Clearing session variable values


The Manual is not 100% clear to me about session variables.  This seems to
work, but I'm not experienced enough to know if there is some hidden trap or
vulnerability. This is for suPHP, Version 5.2.4.  Register-globals off.

I have a made-from-scratch CMS for a local nonprofit.  Admins can write and
edit articles into a database.  Some of the variable passing in these pages
is done in session variables.

In editing mode, most fields fill automatically from the database info
unless a session variable is set, in which case it fills the session
variable data instead.  So if a user edits an item then starts to edit
another item, I don't want the fields filling with session data from the
first edit!

My solution is a form button that is intended to clear all session data
except login data, then send the user back to the page.  Here's the page I
came up with:
require_once('./');  // session module, tests for login
if($gtg2!='xp8tbYYmx') {
    // another security test for admin-level access, using a session
    // variable from the first require()
    header("Location: ");
    exit;  // stop here; without exit the rest of the page still runs after the redirect
}

if((isset($_POST['Submit']))&&($_POST['submitted']=='CLEARSESS')) {
    // unset all session variables except the six login/security keys
    foreach($_SESSION as $k=>$v) {
        if ($k=='id') continue; // PHPSESSID
        if ($k=='username') continue;
        if ($k=='password') continue;
        if ($k=='status') continue; # low level security for subdirectory
        if ($k=='gtg1') continue; # medium level security for subdirectory
        if ($k=='gtg2') continue; # high level security for admin functionality
        unset($_SESSION[$k]);
    }

    // return user to the page where he started, using a unique hidden
    // POST['thispage'] value
    if($_POST['thispage']=='CLEARSESS1') {
        header("Location: ");
    } elseif ($_POST['thispage']=='CLEARSESS2') {
        header("Location: ");
    } else {
        header("Location: ");
    }
    exit;
}

I'd be grateful for any help/comments.
Mason Barge

Re: Clearing session variable values


I would suggest clearing the state on the first step of an edit.
There should be a way to distinguish between the wizard's entry point and a
wizard that's already in progress.

Now, another way you can track the state of each wizard is to generate
a random token on the first step of the edit and track the form state
in a session key based on that token. For instance,

if (!isset($_POST['wizardId']) || !is_string($_POST['wizardId'])
    || !isset($_SESSION[$_POST['wizardId']])) {
  // first step (or an unknown/tampered token): start a fresh, token-scoped state
  $wizardId = md5(uniqid(rand(), true));
  $_SESSION[$wizardId] = array();
  $_SESSION[$wizardId]['name'] = getName();  // getName(): whatever loads the field's initial value
} else {
  // later step: the token is one we issued, so reuse its state
  $wizardId = $_POST['wizardId'];
}

<input type=text name=name
  value="<?= htmlentities($_SESSION[$wizardId]['name']) ?>">

<input type=hidden name=wizardId value="<?= htmlentities($wizardId) ?>">
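One way to combine both ideas in this thread (a whitelist-based session reset and wizard state scoped by a random token), as an added example that is not code from either post. KEEP_KEYS, the 'csrf' key and the function names are assumptions, and a plain array stands in for $_SESSION so it runs from the command line:

```php
<?php
// Added example, not code from the thread. KEEP_KEYS, the 'csrf' key and the
// function names are assumptions; a plain array stands in for $_SESSION.
declare(strict_types=1);

const KEEP_KEYS = ['id', 'username', 'status', 'gtg1', 'gtg2', 'csrf'];

/** Accept the "clear session" POST only when its CSRF token matches. */
function isClearRequest(array $post, array $session): bool
{
    return ($post['submitted'] ?? '') === 'CLEARSESS'
        && isset($post['csrf'], $session['csrf'])
        && hash_equals($session['csrf'], (string) $post['csrf']);
}

/** Drop every session entry except the whitelisted login keys. */
function clearSessionExcept(array &$session, array $keep): void
{
    foreach (array_keys($session) as $k) {
        if (!in_array($k, $keep, true)) {
            unset($session[$k]);
        }
    }
}

/** Start a wizard under a fresh random id; its state lives only under that id. */
function startWizard(array &$session, array $initial): string
{
    $id = bin2hex(random_bytes(16));      // CSPRNG, not uniqid()/rand()
    $session['wizard'][$id] = $initial;
    return $id;
}

/** Resume a wizard only if the client-supplied id is well-formed and known. */
function resumeWizard(array $session, $id): ?array
{
    if (!is_string($id) || !preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null;                      // malformed token: treat as no wizard
    }
    return $session['wizard'][$id] ?? null; // unknown token: same
}
// Constructed demo: two edits in flight, then a reset that keeps only login keys.
$session = ['username' => 'editor', 'gtg2' => 'xp8tbYYmx', 'csrf' => 'c0ffee'];
$a = startWizard($session, ['name' => 'Article A']);
$b = startWizard($session, ['name' => 'Article B']);  // does not overwrite the first
assert(resumeWizard($session, $a)['name'] === 'Article A');
assert(resumeWizard($session, '../x') === null && resumeWizard($session, str_repeat('f', 32)) === null);
assert(isClearRequest(['submitted' => 'CLEARSESS', 'csrf' => 'c0ffee'], $session) && !isClearRequest(['submitted' => 'CLEARSESS'], $session));
clearSessionExcept($session, KEEP_KEYS);
assert(!isset($session['wizard']) && $session['username'] === 'editor');
```

In a real page the reset handler would run clearSessionExcept() on $_SESSION only after isClearRequest() passes, then redirect and exit.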
