Website Membership - Logoff

4 posts by 2 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: June 15, 2011

By pothompson - June 14, 2011

I've found an issue with a site I'm working on that has the Website Membership installed.

For parts of the site to work, I'm relying on the $_SESSION array but have found that if somebody logs off, or enters an incorrect login for a login form attached to the Website Membership plugin, a function is invoked called 'user_eraseLoginSession', found in login_functions.php.

The function is as follows:

function user_eraseLoginSession() {
  if ($_SESSION) { session_destroy(); }
  $_SESSION = array();
  $CURRENT_USER = false;
}

The problem as I see it is that this removes the entire session and so any other session variables that were stored are also lost.

Is there a way that this function can be changed so as just to remove the relevant session variables?

Thanks, Paul.

Re: [pothompson] Website Membership - Logoff

By Jason - June 14, 2011

Hi,

You're right, the logoff functions do completely erase the $_SESSION array. There are a couple of function calls within the plugin that will trigger this:
- user_logoff()
- user_eraseLoginSession()

What you can do is customize your plugin code to not use these functions. Instead you can set the $CURRENT_USER array to false and empty the username and passwordHash $_SESSION elements yourself.

For example:

// remove login cookies
function _websiteLogin_logoff() {
  global $CURRENT_USER;

  // get logoff url
  if ($GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL']) {
    $logoffUrl = $GLOBALS['WEBSITE_LOGIN_POST_LOGOFF_URL'];
  }
  else {
    $logoffUrl = thisPageUrl();
    $logoffUrl = preg_replace('/\baction=logoff\b/', '', $logoffUrl); // prevent redirect loop
  }

  // logoff and redirect
  //user_logoff($logoffUrl);

  // clear only the login-related values, leaving the rest of $_SESSION intact
  $CURRENT_USER = false;
  $_SESSION['username'] = "";
  $_SESSION['passwordHash'] = "";
  redirectBrowserToURL($logoffUrl);
  exit;
}


There are some important things to note here:
1) In every function that you do this in, you need the code global $CURRENT_USER; at the top in order to be able to access the $CURRENT_USER variable.
2) This customization is untested and may cause other problems. It might be a good idea to see if you can customize your other code to not use the $_SESSION array.

Hope this helps.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
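
The selective logoff discussed in this thread, as an added example that is not part of the original posts or of the Website Membership plugin: it removes only the login keys, keeps other session data, and issues a new session ID so the ID used while logged in stops being valid. The function name example_eraseLoginOnly, the LOGIN_SESSION_KEYS constant and the sample 'cart' value are hypothetical, and it assumes the plugin treats missing 'username' and 'passwordHash' keys as logged out.

```php
<?php
// Added example, not plugin code.
// Assumption: login state lives only in these two session keys, as in the reply above.
const LOGIN_SESSION_KEYS = ['username', 'passwordHash'];

// Hypothetical replacement for a full session_destroy() on logoff.
function example_eraseLoginOnly(): void {
    global $CURRENT_USER;

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Remove the login keys entirely so isset() checks on them fail,
    // while every other session value is left alone.
    foreach (LOGIN_SESSION_KEYS as $key) {
        unset($_SESSION[$key]);
    }
    $CURRENT_USER = false;

    // New session ID, old session record deleted: a copy of the ID that
    // was in use while logged in no longer maps to any session data.
    session_regenerate_id(true);
}

// Constructed demonstration, only when run from the command line.
if (PHP_SAPI === 'cli') {
    session_start();
    $_SESSION = [
        'username'     => 'paul',              // constructed sample value
        'passwordHash' => 'constructed-hash',  // constructed sample value
        'cart'         => [101, 102],          // unrelated data that must survive
    ];
    $oldId = session_id();

    example_eraseLoginOnly();

    var_dump(isset($_SESSION['username']));      // login key present?
    var_dump(isset($_SESSION['passwordHash']));  // login key present?
    var_dump($_SESSION['cart']);                 // unrelated data
    var_dump(session_id() !== $oldId);           // did the ID change?
}
```

Any other session value that carries privilege (for example a role or an "is admin" flag) would need to be added to the key list, since everything not listed survives the logoff.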

Re: [pothompson] Website Membership - Logoff

By Jason - June 15, 2011

Hi Paul,

The reason we're destroying the entire $_SESSION array is to be as secure as possible. You are right, however, as it does cause problems if you are storing other pieces of information in the $_SESSION array. This is something we can look at changing for a future release.

Thanks
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com
