the problem is the session isn't destroyed when you logout so that you can still access some page that you ought not to access it, i placed an echo statement containing the login_user of the array $_SESSION and whenever you logout and paste the link of that page the login_user was printed successfully what's wrong with my code,I've even tried other ways than unset such as changing the value of login_user to "" nothing is changed.
login page code(named:HomeTest.php)
<?php
require("./config.php");
if ($_SERVER["REQUEST_METHOD"] == "POST"){
session_start();
....
if($count == 1) {
$_SESSION['login_user'] = $myusername;
header("location: welcome.php");
}else {
$error = "Your username or password is incorrect";
}
}
session.php :
<?php
require_once('./config.php');
session_start();
$user_check = $_SESSION['login_user'];
$ses_sql = mysqli_query($conn,"select username from accounts where username = '$user_check' ");
$row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);
$login_session = $row['username'];
if(!isset($_SESSION['login_user'])){
header("location:HomeTest.php");
}
?>
logout.php :
<?php
session_start();
if(session_destroy()) {
unset($_SESSION['login_user']);
header("Location: login.php");
}
?>
another page that shouldn't be accessed unless you're signed in :
<?php
require_once("./config.php");
require_once('./session.php');
if(!isset($_SESSION['login_user'])){
header("location:HomeTest.php");
die("");
}
?>
Use following code for logout.php
<?php
session_start();
session_destroy();
header("Location: login.php");
?>
Hope this will work
the probleme is because
if(session_destroy()) {}
does not return true
you can change that condition by
if(isset($_SESSION['login_user']))
Use the following code:
<?php
session_start();
session_unset();
Related
So normally my session should end when I press logout button on my page but when I go to the previous page via the button (top left). I just go back to my page logged in..
This is my login page code
<?php
session_start();
$errors = array();
if(isset($_POST["name"]) and isset($_POST["password"])) {
$conn = mysqli_connect("localhost", "root", "123", "whoosh") or die("No connection made: ".mysqli_connect_error());
$name = $_POST["name"];
$password = $_POST["password"];
if (empty($name)) { array_push($errors, "Ename is required"); }
if (empty($password)) { array_push($errors, "Password is required"); }
if (count($errors) == 0) {
$query = "SELECT * FROM tbl_user WHERE name='$name' AND password='$password'";
$results = mysqli_query($conn, $query);
$user = mysqli_fetch_assoc($results);
if ($user) { // if user exists
if ($user['name'] === $name and $user['password'] === $password) {
$_SESSION['user'] = $user['id'];
header('location: mainsite.php');
}
}
}
}
?>
This is the code I put on my main site thats allows me to logout.
<?php
session_start();
if(isset($_GET['logout'])){
$_SESSION['name'] = null;
header('Location:http://leopard.med.agfa.be/leopard/website/logIn.php');
}
session_destroy();
?>
So, why is my session not working properly and doesnt log out completely?
Try this one! I dont see any where you passing name to session.
if(isset($_GET['logout'])){
// Initialize the session
session_start();
// Unset all of the session variables
session_unset();
$_SESSION = array();
// Destroy the session.
session_destroy();
unset($_SESSION['user']);
// Redirect to login page
header('Location:http://leopard.med.agfa.be/leopard/website/logIn.php');
exit();
}
Note: I used both unset() and destroy() functions you can use one.
Change the logout script to this:
<?php
if(isset($_GET['logout'])){
// null the _SESSION
$_SESSION = null;
// unset $_SESSION variable for the run-time
session_unset();
// destroy session data in storage
session_destroy();
// last, redirect
header('Location:http://leopard.med.agfa.be/leopard/website/logIn.php');
}
?>
I have a login page in PHP just done for testing, I know my code is not secure.
I did below code to get some data from table and display in table:
session_start();
include("config.php");
if(isset($_SESSION['email']) && $_SESSION['email'] == true){
$user_email=$_SESSION['email'];
$check_user="select * from admin WHERE user_email='$user_email'";
$run=mysqli_query($link,$check_user);
while($row = $run->fetch_assoc()){
$_SESSION['access']=$row['access'];
$_SESSION['name']=$row['user_name'];
}
}
Till here it's working properly, when I login into my page using following code for login page:
session_start();
include("config.php");
if(isset($_POST['login'])){
$user_email=$_POST['email'];
$user_pass=$_POST['pass'];
$check_user="select * from admin WHERE user_email='$user_email'AND user_pass='$user_pass'";
$run=mysqli_query($link,$check_user);
if(mysqli_num_rows($run)>0){
$_SESSION['email']=$user_email;
$_SESSION['access']=$result['access'];
//here session is used and value of $user_email store in $_SESSION.
echo "<script>window.open('index.php','_self')</script>";
}else{
echo "<script>alert('Email or password is incorrect!')</script>";
}
}
But when I'm trying to add the following code for redirecting user if not logged in, even if I login I'm redirected to login page again and again.
The mistake is with the below code:
session_start();
include("config.php");
if(isset($_SESSION['email']) && $_SESSION['email'] == true){
$user_email=$_SESSION['email'];
$check_user="select * from admin WHERE user_email='$user_email'";
$run=mysqli_query($link,$check_user);
while($row = $run->fetch_assoc()){
$_SESSION['access']=$row['access'];
$_SESSION['name']=$row['user_name'];
}
}
//if login in session is not set
if(!isset($_SESSION['login'])){
header("Location: login.php");
}
I am new to php, can anyone please tell me what is wrong with my code?
<?php
session_start();
include("config.php");
if(isset($_SESSION['email']))
{
$user_email=$_SESSION['email'];
$check_user="select * from admin WHERE user_email='$user_email'";
$run=mysqli_query($link,$check_user);
while($row = mysqli_fetch_array($run))
{
$_SESSION['access']=$row['access'];
$_SESSION['name']=$row['user_name'];
$_SESSION['login']=$row['user_login'];
}
}
if(!isset($_SESSION['login'])){ //if login in session is not set
header("Location: login.php");}
?>
3 code
<?php
session_start();
include("config.php");
if(isset($_POST['email']) && isset($_POST['pass']))
{
$user_email=$_POST['email'];
$user_pass=$_POST['pass'];
$check_user="select * from admin WHERE user_email='$user_email' AND user_pass='$user_pass'";
$run=mysqli_query($link,$check_user);
if(mysqli_num_rows($run)>0)
{
while($row=mysqli_fetch_array($run)){
$_SESSION['email']=$user_email;
$_SESSION['access']=$result['access'];
}
//here session is used and value of $user_email store in $_SESSION.
echo "<script>window.open('index.php','_self')</script>";
}
else
{
echo "<script>alert('Email or password is incorrect!')</script>";
}
}?>
2 code
<?php
session_start();
include("config.php");
if(isset($_SESSION['email']))
{
$user_email=$_SESSION['email'];
$check_user="select * from admin WHERE user_email='$user_email'";
$run=mysqli_query($link,$check_user);
while($row = mysql_fetch_array($run))
{
$_SESSION['access']=$row['access'];
$_SESSION['name']=$row['user_name'];
}
}
?>
1 code
I want to redirect on the same page after login, but I need conditions like if username and password come from index.php then page will redirect to dashboard.php, else it will redirect on the same page (exmple.php).
login.php:
<?php
include ('include/connection.php');
if (isset($_POST['loginform'])) {
session_start();
$email = trim(mysql_escape_string($_POST['email']));
$passwords = trim(mysql_escape_string($_POST['pwd']));
$password = md5($passwords);
$verify_query = "SELECT * FROM end_user WHERE (email='$email' AND password='$password')";
verify_result = mysqli_query($con, $verify_query);
if(!$verify_result){
echo '<h2>Couldnot Process your request Please try to login after some time. </h2>';
}
if (#mysqli_num_rows($verify_result) == 1) {
$_SESSION = mysqli_fetch_array($verify_result, MYSQLI_ASSOC);
header("Location: dashboard.php");
}
else {
echo '<h2 style="color:#CC3300;">Incorrect Credentials, You need to register Here</h2>';
}
mysqli_close($con);
}
?>
index.php:
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
And I used the same code in example.php, so that I can get the URL in $_SESSION.
From Your index.php login form pass an hidden field like
<input type="hidden" name="extrafield" value="fromindex">
Then
<?php
include ('include/connection.php');
if (isset($_POST['loginform'])) {
session_start();
$email = trim(mysql_escape_string($_POST['email']));
$passwords = trim(mysql_escape_string($_POST['pwd']));
$password = md5($passwords);
$verify_query = "SELECT * FROM end_user WHERE (email='$email' AND password='$password')";
$verify_result = mysqli_query($con, $verify_query);
if(!$verify_result){
?>
<?php
echo '<h2>Couldnot Process your request Please try to login after some time. </h2>';
}
if (#mysqli_num_rows($verify_result) == 1)
{
$_SESSION = mysqli_fetch_array($verify_result, MYSQLI_ASSOC);
if(isset($_POST['extrafield']) == 'fromindex'){
header("Location: dashboard.php");
} else {
header("Location: exmple.php");
}
}else
{
?>
<?php echo '<h2 style="color:#CC3300;">Incorrect Credentials, You need to register Here </h2>';
}
mysqli_close($con);
}
?>
Please help with my logout script. I am sorry for dumb mistakes I am very new to php. Please provide me with details and examples of how to fix this. Thank you so much.
Login Page: There are 4 types of users. Each user will get a separate home page.
<?php
session_start();
require_once('common/config.php');
if(isset($_POST['username']))
{
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM `users` WHERE username='".$username."' and password='".$password."'";
$result = mysql_query($sql) or die(mysql_error());
$fetched = mysql_fetch_array($result);
if ($fetched['user_type'] == "admin")
{
header('location: adminhomepage.php');
}
else if ($fetched['user_type'] == "po")
{
header('location: pohomepage.php');
}
else if ($fetched['user_type'] == "pw")
{
header('location: pwhomepage.php');
}
else if ($fetched['user_type'] == "ps")
{
header('location: pshomepage.php');
}
else
{
header('location: invalid.php');
exit();
}
}
?>
Home Page: For instance this is the admin home page.
<?php
session_start();
if (isset($_SESSION['username']) && ($_SESSION['username'] !== 1))
{
header('Location: login.php');
}
?>
Logout Page
<?php
session_start();
$_SESSION['username'] =0;
?>
Logout Button
<form action = "logout.php">
<input id="logoutbutton" type="submit" value="Logout">
</form>
logout page
<?php
session_start();
unset($_SESSION['susername']);
$_SESSION['susername'] = "";
session_destroy();
header("location:index.php");
?>
login.php
session_start();
if (isset($_SESSION['uname']) == "")
{
require_once('index.php');
}
$user_name = $_POST['user_name'];
$user_pass = $_POST['user_pass'];
$_SESSION['susername'] = $user_name; // or other value
logout page -
<?php
session_start();
$_SESSION['username'] =0;
?>
you have to start the session first before accessing it.
In your logout.php please update this code...
<?php
session_start();
if(isset($_SESSION['username']))
{
unset($_SESSION['username']);
header('Location: login.php');
}
?>
use unset($_SESSION['susername']) or session_destroy
Edit:
With your new information, it's clear you never actually set the $_SESSION['username'] value.
if ($fetched['user_type'] == "admin")
{
$_SESSION['username'] = $username;
header('location: adminhomepage.php');
}
else if ($fetched['user_type'] == "po")
{
$_SESSION['username'] = $username;
header('location: pohomepage.php');
}
else if ($fetched['user_type'] == "pw")
{
$_SESSION['username'] = $username;
header('location: pwhomepage.php');
}
else if ($fetched['user_type'] == "ps")
{
$_SESSION['username'] = $username;
header('location: pshomepage.php');
}
else
{
header('location: invalid.php');
}
exit();
Your problem is your comparison.
if ($_SESSION['username'] != 1)
This is true if $_SESSION['username'] is not set, null, a string, false, etc...
This might be more what you are looking for.
if (isset($_SESSION['username']) && is_string($_SESSION['username']) && strlen($_SESSION['username']))
And you need to fix your SQL injection problem here
$sql = "SELECT * FROM `users` WHERE username='".$username."' and password='".$password."'";
Escape variables with mysql_real_escape_string or use PDO with proper prepared statements.
You should also store passwords as hashes with password_hash(). Fetch the user, compare stored hash to password with password_verify.
if (!password_verify($password, $fetched["password"])) {/* wrong password, show error or something */}
if ($count == 1) {
$_SESSION["authenticated"] = $row[0]; //register session with user id
header("Location: success.php");
}
success.php:
<?
session_start();
if (isset($_SESSION['authenticated'])) {
header("Location: view.php");
} else {
header("Location: index.php");
}
?>
It doesn't seem to be working it keeps redirecting me to index.php like the session was never registered. What am I doing wrong?
You need to add session_start() into first block
if ($count == 1) {
session_start();
$_SESSION["authenticated"] = $row[0]; //register session with user id
header("Location: view.php");
exit;
}
And there is no sense in having success.php. Just send a user directly to view.php
where you have to verify user authentication again:
<?
session_start();
if (empty($_SESSION['authenticated'])) {
header("Location: index.php");
exit;
}
?>
and exit is obligatory after Location, or your protection will protect nothing