Whenever I run the logout.php script and then go back to a protected page without logging in, it still has me logged in.
logout.php
<?php
session_start();
session_unset();
session_destroy();
header("Location: ../index.php");
exit();
?>
login.php
$userlogin = user_login($email, $password.$salt);
if ($userlogin==false){
$errors[]='Wrong email/password combination.';
} else {
//set the user session
$_SESSION['UserId']=$userlogin;
$_SESSION['LoginIP']=$_SERVER['REMOTE_ADDR'];
$db->query("UPDATE users SET ipadd='".$_SERVER['REMOTE_ADDR']."' WHERE user_id=".$_SESSION['UserId']."");
echo '<meta http-equiv="refresh" content="0; URL=index.php">';
}
Check logged in snippet
/* Check if user is logged in or not */
function loggedin(){
return (isset($_SESSION['UserId'])) ? true : false;
}
if (loggedin()==true){
$session_user_id = $_SESSION['UserId'];
$user_data = user_data($session_user_id,'full_name','username');
$rezult =$db->query("SELECT ipadd FROM users WHERE user_id=".$_SESSION['UserId']."");
while($rez = $rezult->fetch_assoc()){
if ($rez['ipadd']==$_SERVER['REMOTE_ADDR']) {
} else {
echo '<meta http-equiv="refresh" content="0; URL=logout2.php">';
}
}
}
I have been looking at posts with the same question, but whatever I try I am still getting the same issue. Any advice would be extremely appreciated!
This is from php.net: http://php.net/manual/en/function.session-destroy.php
Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data.
So you just need $_SESSION = null, and logout should happen.
I think your index.php file should have these lines:
if(!isset($_SESSION["session_name"])){
header("Location: somewhere_mainpage.php");
exit(); // stop here so the rest of the page is not sent
}
It is better to make all pages have these lines. These lines will send a header to another page if no session has started.
I believe that the session_start(); function call should be on your login page when the user login data is correct, and in your logout PHP code, you should set
session_destroy(); or unset($_SESSION['UserId']);
Logout.php:
<?php
session_start(); // session_destroy() only acts on a session that has been resumed
session_destroy();
/* * OR * */
//unset($_SESSION['UserId']);
header("Location: ../index.php");
exit();
?>
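<?php
session_start(); // resume the session so there is something to destroy
session_unset();
session_destroy();
header("Location: ../index.php");
exit();
?>
should work, otherwise you could unset the values
<?php
session_start(); // resume the session so there is something to destroy
unset($_SESSION['UserId']); // Unsets the UserId variable; repeat for each variable
session_destroy();
header("Location: ../index.php");
exit();
?>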
Have you tried just session_destroy()?
Also, I'm not sure whether you need session_start() when you are closing the session; from memory you only need it to start the session.
I always like to destroy the server session, and client cookie, try to manually cover all options in case of any errors.
You can destroy the cookie in PHP with:
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly );
<?php
$cookie_path = "...";
$cookie_domain = "...";
$cookie_secure = "...";
$cookie_httponly = "...";
session_start();
session_unset();
session_destroy();
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain,$cookie_secure, $cookie_httponly );
header("Location: ../index.php");
exit();
time() - 3600 makes the cookie expire before the current time, which makes it invalid.
Another option to investigate is session_regenerate_id() on your logout pages. Some reference pages are below:
php.net - session-regenerate-id
https://stackoverflow.com/a/22965580/1246494
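An added example, not taken from any of the posts above, that combines the points raised in this thread: resuming the session before destroying it, deleting the cookie with the parameters PHP itself reports rather than hand-filled values, regenerating the session ID at login, and a guard that stops the script after redirecting. The function names are hypothetical; the UserId key and redirect targets follow the question.

```php
<?php
// Added example; the function names are hypothetical, not from the posts above.

function resume_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call once the credentials have been verified.
function login_user(int $userId): void
{
    resume_session();
    session_regenerate_id(true); // new ID at login; true deletes the old session data
    $_SESSION['UserId'] = $userId;
}

// Call at the top of every protected page, before any output.
function require_login(string $loginUrl = 'index.php'): int
{
    resume_session();
    // Assumption: part of the "still logged in" symptom can be a cached copy
    // shown by the Back button, so ask the browser not to store the page.
    header('Cache-Control: no-store');
    if (!isset($_SESSION['UserId'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the rest of the protected page still runs
    }
    return (int) $_SESSION['UserId'];
}

function logout_user(string $redirectUrl = '../index.php'): void
{
    resume_session(); // session_destroy() only acts on an active session
    $_SESSION = [];   // clear the in-memory copy for the rest of this request
    if (ini_get('session.use_cookies')) {
        // Reuse the path, domain and flags PHP reports for the session cookie;
        // a path or domain mismatch leaves the old cookie in the browser.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session data
    header('Location: ' . $redirectUrl);
    exit;
}
```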
<?php
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
?>
Every time I press logout, home.php is just refreshed and the session is not over.
<?php
// Resume the session first: unset() and session_destroy() need an active session.
session_start();
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
?>
Try this, as you need to check whether it is set first; otherwise your script will redirect, because your if statement is above the session destroy.
To me this does the trick:
setcookie(session_name(), session_id(), 1);
$_SESSION = [];
i.e. first make the session expire (after the first second in the year 1970), then clear the $_SESSION variable.
Your first if block is run first and the session is still set at that time. Reverse the order of your if blocks and you may get a better result.
Better to use the PHP documentation approach:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
In order to delete also the session cookies.
I have a file where the $_SESSION['username'] variable is first created:
<?php
$kullaniciadi = $_POST['kullaniciadi'];
$sifre = $_POST['sifre'];
if ((!$kullaniciadi =="") and (!$sifre =="")) {
include("db.php");
$sql = $sqlt->query("select * from uye where kullaniciadi='$kullaniciadi' and sifre='".md5($sifre)."'");
$kayitsayisi = mysqli_num_rows($sql);
if ($kayitsayisi == "0") {
header ("Location: login.php?hata=yes");
}
else {
$kontrol_ok = $sql -> fetch_assoc();
$k=$kontrol_ok["kullaniciadi"];
session_start();
$_SESSION['username']= $k;
header ("Location: homepage.php");
}
}
else {
header ("Location: login.php?hata=yes");
}
?>
It is called login_do.php (I send MySQL data from the login.php form to here, and do the username and password check in this file).
Then in every other PHP file I have, I begin with:
<?php
session_start();
if (isset($_SESSION["username"])) {
echo 'loginok';
} else {
header ("Location: login.php");
}
?>
Then I have a logout.php, where the user is redirected to if he presses a button. The logout.php file contains this:
<?php
session_start();
if(isset($_SESSION['username'])) {
unset($_SESSION['username']);
}
session_destroy();
header("Location: login.php")
?>
But it simply doesn't work. I mean if I go into my browser's cookies and delete the SESSION cookie by myself, then yes, the whole system works and I can't access any other PHP files than login.php unless I log in. But I need this to work with logout.php instead of me deleting the session from the browser by myself manually.
session_unset();
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
--http://php.net/manual/en/function.session-destroy.php
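The login_do.php in this question interpolates the posted username directly into the SQL string and compares an unsalted MD5 digest. An added example, not from the original post, of the same lookup with a bound parameter and password_verify(); it assumes $sqlt is the mysqli connection from db.php and that the uye table has a hypothetical sifre_hash column filled by password_hash().

```php
<?php
// Added example; check_login() and the sifre_hash column are hypothetical.
function check_login(mysqli $sqlt, string $kullaniciadi, string $sifre): ?string
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $sqlt->prepare(
        'SELECT kullaniciadi, sifre_hash FROM uye WHERE kullaniciadi = ?'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $kullaniciadi);
    $stmt->execute();
    $stmt->bind_result($name, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Fail closed: no row, or a password that does not match the stored hash.
    if ($found !== true || !password_verify($sifre, $hash)) {
        return null;
    }
    return $name;
}

include 'db.php'; // assumed to define $sqlt, as in the question
$kullaniciadi = $_POST['kullaniciadi'] ?? '';
$sifre = $_POST['sifre'] ?? '';
$user = ($kullaniciadi !== '' && $sifre !== '')
    ? check_login($sqlt, $kullaniciadi, $sifre)
    : null;
if ($user === null) {
    header('Location: login.php?hata=yes');
    exit; // stop here so nothing below runs for a failed login
}
session_start();
session_regenerate_id(true); // fresh session ID for the authenticated user
$_SESSION['username'] = $user;
header('Location: homepage.php');
exit;
```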
I have made a login and register system, which works flawlessly, and I am very proud of, but I cannot seem to get a logout function working.
My login system basically takes the database and scans it for rows that have both the username and password specified, and if it does, then it makes $_SESSION['loggedin']=1; and if it fails it makes it equal to 0.
Once the user is done, he/she clicks on a link that redirects to logout.php, and that is where the issues start. I have put session_start(); at the beginning of each page, but session_destroy, session_unset, and combinations of the two cannot seem to kill the session.
So I am wondering, is there a way that upon loading logout.php, it sets the $_SESSION['loggedin'] to 0, and then redirects back to index.php (my homepage)? Which means it doesn't kill the session, but it would effectively log the user out. Any help is appreciated.
// Four steps to closing a session
// (i.e. logging out)
// 1. Find the session
session_start();
// 2. Unset all the session variables
$_SESSION = array();
// 3. Destroy the session cookie
if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// 4. Destroy the session
session_destroy();
if session_destroy doesn't work, use instead:
unset($_SESSION['put your session in here']);
// logout.php
session_start();
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1) {
$_SESSION['loggedin'] = 0;
header('Location: index.php');
}
It redirects the user to index.php if $_SESSION['loggedin'] equals 1, and sets $_SESSION['loggedin'] to 0.
I suggest you have 3 files
1) login.php
<?php
session_start();
/*if user $_POST username and password is correct then*/
$_SESSION['loggedin'] = 1;
?>
2) logout.php
<?php
session_start();
unset($_SESSION['loggedin']);
$_SESSION['loggedin'] = 0;
?>
3) checkLogin.php
<?php
session_start();
// Deny access unless the flag is present and equal to 1;
// a visitor who never logged in has no 'loggedin' key at all.
if ( !isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != 1 )
{
echo "<script type='text/javascript'>alert('You need to login !')</script>";
echo '<meta http-equiv="Refresh" content="0;URL=index.php" />';
flush();
exit();
}
?>
With these 3 files, if you want to control a page that requires login before access, you just include('checkLogin.php');
e.g. index.php does not require login, so do not include('checkLogin.php');
but memberProfile.php requires login first, so include('checkLogin.php');
I'm trying to create a simple member login site, and I was following along with a tutorial online. However, a deprecated function is used. Here is the code.
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id']))
{
//remove cookie
setcookie("$id_cookie", '', time() - 50000);
setcookie("$pass_cookie", '', time() - 50000);
}
if(!session_is_registered('username'))
{
header("Location: index.php");
}
else
{
exit('Sorry we could not log you out');
}
?>
I also tried !isset($_SESSION['username']), but every time I try to log out, I just receive the 'Sorry we could not log you out' text.
Here is the part of my login.php file code where I set the sessions:
//member does exist, start sessions
$_SESSION['password'] = $password;
while($row = mysql_fetch_array($query))
{
$username = $row['username'];
$id = $row['id'];
}
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
Any help would be great!
Don't use
session_is_registered
use
if (isset($_SESSION['SESSION_VARIABLE_NAME']))
You may add "session_unset();" before "session_destroy();"
session_destroy() deletes the session file and releases the session id, but keeps the $_SESSION variable in memory.
use this with isset
if(!isset($_SESSION['username']))
Try this
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
if(!isset($_SESSION['username']))
{
header("Location: index.php");
}
Check whether the SESSION is stored or not.
Try this code in your log out script
<?php
session_start();
if(isset($_SESSION['id']))
{
unset($_SESSION['username']);
unset($_SESSION['id']);
}
if(!isset($_SESSION['username']))
{
header("Location: index.php");
}
else
{
exit('Sorry we could not log you out');
}
?>
My problem may seem pretty elementary, but I don't know what's wrong with my code. I have a very simple login system that looks like this:
login.php:
<?php
session_start();
if ($_SESSION['loggedin'] = 1) {
header("Location: admin.php");
}
if ($_GET['login']) {
// Only load the code below if the GET
// variable 'login' is set. You will
// set this when you submit the form
if ($_POST['username'] == 'thenemis'
&& $_POST['password'] == 'slustice') {
// Load code below if both username
// and password submitted are correct
$_SESSION['loggedin'] = 1;
// Set session variable
header("Location: admin.php");
exit;
// Redirect to a protected page
} else echo "Wrong details";
// Otherwise, echo the error message
}
?>
<form action="?login=1" method="post" accept-charset="utf-8">
<fieldset>
<label for="username">Username:</label>
<input type="text" name="username" placeholder="username" required>
<label for="password">Password:</label>
<input type="password" name="password" placeholder="password" required>
<input type="submit" value="Login">
</fieldset>
</form>
This works fine.
admin.php:
<?php
session_start();
// Call this function so your page
// can access session variables
if ($_SESSION['loggedin'] != 1) {
// If the 'loggedin' session variable
// is not equal to 1, then you must
// not let the user see the page.
// So, we'll redirect them to the
// login page (login.php).
header("Location: login.php");
exit;
}
?>
<p>Log out</p>
Now my problem is that the system keeps me logged in even though I clicked the logout URL, which looks like this:
logout.php:
<?php
session_start();
session_destroy();
header("Location: login.php");
?>
There is obviously some elementary mistake with my logout procedure, but I can't seem to find it... Thanks for any help in advance!
You are making assignment here:
if ($_SESSION['loggedin'] = 1) {
header("Location: admin.php");
}
and you should make a comparison:
if ($_SESSION['loggedin'] == 1) {
header("Location: admin.php");
}
Try this
<?php
session_start(); // session_destroy() needs the session to be resumed first
session_destroy();
header('Location: index.php');
exit();
?>
change your admin.php file
<?php
session_start();
if (!isset($_SESSION['loggedin'])) {
header("Location: login.php");
exit;
}
?>
<p>Log out</p>
In login.php you didn't call session_start() after the user details were verified...
Try to add session_start(); before $_SESSION['loggedin'] = 1;
This may work for you...
In logout.php, before destroying, unset the session variable using this line:
unset($_SESSION['loggedin']);
From the php.net Manual:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Use this code (copied from php.net) to logout securely:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
Just try with the following changes :
In login.php :
if ($_SESSION['loggedin'] == 1) {
header("Location: admin.php");
}
In logout.php :
<?php
session_start();
ob_start();
session_destroy();
$_SESSION['loggedin']=""; //Just empty that session variable
header("Location: login.php");
?>
I think this may help you to resolve your problem.