Coz of this virus in China, bosslady asked us to try to do classes online. I want the students to login, so I know who is present.
Login works. It checks user name and password. If correct, I'm in. Logout seems weird!
I have this below for logout.inc.html.php:
<form action="" method="post">
<div>
<input type="hidden" name="action" value="logout">
<input type="hidden" name="goto" value="/">
<input type="submit" value="Log out">
</div>
</form>
Shows a nice Log out button when I put this on any page:
<?php include $_SERVER['DOCUMENT_ROOT'] . '/includes/logout.inc.html.php';?>
The form above does take me back to the root page when I click the button, so that bit is working. But if I click say, the button for class 19BE1 again, where I should be logged out, I am not asked to login again. It just opens. Maybe some cookie thing??
This is part of /includes/access19BE1.inc.php. I got this from my textbook, PHP & MySQL: Novice to Ninja:
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['name']);
unset($_SESSION['password']);
header('Location: ' . $_POST['goto']);
exit();
}
It is supposed to unset everything! Will I be timed out eventually?
I got this from stackoverflow, still not logged out!
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
//session_start();
//unset($_SESSION['loggedIn']);
//unset($_SESSION['name']);
//unset($_SESSION['password']);
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
header('Location: ' . $_POST['goto']);
exit();
}
Any tips please for this virus-avoider??
EDIT: I opened a private window in Firefox. I opened localhost. I get my webpage. I click the button for class 19BE1. I immediately get the login page. I enter a wrong name and number, which brings me back to the login page with the error message. I enter a correct name and password, I get the page I want. So I think login is working.
Maybe, Firefox is saving something??
If you tried the stackoverflow answer with the session_start() line commented out, the session_destroy() would not work.
You can try the simple code below, which you can modify to your requirements:
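<?php
session_start(); // resume the current session so it can be destroyed
session_destroy(); // delete the session data on the server
header('Location: index.php');
exit; // stop here so nothing else runs after the redirect
?>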
I am having an issue on how to make it where users who are viewing any page can log in on the page they are viewing and it stays on that page. How would this be accomplished?
Below is a single line I am currently using, however, if on any page and a user logs in, they are redirected to their profile. How can I set this line where it logs the user in, and it stays on that same page they are viewing? So in other words, are not redirected to their profile...
PHP:
header("Location: members.php?id=" . $_SESSION['username']);
If more info is needed, let me know and I can make an edit ;)
Have the login form submit the address of the current page. Then you can simply redirect back to that address when the login succeeds, e.g.
<form method="post">
<input type="hidden" name="curpage" value="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>" />
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" />
</form>
if ($login_is_successful) {
header("Location: {$_POST['curpage']}");
exit; // stop the script once the redirect has been sent
}
You could try using the referer, but since that's not sent by all browsers, and is not always accurate, you're better off using alternate "current location" tracking means, such as the above hidden form field.
When they click on the login button you can read the URL, save it to a variable and redirect them to this URL.
So instead of
header("Location: members.php?id=" . $_SESSION['username']);
you can use sth. like:
header("Location: $last_page");
Try this
You can create a PHP file with this code and include it in your code like this:
session.php
<?php
session_start();
error_reporting(0);
if(isset($_SESSION["usuario"]))
{
$usuario = $_SESSION["usuario"];
}
else{
header('Location: members.php?id=' . $_SESSION['username']);
exit; // stop the including page from running after the redirect
}
?>
index.php
<?php
include ('session.php');
?>
to avoid using same code in every page
I want to create a logout / sign out link from a 'members only' area of my website. So I created a logout.php script for this that the sign out link will navigate to and then I used header to redirect to index.php. My question is how do you prevent an user from navigating to the logout.php script by simply typing in the URL?
How do you prevent this for any instance for that matter?
For clarification:
I want users to logout using the sign out link ONLY i.e. by clicking on it; not by typing in the URL address of the logout script.
logout.php is as follows:
<?php
session_start();
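if (isset($_SESSION['user'])){
$_SESSION = array(); // empty the array; unset($_SESSION) would stop $_SESSION from registering session variables
session_destroy();
header ('location: index.php');
exit;
}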
?>
You can stop that by making the logout.php a POST page rather than normal GET. One way of doing this is changing your Log Out link to actually be submitting a form, rather than just a normal link. Then on the logout page, check the form was really submitted before logging out. That will mean anyone just typing in the URL won't be logged out, while users clicking the link will be.
An example of this would be to make your HTML like
<form action="logout.php" method="post" name="logoutform">
<input type="hidden" name="logout" value="y">
Log Out
</form>
You'd probably want extra CSS to remove the form styling too.
The code in logout.php can be:
<?php
if (isset($_POST["logout"]) && $_POST["logout"] == "y") {
/* Getting here means they clicked the link, so log them out */
}
?>
You can't stop them from typing logout.php in the browser, but this will ensure they will only actually log out when they submit the form (i.e. click the log out link). Just typing in the URL will get a blank page.
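A fuller version of the POST-only logout described above, as an added example that is not part of the original answer: it also ties the form to the session with a token, so a form on another site cannot log the user out, and it removes the session cookie as well as the stored data. The `csrf` field and session key, both function names and `index.php` as the destination are assumptions.

```php
<?php
// logout.php (added example). Assumed names: the 'csrf' form field and
// session key, both functions, and index.php as the landing page.
session_start();    // must run first, or there is no session to destroy

// The page that shows the Log out form calls this and sends the value
// back in a hidden input named "csrf".
function logout_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Remove the data on the server and the cookie in the browser.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie using the attributes it was created with
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);    // typed URL or plain link: session untouched
    header('Allow: POST');
    exit;
}

$sent   = $_POST['csrf'] ?? '';
$stored = $_SESSION['csrf'] ?? '';
if (!is_string($sent) || !is_string($stored) || $stored === ''
    || !hash_equals($stored, $sent)) {
    http_response_code(403);    // POST without the session's token
    exit;
}

destroy_session();
header('Location: index.php');
exit;
```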
I want users to logout using the sign out link ONLY; not by typing in the url address of the logout script.
It is not really possible to prevent a visitor from changing the address bar URL in their browser. There's no real way to determine how the user accessed logout.php -- by typing in the URL directly or from a page on your website.
I think you're approaching the issue from the wrong perspective, but if you really want to do this, I'd suggest using a session variable.
This is a basic logout in PHP.
<?php
// Handle the logout before any HTML is sent; session_start() and header() fail once output has started
if (isset($_POST['cerrar'])) {
session_start();
session_unset();
session_destroy();
header("location: index.php");
exit();
}
?>
<form action="index.php" method="post">
<li>
<i class="fa fa-fw fa-power-off"></i><input type="submit" name="cerrar" value='Cerrar sesión' style="outline:none;padding: 0; border: none; background: none;">
</li>
</form>
I am doing a small application in core PHP. Here my database for login is something like this:
id
firstname
lastname
email
userid
account_type
contactno
password
in login file the code is something like this
<?php
include_once("include/connection.php");
session_start();
session_unset();
?>
<?php
$msg="";
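if(isset($_REQUEST['sub'])){
$pswd=sha1($_REQUEST['psd']);
// Escape the user-supplied id before it is placed in the SQL string
$uid=mysql_real_escape_string($_REQUEST['uid']);
$sel=mysql_query("select * from login where userid='".$uid."' and password='".$pswd."'");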
$rowsel=mysql_num_rows($sel);
if($rowsel==1){
$selacc=mysql_fetch_array($sel);
if($selacc['status']!='banned'){
$_SESSION['uid']=$selacc['userid'];
$_SESSION['uname']=$selacc['fname']." ".$selacc['lname'];
$_SESSION['upassword']=$selacc['password'];
$_SESSION['acctype']=$selacc['acctype'];
$_SESSION['agentcode']=$selacc['agent_code'];
$_SESSION['authentication']="authenticated";
header("location:dashboard.php");
exit; // stop rendering the login page after the redirect
}
}
else{
$msg="Enter Valid Username Password";
}
}
?>
<body>
<form name="login-form" method="post" action="#">
<input type="text" name="uid" class="inputbox" />
<input type="password" name="psd" class="inputbox" />
<input type="submit" name="sub" value="" class="inputbotton" />
</form>
Now after login the user is directed to the dashboard. But from here, when I type one page name directly (let's say posts.php), it is redirected to the post.php file. But here I want access denied, so that when someone enters the page name directly in the URL (like post.php) it should show some error. But when the page is reached by a normal redirect, it should show the page. I want to prevent direct page access from the address bar, but when the page is normally redirected to, it should show the page.
Just check any session variable set in the previous page, for example:
if(!isset($_SESSION['uid'])){
echo 'error';
exit;
}
do it on the top
There are 2 factors in it.
1) your folders and files permissions on server.
2) When you log in the first time, it should show you the login page. But when you do the same thing again, the variable is stored in the session until you close your browser. So, close the browser and try again. You need to check whether the session id is set or not, and make a decision according to that.
I am integrating a login page (fixed username and password).
Once the user logs in, he is being redirected to another page 'x' (on my server).
However, when the user closes the browser (or tab) and re opens it, he is automatically being directed to the page 'x' without the need to ask for username and pass.
However, if i delete the cookies from my browsers (firefox) settings, things go back to normal. Deleting the cache does not do anything.
I know I need to insert a couple of lines of code to delete the cookie.
My questions are:
Is this 100% a cookie problem, or do I need to prevent storage in the local cache too?
At which level does the cookie prevention happen: during the login or the redirection?
Once I am redirected to the page 'x', does putting a log out button there make it possible to log out of the session that redirected?
Below is my code.
<?php
session_start();
if(isset($_POST['username'])){
if(($_POST['username'] == "user") && ($_POST['password'] == "pass"))
{
$_SESSION['secured'] = "Secured";
}else{
echo "Wrong username and password. <p>
<a href='?'>retry</a>";
}
}
if(!isset($_SESSION['secured']))
{
echo "<form method='post'>
Username: <input type='text' name='username' maxlength='10' /><br>
Password: <input type='password' name='password' maxlength='10' /><br>
<input type='submit' value='login' />
</form>";
}else{
?>
<html>
<head>
<title>Session Login</title>
</head>
<body>
<p>redirecting....
<meta HTTP-EQUIV="REFRESH" content="1; url=http://x.php">
</p>
</body>
</html>
<?php
}
?>
If you can create a logout.php page that will destroy the session:
session_start(); // the session must be resumed before its variables can be unset
unset($_SESSION['secured']);
header('Location: login.php');
exit;
Simply visit that page and the login will be destroyed.
If you want the session to timeout after a predetermined period of time, you can use something similar to the code shown in this example.
If you're wanting to kill the session after the user has landed on x.php
<?php
session_start();
//First make sure that they're allowed access to x.php
if(!isset($_SESSION['secured'])){
//They shouldn't be here.
header('Location: login.php'); //Redirect back to your login page
exit;
}
//Ok, user is obviously logged in. Unset the session variable so that they can only view this page once (unless they login again)
unset($_SESSION['secured']);
//Show content of x.php
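One way to implement the timeout mentioned in the answer above, as an added example that is not part of the original post: the browser decides when a session cookie is discarded, so the server records the last activity time and refuses sessions that have been idle too long. The `last_seen` key, the 15-minute limit and `login.php` are assumptions; `secured` is the flag from the question.

```php
<?php
// Top of x.php (added example). Assumed names and values: the 'last_seen'
// session key, the 15-minute limit and login.php as the login page.
// login.php has to set $_SESSION['last_seen'] = time() where it sets
// $_SESSION['secured'], ideally right after session_regenerate_id(true).
session_start();

const MAX_IDLE_SECONDS = 900;

// True only while the user is logged in and was active recently enough.
function session_is_live(array $session, int $now, int $maxIdle): bool
{
    return isset($session['secured'], $session['last_seen'])
        && is_int($session['last_seen'])
        && ($now - $session['last_seen']) <= $maxIdle;
}

if (!session_is_live($_SESSION, time(), MAX_IDLE_SECONDS)) {
    // Expired or never logged in: drop the server-side data and ask again
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit;
}

$_SESSION['last_seen'] = time();    // sliding window: each request renews it
// ... protected content of x.php follows ...
```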
Suppose i am using pure php, with no javascript/jquery or ajax.
I have many pages in a website, lets say page1, page2, page3 and page4.
all of the first three pages have a link to go to page4, to log in.
In page 4 i have a form field, and above I have a php script to catch the user input and put the username in a session and after that i want to redirect to the page where the user came from, but the page is not redirecting.
Let me put the code.
<?php
ob_start();
session_start();
if(isset($_POST['username'])){
$username = $_POST['username'];
$_SESSION['username'] = $username;
if(isset($_SERVER['HTTP_REFERER'])){
$referer = $_SERVER['HTTP_REFERER'];
header('location: '.$referer);
}
}
?>
<form action="page4.php" method="POST">
Username: <input type="text" name="username" /><br/>
<input type="submit" value="Submit" />
</form>
I am starting again all page1, page2, page3 with ob_start() and session_start();
If I use a specific page into the header function then it is redirecting, no problem
for example header (location: page2.php).
I am guessing the reason is maybe as my form field and the php script are at the same page (page4)
So how to redirect dynamically? User might come from page 1 or page2 or page 3 and after log in i want them back to the specific page they came from.
In page1.php, page2.php, page3.php:
<?php
session_start();
$_SESSION['page'] = $_SERVER['PHP_SELF'];
in page4.php:
<?php
session_start();
// process form
if ($form_proccessed == true) // or whatever
{
header("Location: {$_SESSION['page']}\r\n");
exit;
}
Using $_SERVER['PHP_SELF'] you won't have to worry about updating the code if you save the file as a new file with a new name.
It can be done with a hidden input field inside the form:
<input type="hidden" name="referer" value="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '') ?>">
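The hidden `goto`, `curpage` and `referer` fields used in the posts on this page, and the Referer header itself, all arrive from the browser, so the value has to be checked before it goes into a `Location:` header. The following is an added example, not code from any of the posts; `safe_redirect_target()`, its `$siteHost` parameter and the `/` fallback are assumed names.

```php
<?php
// Added example. safe_redirect_target(), $siteHost and the '/' fallback are
// assumed names; 'localhost' in the usage note is an assumed host.

/**
 * Reduce a browser-supplied redirect value to a path on this site.
 * Accepts "/page.php?x=1" or a full http(s) URL whose host is $siteHost
 * (the shape of a Referer); anything else yields $fallback.
 */
function safe_redirect_target($candidate, string $siteHost, string $fallback = '/'): string
{
    // Arrays, empty values, control bytes (CR/LF), spaces and backslashes
    if (!is_string($candidate) || $candidate === ''
        || preg_match('/[\x00-\x20\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['host'])) {
        // Full or scheme-relative URL: only our own host over http(s)
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || strcasecmp($parts['host'], $siteHost) !== 0) {
            return $fallback;
        }
    } elseif (isset($parts['scheme'])) {
        return $fallback;               // e.g. "javascript:..." or "data:..."
    }
    $path = $parts['path'] ?? '/';
    // Must be site-absolute, and "//host/..." would leave the site again
    if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Usage with the hidden field from the first post:
// header('Location: ' . safe_redirect_target($_POST['goto'] ?? null, 'localhost'));
// exit;
```

Only the path and query are ever returned, so the redirect stays on the site even when the accepted value was a full URL.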