Sign Out - user can still access members area after Sign Out

Hey all – my members are still able to access the members area after signing out and also after their EOT has expired. I’m sure I’ve set this up wrong. Can someone please assist?! Thank you.

Unfortunately, there are many, many variables involved in knowing why access restriction isn’t working correctly. Question #1: You say your members are able to access the members area after logging out and after their EOT has expired. Does that mean you cannot access the members area if you’ve never logged in? Try it in an incognito window or on a device you’ve never logged into your site on before.

Thanks, Pat. To be clear, members can log in and non members cannot. That all works great.

But when a member logs out, they can click the back button or return to the members area unhindered.

If a member’s EOT expires, they can continue to login unhindered.

Thanks!

Are you sure they are actually logged in when they “click the back button or return to the members area unhindered”?

I suspect that they are not, and that they are just reading a cache. So the first thing is to make sure that you don’t have any caching running where you don’t want it. In particular, make sure you and your host are not running Varnish or any form of object caching.

If that isn’t the issue, then you are almost certainly just seeing the browser cache. I am not sure that that really presents much of a problem, but if you want to tackle it, the best way to do so is via security headers, as explained here: http://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers

That’s because, by default, s2Member demotes Members to Level 0 upon EOT. So they can still log in, but they should not be able to see anything restricted to Level 1 or above.


@JediShark - that’s super helpful, thank you.

@KTS915 - Thanks for your response. In testing the cache issue, I have set Varnish to OFF and purged cache. I have used a fresh browser window to successfully login to the site, then “Sign Out”. This redirects to the unprotected homepage. Great.

If I then close the browser window, open a new one and type in the URL of a known protected page, I can still access it. If I then clear the cache on the browser and reopen a fresh window and try the protected URL again – Bingo! Redirects me to the Sign Up page.

QUESTION: I guess I’m wondering, why doesn’t s2Member operate like other sites and simply log the user out and ensure that even if there’s a cached version of the protected page, the user is redirected to log back in?

Your question is based on two false assumptions.

First, s2Member isn’t responsible for either logging in or logging out. That’s WordPress. So all WP sites work like this.

Second, by default, and despite what you say, other sites all work the same way too. It’s just that some (like those of banks) tell you to close the browser tab or window and then use the security header to which I pointed you.

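The security-header approach KTS915 points to above (and again in the reply just before this), as an added example that is not from the thread or from s2Member itself: a small must-use plugin that marks every response rendered for a logged-in user as uncacheable, so that after Sign Out the back button or a typed URL has no stored copy of a protected page to show and the request has to reach WordPress again. The function name and the mu-plugin filename are mine; only WordPress core APIs are used.

```php
<?php
/**
 * Plugin Name: No-store headers for logged-in responses (example)
 *
 * Added example for this thread; not s2Member code and not written by
 * the thread's authors. Save as wp-content/mu-plugins/no-store-members.php.
 * Assumes a standard WordPress install; the only APIs used are WordPress
 * core functions (add_action, is_user_logged_in, nocache_headers, header).
 */

/**
 * Tell browsers and shared caches not to keep a copy of any page that was
 * rendered for a logged-in user. After "Sign Out", the back button or a
 * typed URL then has nothing cached to show, so the request goes to the
 * server, where WordPress/s2Member see no session and redirect as usual.
 */
function example_no_store_for_logged_in_users() {
    if ( ! is_user_logged_in() ) {
        return; // Anonymous responses stay cacheable; they contain nothing restricted.
    }

    // WordPress core helper: sends Expires, Cache-Control and Last-Modified
    // headers that force revalidation. Depending on the WordPress version its
    // Cache-Control value may lack "no-store", which is the directive that
    // stops the back button from reusing a stored copy, so it is set explicitly.
    nocache_headers();

    header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
    header( 'Pragma: no-cache' ); // for legacy HTTP/1.0 caches
    header( 'Expires: 0' );

    // Tell intermediaries (including a page cache such as Varnish in front of
    // PHP) that the response varies by cookie, so a member's copy of a page is
    // never handed to a different visitor. The second argument appends rather
    // than replacing any Vary header already set.
    header( 'Vary: Cookie', false );
}

// 'send_headers' fires on front-end requests once the current user is known.
add_action( 'send_headers', 'example_no_store_for_logged_in_users' );
```

To confirm it is active, fetch a protected URL with `curl -sI` while sending a logged-in cookie and check that the response carries `Cache-Control: no-store`; a request without the cookie should still get the usual redirect. This only controls what browsers and caches keep; a server-side page cache that ignores `Vary: Cookie` still has to be configured to bypass logged-in requests.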

Oh, I understand now and that’s so interesting! Because when I log out of WordPress, if I click the back button – I don’t get taken to a cached version of that area. So how is that different?

Then you have something else going on on your site. I suggest you investigate further.

You have only to search through other recent threads on this very forum to see from other users’ experiences that what I said is true.