PHP Session variables not destroyed with Internet Explorer IE (or cache problems)

Posted on 2010-01-08
Last Modified: 2012-05-08

I have a web form on PAGE A that gets sent to PAGE B for processing. PAGE B validates the data, inserts it into a MYSQL database. The record ID that is generated from the INSERT is placed into a SESSION variable.  PAGE B has a button on it. When user clicks button, it goes to PAGE C, which uses the class FPDF to generate a nice PDF Form that the user prints out. PAGE C uses the SESSION variable created on PAGE B to find the correct record.
PAGE A does all of the SESSION DESTROY/COOKIE DESTROY stuff to erase all personal data in case someone goes from PAGE C to PAGE A without closing the browser window. When I print out the session data on this page, it is blank, so I feel confident that this is happening correctly.

In FireFox, the system works fine... But in I.E. The SESSION Variable of the first person to fill out the form since the browser window has been open will persist. Or, if it doesn't persist, IE is somehow caching the old PAGE 3 and reprinting the previous record.

This is not good for privacy purposes.

Is there anything I can do to force IE to purge its cache?

Question by:aberns
    LVL 2

    Accepted Solution

    Have you tried the header value:

    header("Cache-Control: no-cache, must-revalidate");

    You could also try specifying the "Expires" header value to a date in the past.

    This should prevent the browsers from caching the page.
    LVL 107

    Assisted Solution

    by:Ray Paseur
    aberns: Have you tested this system with more than one copy of the browser running?  In practice this is a rare occurrence, but in testing you can have something goofy happen.  Here is why.

    The session handler sets a cookie on the browser.  If you have any instance of that browser open, the cookie persists and all instances of the browser are able to resend the cookie.  Symptoms seem like, "I just logged off, and yet it still has me logged in, etc."

    There is no practical fix for this - it is just the way sessions and cookies interact with the browser.  But as I said, in practice this is very rare.

    HTH, ~Ray

    Author Comment

    Hi Guys,

    Thanks for your responses. I have been pulled off onto another project, but I will revisit this issue tomorrow and try the things you've suggested, both in terms of the no-cache statements, and the multiple browsers opened at once.

    For now, I am sending POST variables instead of SESSION, which has solved the problem.

    But I wonder in general, when collecting variables for Ecommerce or some other personal data, what is the gold standard in terms of collecting and passing variables? Encryption is of course assumed. Thanks.
    LVL 107

    Expert Comment

    by:Ray Paseur
    SSL is all you need when you collect the data. Depending on the risk of exposure, you might want to encrypt the data whenever it is stored in a data base or transmitted over the internet.  If you want help on this, please post a question about "Sending encrypted data" and I'll be glad to show you my teaching samples on the topic.

    One noteworthy matter... It is notoriously hard to debug data-dependent errors when the data is encrypted, so plan your appdev budget accordingly!!

    Best, ~Ray

    Author Closing Comment

    Thanks to both of you for the reply. I am just going to stick with POST and SSL.


    Author Comment


    Thanks. Look for the question "Sending encrypted data" shortly.

    I am also going to be posting a follow up question to an excellent solution you provided on June 11 2009, entitled "modify javascript to dynamically generate form fields as array rather than appending numbers" in the javascript section, if you are interested.

    Thanks again for sharing your expertise!
    LVL 107

    Expert Comment

    by:Ray Paseur
    10-4, and thanks for the points, ~Ray

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Introduction If you're like most people, you have occasionally made a typographical error when you're entering information into an online form.  And to your consternation, the browser remembers the error, and offers to autocomplete your future entr…
    Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
    Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
    How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now