<?php
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
?>
Everytime I press logout, home.php is just refreshed and session is not over.
<?php
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
?>
Try this as you need to check it is set first otherwise your script will redirect as your if statement is above the session destroy
to me this does the trick:
setcookie(session_name(), session_id(), 1);
$_SESSION = [];
i.e first make the session expire
(after the first second in the year 1970),
then clear the $_SESSION variable.
Your first if block is run first and the session is still set at that time. Reverse the order of your if blocks and you may get a better result.
Better to use the PHP documentation approach:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
In order to delete also the session cookies.
Related
Whenever I run the logout.php script then go back to a page that is protected without login it will have me still logged in
logout.php
<?php
session_start();
session_unset();
session_destroy();
header("Location: ../index.php");
exit();
?>
login.php
$userlogin = user_login($email, $password.$salt);
if ($userlogin==false){
$errors[]='Wrong email/password combination.';
} else {
//set the user session
$_SESSION['UserId']=$userlogin;
$_SESSION['LoginIP']=$_SERVER['REMOTE_ADDR'];
$db->query("UPDATE users SET ipadd='".$_SERVER['REMOTE_ADDR']."' WHERE user_id=".$_SESSION['UserId']."");
echo '<meta http-equiv="refresh" content="0; URL=index.php">';
Check logged in snippet
/* Check if user is logged in or not */
function loggedin(){
return (isset($_SESSION['UserId'])) ? true : false;
}
if (loggedin()==true){
$session_user_id = $_SESSION['UserId'];
$user_data = user_data($session_user_id,'full_name','username');
$rezult =$db->query("SELECT ipadd FROM users WHERE user_id=".$_SESSION['UserId']."");
while($rez = $rezult->fetch_assoc()){
if ($rez['ipadd']==$_SERVER['REMOTE_ADDR']) {
} else {
echo '<meta http-equiv="refresh" content="0; URL=logout2.php">';
}
}
}
Been look at posts with the same question but whatever I try still getting the same issue. Any advice would be extremely appreciated!
this is from php.net http://php.net/manual/en/function.session-destroy.php
Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data.
so you just need $_SESSION = null, and logout should happen.
I think in your index.php file should have these line:
if(!isset($_SESSION["session_name"])){
header("Location: somewhere_mainpage.php");
}
It is better to make all pages have these line. These line will send header to another page if no session has started.
I believe that session_start(); function call should be on your login page when the user login data is correct, and in your logout PHP code, you should set
session_destroy(); or unset($_SESSION['UserId'];
Logout.php:
<?php
session_destroy();
/* * OR * */
//unset($_SESSION['UserId'];
header("Location: ../index.php");
exit();
?>
<?php
session_unset();
session_destroy();
header("Location: ../index.php");
?>
should work, otherwise you could unset the values
<?php
unset($_SESSION['UserId']); // Unsets the UserId Variable reuse for each variable
session_destroy();
header("Location: ../index.php");
?>
have you tried just session_destroy() ?
also I'm not sure wether you need session_start() when you are closing the session, from memory you only need it to start the session
I always like to destroy the server session, and client cookie, try to manually cover all options in case of any errors.
You can destroy the cookie in PHP with:
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly );
<?php
$cookie_path = "...";
$cookie_domain = "...";
$cookie_secure = "...";
$cookie_httponly = "...";
session_start();
session_unset();
session_destroy();
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain,$cookie_secure, $cookie_httponly );
header("Location: ../index.php");
exit();
time() - 3600 makes the cookie expiry before the current time, which makes it invalid.
Another option to investigate is session_regenerate_id() on your logout pages. Some reference pages are below:
php.net - session-regenerate-id
https://stackoverflow.com/a/22965580/1246494
I have 2 user level, one is for the admin_tbl and the other is for cashier_tbl they have the same database. My problem is whether I log out either cashier or admin the other one is also log out when I refresh the page. I dont know what the problem is, I used different table so but it log out both of them at the same time? kindly help me with this problem, give me some ideas of whats wrong. Thanks!
UPDATE: Thats my logout code for both cashier_tbl and admin_tbl
This is my code for cashier_tbl
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php");
?>
And this is for my admin_tbl
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php");
?>
Your problem on this line :
if (isset($_SESSION['user_id']))
{
header("Location: user_maintenance.php");
}
it's redirect you to user_maintenance.php even if $_SESSION is empty. And on :
if (isset($_SESSION['user_id']))
{
header("Location: order.php");
}
is same to.
These is the others correct way.
I assumed you never set session_unset() or session_destroy() in your logout method.
Delete session_unset() and session_start(); in the first line of your code above, it's not neccessary.
After check the user login method like your code above, in your file order.php and user_maintenance.php, start the session. it would something like this :
<?php
session_start();
// check if the user was login or not
if($_SESSION['login'] == false){
header('Location: user-is-not-login.php');
}
?>
// this area can be access if session is true.
create logout method in location that session was set. something like this :
<?php
session_start();
session_destroy();
session_unset();
header('Location: login.php');
?>
You need to destroy the session before set a new session.
hope these help.
I cannot properly unset the session id of my page unless I close the browser and reopen it. I tried to set the $_SESSION = null; and to forcefully set the cookie to a negative value setcookie('cookiename', '', time()-3600); but no results yet.
<body>
<?php
session_start();
// Unset all of the session variables.
$_SESSION = null;
setcookie('cookiename', '', time()-3600);
session_destroy();
print "SESSION has been destroyed - all session data deleted";
?>
back to home page
</body>
replace lab5destroy.php with below code
<body>
<?php
ini_set('session.use_strict_mode', 1);
session_start();
// Unset all of the session variables.
session_regenerate_id();
session_destroy();
print "SESSION has been destroyed - all session data deleted";
?>
<hr>
back to home page
</hr>
</body>
session_start();
session_unset();
session_destroy();
The fix was session_name() instead of 'cookiename'
I have an index.php which contains my login form and using a session to login. How do I destroy the session everytime a user access the index.php for security?
All you have to do is this:
session_unset();
or:
session_destroy();
depending on your requirement.
References:
http://php.net/manual/en/function.session-destroy.php
http://php.net/manual/en/function.session-unset.php
try this:
<?php unset($_SESSION['whatever']); ?>
Will remove the session.
// Completely remove session and associated data:
<?php
// open the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// delete the session cookie.
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_unset();
// Finally, destroy the session.
session_destroy();
?>
My problem may seem pretty elementary, but I dont know whats wrong with my code. I have a very simple login system that looks like this:
login.php:
<?php
session_start();
if ($_SESSION['loggedin'] = 1) {
header("Location: admin.php");
}
if ($_GET['login']) {
// Only load the code below if the GET
// variable 'login' is set. You will
// set this when you submit the form
if ($_POST['username'] == 'thenemis'
&& $_POST['password'] == 'slustice') {
// Load code below if both username
// and password submitted are correct
$_SESSION['loggedin'] = 1;
// Set session variable
header("Location: admin.php");
exit;
// Redirect to a protected page
} else echo "Wrong details";
// Otherwise, echo the error message
}
?>
<form action="?login=1" method="post" accept-charset="utf-8">
<fieldset>
<label for="username">Usermame:</label>
<input type="text" name="username" placeholder="username" required>
<label for="password">Password:</label>
<input type="password" name="password" placeholder="password" required>
<input type="submit" value="Login"> </td>
</fieldset>
</form>
This works fine.
admin.php:
<?php
session_start();
// Call this function so your page
// can access session variables
if ($_SESSION['loggedin'] != 1) {
// If the 'loggedin' session variable
// is not equal to 1, then you must
// not let the user see the page.
// So, we'll redirect them to the
// login page (login.php).
header("Location: login.php");
exit;
}
?>
<p>Log out</p>
Now my problem is, that the system keeps me logged even though i clicked the logout URL, which looks like this:
logout.php:
<?php
session_start();
session_destroy();
header("Location: login.php");
?>
There is obviously some elementary mistake with my logout procedure, but I cant seem to find it... Thanks for any help in advance!
You are making assignment here:
if ($_SESSION['loggedin'] = 1) {
header("Location: admin.php");
}
and you should make comparisment
if ($_SESSION['loggedin'] == 1) {
header("Location: admin.php");
}
Try this
<?php
session_destroy();
header('Location: index.php');
exit();
?>
change your admin.php file
<?php
session_start();
if (!isset($_SESSION['loggedin'])) {
header("Location: login.php");
exit;
}
?>
<p>Log out</p>
In login.php you didn't started session_start after user details verified...
try to add session_start(); before $_SESSION['loggedin'] = 1;
This may work for you...
in logout.php
before estroying unset the session variable
using this line
unset($_SESSION['loggedin']);
From the php.net Manual:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Use this code (copied from php.net) to logout securely:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
Just try with the following changes :
In login.php :
if ($_SESSION['loggedin'] == 1) {
header("Location: admin.php");
}
In logout.php :
<?php
session_start();
ob_start();
session_destroy();
$_SESSION['loggedin']=""; //Just empty that session variable
header("Location: login.php");
?>
I think this may help you to resolve your problem.