I am testing the trial version (so far it's been easy to set up) but have encountered just one issue. 1) On a shared computer, a user with privileges to view product A, then logs out. 2) A second user creates account with privileges to view product B only and not product A. So far so good. If User #2 enters the full path to Product A html page however, he is allowed access. He cannot access any linked files but the page is meant for viewing only by Product A members. Any comments or am I missing something? How to prevent this? Ok....further research seems to be related to session cookies. Is there a way to clear these upon logout? What is the default time they are retained?
If both are logged out, can you still view the page meant for 'Product A' members? Perhaps you have not set up the protection correctly?
I believe it is set up properly. On a 'new' computer, when nobody has logged in, protection works as expected. When both users login (A logs in and logs out), then immediately B logs in, B can see resource A. After both users log out, page can still be seen, although as I said linked files cannot be accessed. It does recognize that the users are logged out in the sense that if you attempt to access membership page it will give the login screen instead. The effect seems to time out in a couple of minutes..just puzzling.
I believe I have it figured out....could it be that the logout function does not clear the browser cache? With the secure page cached...it seems still viewable to the next user who should not be able to see it. Any comments or other input?
Logout function does not clear browser cache and just can't do this. Do you see these issues on html pages, or php? If the latter, and the page is cached by the browser, I believe your php script does not send a correct Expires header.
It is happening with html pages. Any linked protected content is protected but the page is visible for a short period of time. This has happened using Opera browser. I will test today with IE, Firefox, and Chrome and post results later this afternoon. I have set up 2 test user accounts: usera and userb (same password), so you can login and try to recreate. Passwords same as user name. Each has access to different product page. When usera logs in views page then logs out, userb logs in and if explicitly specifies usera product page in address bar, he can view page but not access linked resources. http://crosswindsmedia.com/
I was not able to recreate it in Firefox. When I go to usera protected area I get error from aMember: Access to this membership area is not allowed. Please go to "Membership information page" to renew or add subscription
Thanks for checking...I was able to view page using Chrome and Opera. Ok...narrowed it down to browser cache. In Opera there is a setting that allows you to only check for new pages from internet every nn time period. If you set that to always check by default, problem goes away as it does not access page from cache first. Chrome must have same setting but can't find it yet. IE and Firefox work as expected by default. Also confirmed it with your DEMO system. After creating account for product #1 and logging out, I could still view product #1 page in Opera. FYI: here is a discussion of similar issue in programmer forum: http://bytes.com/topic/php/answers/12141-cant-end-session-logout-button
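
An added example, not part of the original thread or of aMember's code: a Python check that estimates, from a page's response headers, how long a browser may redisplay its cached copy without asking the server, which is the window in which a protected static page stays viewable after logout. The header values are constructed, and the 10% heuristic lifetime is an assumed common browser default.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def reuse_window(headers, now=None):
    """Return (verdict, seconds the browser may reuse its copy unasked)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "not-stored", 0
    if "no-cache" in cc:
        return "revalidated", 0
    if cc.get("max-age") is not None:
        secs = int(cc["max-age"])
        return ("fresh", secs) if secs > 0 else ("revalidated", 0)
    date = (parsedate_to_datetime(h["date"]) if "date" in h
            else now or datetime.now(timezone.utc))
    if "expires" in h:
        try:
            secs = int((parsedate_to_datetime(h["expires"]) - date).total_seconds())
        except (TypeError, ValueError):
            secs = 0  # an unparseable Expires (e.g. "0") counts as expired
        return ("fresh", secs) if secs > 0 else ("revalidated", 0)
    if "last-modified" in h:
        # No explicit lifetime: the cache may guess one (heuristic freshness).
        # Assumption: 10% of the time since last modification, a common default.
        age = (date - parsedate_to_datetime(h["last-modified"])).total_seconds()
        secs = int(max(age, 0)) // 10
        return ("heuristic", secs) if secs > 0 else ("revalidated", 0)
    return "revalidated", 0

# Constructed sample headers (not captured from the site in the thread).
STATIC_HTML = {"Date": "Mon, 01 Jan 2024 12:00:00 GMT",
               "Last-Modified": "Mon, 01 Jan 2024 11:30:00 GMT"}
NO_STORE = dict(STATIC_HTML, **{"Cache-Control": "no-store"})
EXPIRED = dict(STATIC_HTML, Expires="Thu, 01 Jan 1970 00:00:00 GMT")

if __name__ == "__main__":
    for name, hdrs in [("static", STATIC_HTML), ("no-store", NO_STORE),
                       ("expired", EXPIRED)]:
        print(name, reuse_window(hdrs))
```

A member page that reports `heuristic` or `fresh` can be redisplayed from the browser cache after logout; serving protected pages with `Cache-Control: no-store` removes that window.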