Logout from secure single page with php sessions - php

I'm securing a single page with a session:
if($username === 'admin' && $password === 'admin1'){
$_SESSION['secured'] = "Secured";
header('LOCATION:admin/approve.php'); //go to location after successful login.
die();
}
In the approve page I'm checking if the session is set:
session_start(); //starting session to access it
if(!isset($_SESSION['secured'])){
exit();
}
I made a logout button that redirects to the site index, but after logout, when I'm trying to reach the secure page, I don't have a problem entering, and the session is still set.
Logout code:
unset($_SESSION); //clear session array
session_destroy(); //Destroy session
unset($_SESSION['secured']);
header("Location: ../index.html");

You mean the approve page?
What I see is that you did not specify where the page should exit to...
Maybe you should try something like this:
session_start(); //starting session to access it
if(!isset($_SESSION['secured'])){
header("Location: ../index.html");
exit();
}
I hope it helps

Related

How can I log out a single account?

I'm just implementing a login and logout system using PHP and experiencing problems with logout. The system outline is as follows:
When the user logs in, a session is created with the session variables "user" and "stud", as I'm creating it for student and admin.
After the session is set up, the user is redirected to home.php file.
In that file, a logout button is placed. When the user clicks the logout button the session is destroyed, but it destroys both accounts. I tried logging in to both accounts, student and admin, but when I try to log out the admin, it destroys both accounts.
Can anyone help me with this problem?
Here is my code for admin logout:
session_start();
if(!isset($_SESSION['user'])) {
header("Location: index.php");
} else if(isset($_SESSION['user'])!="") {
header("Location: homeAdmin.php");
}
if(isset($_GET['adminLogout'])) {
session_destroy();
unset($_SESSION['user']);
header("Location: index.php");
}
You have to maintain the sessions for user and admin separately, like $_SESSION['user'] and $_SESSION['stud'],
and destroy the respective session in the logout process. That means if you log out the user, then destroy only $_SESSION['user'].
if(isset($_GET['adminLogout'])) { session_destroy(); unset($_SESSION['user']); header("Location: index.php"); }
Here you are taking the adminLogout parameter and destroying the user session as well. I assume you should first check which session is set and destroy that particular session. Also, don't use session_destroy; just unset will work for you.
session_destroy destroys the whole session; you can check here for more reference on how it works:
http://php.net/manual/en/function.session-destroy.php
Thank you guys, I've got my answer. Here I am sharing the answer to the problem:
<?php
session_start();
if(!isset($_SESSION['user']))
{
header("Location: index.php");
}
else if(isset($_SESSION['user'])!="")
{
header("Location: homeAdmin.php");
}
if(isset($_GET['adminLogout']))
{
unset($_SESSION['user']);
header("Location: index.php");
}
?>
Just delete the session_destroy().

How can I completely destroy a session? If the session is not available, redirect to the login page

Hello, I am trying to destroy the session when I press the signout button. It logs out and redirects to the login page, but when I click back in the browser that page loads with the login menu on top.
And I have written code in every page so that if the session is not available it redirects to the login page.
Here is my logout code for session_destroy:
elseif(isset($_GET['type']) && $_GET['type']== "logout" )
{
if (!isset($_SESSION['id'])) {
header('location:index.php');
} else {
session_destroy();
$_SESSION = array();
header('location:index.php');
}
}
Here is the code that I have mentioned, in all pages:
session_start();
include_once('includes/config.php');
if(!isset($_SESSION['id'])) {
header('location:login.php');
}
So my question is how to completely log out, so that pressing back does not load the page and instead redirects to the login page.
<?php
session_start();
if(isset($_SESSION['id'])){ // isset avoids an undefined-index notice when already logged out
unset($_SESSION['id']); // destroys the specified session.
}
header('Location:index.php'); //redirect to preferred page after unset the session
?>
session_destroy()
With this function you can destroy all sessions at the browser. If you work with PHP you should write:
ob_start ();
session_start();
This way your buffer is also flushed and a new session is started. Try it.
Create a page like signout.php, And set signout button link to this page.
Example
Signout
Add below codes for signout.php page.
session_start(); #Start new or resume existing session
#unset($_SESSION['key']); #Free a specific session variable if you want (session_unset() takes no argument), OR
session_destroy(); #Destroys all data registered to a session
header('location:login.php'); #Redirect to login page after logout
This should work for you!
Try in this way :
session_start();
unset($_SESSION["id"]);
session_destroy();
header('location:index');

When I check if the session set, I am not able to log in to web site [duplicate]

I have a log in script where I have been able to successfully make users, and log in. Now my issue is that whenever I try to use my method of protecting pages, being seeing if there is a SESSION for 'user' if not it directs you back to the login page.
Here is me checking for the session,
require("common.php");
if(empty($_SESSION['user']))
{
header("Location: login");
die("Redirecting to login");
}
Here is where I am setting my session, I am ONLY setting a session_start(); on login.php
if($login_ok)
{
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home?worked=1");
die("Redirecting to: home?worked=1");
session_start();
}
else
{
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
What this does is: I log in, and it will process and bring me to my home page, then process the header back to the login page, acting as if I am not logged in. I tested a false login and it IS telling that it's the correct login.
Thanks for any help, I'm pulling my hair out here!
Necro
EDIT
I moved session_start(); to the top of my common.php, and everything is perfect.
You have session_start(); after $_SESSION['user'] = $row;
Actually you have it after a die(); command. Nothing happens after that.
Put session_start(); at the top of PHP in every page (pref common.php since you have one) not just one page.
It would be better to set the session_start() on top
You need to put session_start(); on every page you want to use the session.
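A page guard covering the two threads above (the protected page still showing after logout when pressing back, and session_start() missing from protected pages), as an added example that is not from any of the posts. The function name require_login, its default arguments and the file name auth_guard.php are assumptions.

```php
<?php
// auth_guard.php (hypothetical file name): include it as the first line
// of every protected page, before any output is sent.

function require_login(string $sessionKey = 'id', string $loginUrl = 'login.php'): void
{
    // $_SESSION is only populated after session_start(), so resume the
    // session here instead of relying on each page to remember it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Ask the browser not to keep a copy of the protected page, so that
    // history navigation has to request it again and hits this check.
    // PHP's default session.cache_limiter ("nocache") sends similar
    // headers; setting them explicitly covers sites that changed it.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION[$sessionKey])) {
        header('Location: ' . $loginUrl);
        // Without exit the rest of the protected page is still executed
        // and sent in the body of the redirect response.
        exit;
    }
}

require_login('id', 'login.php');

// Protected page content follows from here.
```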

User authentication Session is set from the start

I'm working on page authentication. It can log in already, but I want it to do user authentication on other pages as well if someone tries to access pages through the URL. If the person is not a logged-in user, redirect that person to the login page. I tried it by working with sessions but it doesn't work. I'm following an MVC structure.
Somehow the session never gets unset. I don't know why..
Here is how I did it
My loginController
<?php
//LoginController
if($_POST)
{
if(isset($_POST['submit']) AND $_POST['submit'] == "login")
{
$username = $_POST['username'];
$password = $_POST['password'];
try
{
include '../model/Login.php';
$login = new Login($db, $username, $password);
if($login == TRUE)
{
session_start();
$_SESSION['username'] = $username;
header("Location:../index.php");
}
}
catch (Exception $exc)
{
echo $exc->getMessage();
}
}
}
My index controller( for main page)
<?php
include 'model/Database.php';
session_start();
//Checks if the user is logged in.
if(!isset($_SESSION['username'])) {
//echo"<h2>You have no access to this page!";
include 'view/login.php';
die();
}
include 'c:/wamp/www/mvc/model/Display.php';
$displayPatients = new Display($db);
$dataDisplay = $displayPatients->getData();
include 'view/Main.php';
?>
my logout.php: When a user clicks this button:
<?php
//Logout
//destroys the session when the user clicks logout
session_destroy();
header('Location:view/login.php'); //redirect to the login
The user does get logged out and redirected to the login page, but the session is still set. The session is set from the beginning and I have no idea why..
Just taken out of the manual for the session_destroy()
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
So it seems to me you need to destroy your session id or set it to something else when starting the new session, otherwise your next session_start() resumes the old session again.
For this reason you could also just regenerate the session id on login before redirecting. Ah and it's always a good idea to use "exit;" after a "Location:" redirect via "header()".
session_start();
session_regenerate_id(true);
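The teardown that the manual excerpt above describes (clear the data, delete the session cookie, destroy the session), which also applies to the first logout question on this page, as an added example that is not from any of the posts. The function name destroy_current_session, the file name logout.php and the login.php redirect target are assumptions.

```php
<?php
// logout.php (hypothetical file name)

function destroy_current_session(): void
{
    // A session has to be resumed before it can be destroyed; calling
    // session_destroy() without session_start() leaves the data intact.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Empty the array in place. unset($_SESSION) only removes the
    // variable in this request and does not clear the stored data.
    $_SESSION = [];

    // Expire the session cookie so the browser stops sending the old id.
    // The path/domain/flags must match the ones the cookie was set with.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // Remove the server-side session data.
    session_destroy();
}

destroy_current_session();

header('Location: login.php');
exit; // stop here so nothing else runs after the redirect header
```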

Using the same logout.php page for two different types clients

I have a simple website that lets the admins and users log in. Their credentials are saved onto a MySQL server in 2 separate tables: 1 for user, 1 for admin.
They both have different login pages; user has userlogin.php and admin has adminlogin.php.
What I want is, when they are both done with accessing the site, I want them to click logout and, through session variables, use just the one logout.php and redirect them to their respective login pages.
So if the user logs out, they should be redirected to userlogin.php and if admin logs out, they should be redirected to adminlogin.php
<?PHP
session_start();
unset($_SESSION["userid"]);
header("Location: userlogin.php");
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
?>
This is what I have so far.
if(isset($_SESSION["userid"]))
{
unset($_SESSION["userid"]);
header("Location: userlogin.php");
}
elseif(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
}
die();
Use session_destroy()
logout.php
<?php
session_start();
if(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
session_destroy();
header("Location: adminlogin.php");
}
else
{
unset($_SESSION["userid"]);
session_destroy();
header("Location: userlogin.php");
}
?>
<?php
session_start();
header ('Location: ' . (isset($_SESSION['adminid']) ? 'adminlogin.php' : 'userlogin.php'));
$_SESSION = array();
session_destroy();
?>
Since some people asked for an explanation, this code first starts the session with session_start();.
After that, it sets the location header to be sent to the client. The code checks if the adminid is set, if so, we'll redirect to adminlogin.php. If not, we'll just redirect to userlogin.php.
Then, the code sets the $_SESSION to array(); (basically just empties it) so that all the previously set data is gone.
Finally, the session is destroyed and the client will get redirected.
