Session reset without session_destroy is valid? - php

I'm trying to destroy the session without using session_destroy because I want to carry the information message. My question is whether my code is valid: I already reset the session by setting $_SESSION to an empty array. Or is using session_destroy a must for security reasons? If I use session_destroy, I can't pass $_SESSION['msg'] anymore.
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>

You need session_unset()
session_unset just clears out the session for usage. The session is
still on the user's computer. Note that by using session_unset, the
variable still exists. session_unset just removes all session
variables. It does not destroy the session, so the session would
still be active.
via: http://php.net/manual/en/function.session-unset.php
and then you can do it like
$_SESSION['msg'] = "You have logged out.";
so that the msg is added to session.
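Or you can do it like this too:
$msg = "Whatever the message is";
// URL-encode the message so spaces and special characters survive the redirect
header("Location: index.php?message=" . urlencode($msg));
In the index.php file:
if (!empty($_GET['message'])) {
    // The query string is user-controlled, so escape it before output
    echo htmlspecialchars($_GET['message'], ENT_QUOTES, 'UTF-8');
}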

First, you should use session_unset(); to remove all session variables/values rather than assigning a new array to it.
The main answer to your query:
I would recommend using session_destroy() because it removes the internal session ID generated, which would be validated at every request coming from a client device. To verify this, just print the session ID using echo session_id(); before and after emptying the session in the way you are doing. It would print the same session ID.
So destroying it first and then creating a new one will be a good idea.
Once you destroy the session using session_destroy() you can start a new session again and set your message $_SESSION['msg'] in it.

Just use session_unset($_SESSION['session_name']); I hope this will work.

You can use cookies; you would keep for example the username, the password and the connection status of the user. When the user comes back to your site, you know who he is and if he is already connected.
setcookie ("Msg", "you have logged out", time () + 3600);
(for a cookie of one hour, you put the time that you want ...)

Your code:
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>
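In the index page, do the following:
<?php
session_start(); // required so $_SESSION is populated on this page
if (!empty($_SESSION['msg'])) {
    // Escape on output, then remove the message so it is shown only once
    echo htmlspecialchars($_SESSION['msg'], ENT_QUOTES, 'UTF-8');
    unset($_SESSION['msg']);
}
?>
This will show your message once and unset it immediately.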

Related

php session and session unset + destroy keeps session intact

I have a small website using a session to check for a user login.
When the user clicks logout they are redirected to a page containing only session destroy.
The code is as follows:
<?php
session_start();
if(session_destroy()) {
$_SESSION = array();
header("Location: http://domain.com/");
}
exit();
?>
I've tried to remove the if statement to check for any problem when destroying the session.
I have even used unset and setting the array to empty.
Still when redirected to the domain homepage the user is still logged in and the session is still set.
Also, I tried to unset the specific session and still nothing happens.
--
Update:
The session is not even being returned as an empty value. Echoing the session after logout still returns the value of the username.
This answer should help. As Roland Starke mentioned in a comment, session_destroy will not remove a cookie.
https://stackoverflow.com/a/3512570/3563178
Try this.
<?php
session_start();
if(session_destroy()) {
echo '<meta http-equiv="refresh" content="0;URL=http://domain.com">';
}
exit();
?>
I think the header is throwing an error in this particular case of yours (Header already sent).

PHP Cookies not being loaded when coming from a clicked link

I'm working on a website that is keeping a user session token in $_SESSION. When I type the URL directly, I can load the cookies just fine, but when I click on a page that loads the cookie through PHP, it can't find the cookie. Is there any way to get around this?
Here's the code for saving the cookie
setcookie("tpl_token", $token, time()+365*24*60*60, "/");
And for retrieving
if(isset($_COOKIE['tpl_token'])){
$token = $_COOKIE['tpl_token'];
} else {
echo "Cookie not set";
}
It is returning that cookie is not set.
In order to create a session in PHP, use the session_start() function. PHP handles sessions internally for you, so you do not have to do any dirty work.
Example:
session_name("tpl_token");
session_start(); //sends session cookie with name "tpl_token"
//create session variable.
$_SESSION["logged_in"] = true;
if(isset($_SESSION["logged_in"])){
//stuff to do if user is logged in already
} else {
//stuff to do if user is not logged in.
}
//Destroy Session/Logout;
session_unset();
session_destroy();
If you are trying to create session cookies, there is no need for the $_COOKIE[] function.

why session data not being destroy?

I have some simple PHP scripts. One is to display the login user, and the other one is to log out. These are code fragments from a larger file. Anyway, first I executed the login script and entered the user name; the user name showed up fine. Next I executed the logout. If I entered the login page again, I would expect the login_user to be empty, but it is not. The older login_user name is still there. If I clear the cache and bring up the login page again, the login_user is gone. How do I clear the session data for good? Here is the login.php
<?php
session_start();
$_SESSION['myerror']="XXX";
displayLoginUser();
function displayLoginUser()
{
if (isset ($_SESSION['login_user']))
{
echo $_SESSION['login_user'];
}
} // end displayLoginUser
?>
Here is the logout.php
<?php
// NOTE none of the statements below seem to clear the login_user
$_SESSION['login_user'] = " ";
unset ($_SESSION['login_user']);
session_destroy();
header("location: library.php");
?>
Try this:
session_start();
$_SESSION = array();
session_destroy();
This will completely destroy the session and all its variables; no need to unset() or anything else.

php mysql + sessions errors with logout

I am creating a website with login, logout and registration, but an error appears every time I want to log out. How do I fix it? I think the error is in the session. This error is driving me crazy; I did a lot of searching about fixing the problem but did not get any solution that helped me.
logout.php
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
if(isset($_SESSION['username'])){
echo("we could not log out try again!");
exit();
}else{
header("Location: home.php");
}
?>
Not sure of your error, but reading about session_destroy would help you out.
My guess is the error is when checking if(isset($_SESSION['username'])){, as, according to the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
You never start the session again, so you can't use session variables.
Also, for further assistance with logging a user out, the following from the same page will help:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
And while it's not in the scope of the question - it will help you make a successful logout script.
session_destroy(); destroys all the sessions, so I'm not following the point of your if statement to check for the username session?
Secondly you don't actually need brackets for echo:
echo("we could not log out try again!"); exit();
Can be written as:
echo "we could not log out try again!"; exit;
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
header("Location: home.php");
exit();
?>
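
Added example (not from any post on this page): a logout routine that combines the manual's advice quoted above (unset the session ID by deleting the cookie) with the destroy-then-start-again approach recommended in the first thread, so a one-time message can survive the logout. The function name end_session() is hypothetical; the code assumes cookie-based sessions and PHP 7.3 or later for the array form of setcookie().

```php
<?php
// logout.php (added example; end_session() is a hypothetical helper name)

function end_session(?string $flash = null): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $_SESSION = [];     // clear this request's copy of the session data
    session_destroy();  // delete the server-side record stored under the old ID

    if ($flash === null) {
        // Nothing to carry over: also expire the session cookie, reusing the
        // parameters it was set with so the browser removes the same cookie.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
            ]);
        }
        return;
    }

    // The browser sent the old ID with this request, so a plain
    // session_start() may reopen a session under that same ID (it does
    // unless session.use_strict_mode is enabled). Regenerating forces a
    // new ID and removes the record that was just reopened.
    session_start();
    session_regenerate_id(true);

    // The new session is unauthenticated and holds only the flash message.
    $_SESSION['msg'] = $flash;
}

end_session('You have logged out.');
header('Location: index.php');
exit;
```

The target page still has to call session_start(), print the message with htmlspecialchars(), and unset it so it is shown once.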

PHP, session problems

I'm having problems with a session variable: after my database has changed the session variable, it doesn't update the new session variable when I press the back button. It is already updated in the database but not on the webpage; I have to re-login to see the new variable.
And how do I use session_regenerate_id?
Copied from php.net:
<?php
session_start();
$old_sessionid = session_id();
session_regenerate_id();
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";
print_r($_SESSION);
?>
When a user presses the back button, their browser generally shows a cached page, rather than re-requesting the page, so that's most likely where your issue is coming from.
You use session_regenerate_id by calling it, and the user will be given a new session ID and their session will be transferred over to that ID. If you pass True as a parameter, the session will be cleared, too. It's generally used to prevent session fixation attacks.
Make sure that you have put the statement below at the top of your script, otherwise no sessions will be handled:
session_start();
