to do this?

 

Also, out of curiosity, do you know why 23 minutes? It seems an arbitrary number to me . . .

Posted

Actually it's 24 minutes, and it's the default setting for most php.ini files. It's found in these lines (quoted in seconds):

 

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

 

This only occurs if sessions are stored in the database and not in files. If stored in files then you have to institute your own means of cleaning out old session data.

 

Vger

Posted
> Actually it's 24 minutes, and it's the default setting for most php.ini files. It's found in these lines (quoted in seconds):
>
> ; After this number of seconds, stored data will be seen as 'garbage' and
> ; cleaned up by the garbage collection process.
> session.gc_maxlifetime = 1440
>
> This only occurs if sessions are stored in the database and not in files. If stored in files then you have to institute your own means of cleaning out old session data.
>
> Vger

 

Thanks for the information. However, after reading over the php.ini file and playing with a few settings, I do not think this is the cause of the behavior I want to change. Really, the logout behavior I want is to expire the session immediately when the user chooses "logout". I find I can do this manually by choosing "log off" (to update the database) and then deleting the cookie 'osCsid' from my browser (so my browser is no longer linked to the user's account in the database). How would I go about doing that second step from catalog/logoff.php (or anywhere else?)

Posted
> Vger, thanks for the quick reply (and your many contributions in both code and help in general). I wonder if this behavior could be changed, so that sessions in the DB could expire later or forced to expire immediately?
>
> Is there a configuration option to do this, or should I look at attempting to write my own contribution to osCommerce to do this?
>
> Also, out of curiosity, do you know why 23 minutes? It seems an arbitrary number to me . . .

 

I'm having this same problem. Anybody can click a link and see that user's data.

 

How can I move from the /tmp file storage to database storage? I know where to put in the path in admin but don't want to mess it up.

Posted
> I'm having this same problem. Anybody can click a link and see that user's data.
>
> How can I move from the /tmp file storage to database storage? I know where to put in the path in admin but don't want to mess it up.

 

Sounds like you need to change your configuration to store sessions in the database. In catalog/includes/configure.php, make sure you have

 

define('STORE_SESSIONS', 'mysql');

 

This is usually the last line of the file.

 

As to my own problem, I figured out the solution. I modified my logoff.php file slightly to be:

 

tep_session_unregister('customer_id');
tep_session_unregister('customer_default_address_id');
tep_session_unregister('customer_first_name');
tep_session_unregister('customer_country_id');
tep_session_unregister('customer_zone_id');
tep_session_unregister('comments');
$cart->reset();

// end session immediately at logoff
session_destroy();

 

This seems to have done the trick quite well -- users using the logout link have the session killed immediately, producing the behavior I wanted.
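
The second step asked about earlier in the thread (removing the osCsid cookie at logoff) can be combined with destroying the session data, since session_destroy() removes the stored data but does not unset the cookie in the browser. This is an added example, not part of the original posts and not osCommerce code; end_session_completely() is a hypothetical helper name, and it assumes PHP 7+ with cookie-based sessions.

```php
<?php
// Added example; not osCommerce code. end_session_completely() is a
// hypothetical helper name. Assumes PHP 7+ and cookie-based sessions.

function end_session_completely(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // attach to the session we are ending
    }

    // 1. Empty this request's copy of the session data.
    $_SESSION = [];

    // 2. Tell the browser to drop the session cookie. Name, path and domain
    //    must match the original cookie or the browser keeps the old one.
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the server-side record through the active save handler
    //    (a file, or a database row when sessions are stored in MySQL).
    return session_destroy();
}

// Demo with constructed values, runnable from the PHP command line.
session_name('osCsid');             // cookie name mentioned in the thread
session_start();
$_SESSION['customer_id'] = 42;      // constructed sample value
$oldId = session_id();

end_session_completely();

// Present the old id again, as a browser with a stale cookie would.
session_id($oldId);
session_start();
echo 'customer_id survives logout: ',
    isset($_SESSION['customer_id']) ? 'yes' : 'no', PHP_EOL;
```

In a web request the helper has to run before any page output, because the expiring cookie is sent as a response header.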

Posted
> Sounds like you need to change your configuration to store sessions in the database. In catalog/includes/configure.php, make sure you have
>
> define('STORE_SESSIONS', 'mysql');

 

Thanks but don't you have to set up a table in the SQL database?

 

What about the session path in admin that is currently /tmp?

Archived

This topic is now archived and is closed to further replies.
