PHP session_destroy() isn't working

This is frustrating, I've been working with PHP Sessions for a long time and haven't had this problem until now. I'm working on a basic login/logout script using PHP.
Here's what I have for my logout script.
logout.php
<?php
session_start();
unset($_SESSION['email']);
session_destroy();
header("Location:login.php");
?>
And therefore my login.php script has the following code:
login.php
// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");
if(pass and username are correct){
$_SESSION['email'] = $email;
session_write_close();
header('Refresh: 1; logged_in.php');
}
Now when I log in and I'm redirected to the logged_in.php page, from there when I go to the logout.php page, instead of being redirected to login.php it goes back to logged_in.php.
Which means that when it arrives to login.php the session still exists and it enters the following if statement in login.php
if(isset($_SESSION['email'])) header("Location:logged_in.php");

Try something like that:
session_start();
// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");
if(pass and username are correct){
$_SESSION['email'] = $email;
session_write_close();
header('Refresh: 1; logged_in.php');
}

session_regenerate_id(true) worked for me. I was having the same issue before. It appears that some browsers do not properly delete the session cookie while they are active. Regenerating the ID gives you a fresh session, though you should still of course delete your old session as you have. I'm not quite sure if this is a fix or a workaround, but it works. session_regenerate_id will create a new session variable and delete the old one if you set the parameter to true.

Related

how to redirect back to log in page when the session has been ended in php?

Like when you log out, it redirects automatically to the log in page.
When I use this code
it just says "this page isn't working localhost redirected too many times".
Set the session and session variable after the user logs in successfully. If the user clicks log-out, then unset the session variable or destroy the session.
Login-check page :
session_start();
$_SESSION['login']=true;
header("location:dashbord.php");
Log-out page:
session_start();
unset($_SESSION['login']);
if(!isset($_SESSION['login']) && empty($_SESSION['login'])){
header("location:index.php");
die;
}

How to end all session when logout

This is my PHP code to end the session, but when I click on the back button it still goes back to my previous page.
<?php
session_start();
if(session_destroy()) // Destroying All Sessions
{
header("Location: login.php"); // Redirecting To Home Page
}
?>
Really you should not be able to view a page if you are not logged in. Just do this on the top of every page.
<?php
session_start();
//check some value that lets you know if a user is logged in.
if(empty($_SESSION['user_id'])){
header("Location: login.php");
exit; // stop here so the rest of the protected page is not rendered
}
The redirect will happen even if your site is cached.
Take a look here: http://php.net/manual/en/function.session-destroy.php
This just deletes all data within the session but not the session itself. You also have to delete the session ID and the session cookie (setcookie()).
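A complete logout along the lines these answers describe (clear the data, expire the session cookie, destroy the session), together with the per-page login check, as an added example that is not taken from any of the posts. The function names require_login and logout_and_redirect and the user_id key are assumptions for illustration.

```php
<?php
// Added example: helper names and the 'user_id' session key are illustrative.

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit; // without this the protected page is still generated and sent
    }
}

// Call from logout.php. $target must be a fixed value chosen by the
// application, never taken from request input.
function logout_and_redirect(string $target): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // session_destroy() only works on an active session
    }

    // Clear the data held in memory for the rest of this request.
    $_SESSION = [];

    // Expire the session cookie, using the same path/domain it was set with;
    // otherwise the browser keeps sending the old session ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session data.
    session_destroy();

    header('Location: ' . $target);
    exit;
}

// logout.php would then contain only:
//   logout_and_redirect('login.php');
```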

why session data not being destroy?

I have some simple PHP scripts. One is to display the login user, and the other one is to log out. These are code fragments from a larger file. Anyway, first I executed the login script and entered the user name; the user name showed up fine. Next I executed the logout. If I entered the login page again, I would have expected the login_user to be empty, but it is not. The older login_user name is still there. If I clear the cache and bring up the login page again, the login_user is gone. How do I clear the session data for good? Here is the login.php
<?php
session_start();
$_SESSION['myerror']="XXX";
displayLoginUser();
function displayLoginUser()
{
if (isset ($_SESSION['login_user']))
{
echo $_SESSION['login_user'];
}
} // end displayLoginUser
?>
Here is the logout.php
<?php
// NOTE none of the statements below seem to clear the login_user
$_SESSION['login_user'] = " ";
unset ($_SESSION['login_user']);
session_destroy();
header("location: library.php");
?>
Try this:
session_start();
$_SESSION = array();
session_destroy();
This will completely destroy the session and all its variables; no need to unset() or anything else.

Using the same logout.php page for two different types clients

I have a simple website that lets the admins and users log in. Their credentials are saved onto a MySQL server in 2 separate tables: 1 for user, 1 for admin.
They both have different login pages; user has userlogin.php and admin has adminlogin.php.
What I want is, when they are both done with accessing the site, I want them to click logout and, through session variables, use just the one logout.php and redirect them to their respective login pages.
So if the user logs out, they should be redirected to userlogin.php, and if admin logs out, they should be redirected to adminlogin.php.
<?PHP
session_start();
unset($_SESSION["userid"]);
header("Location: userlogin.php");
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
?>
This is what I have so far.
if(isset($_SESSION["userid"]))
{
unset($_SESSION["userid"]);
header("Location: userlogin.php");
}
elseif(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
}
die();
Use session_destroy()
logout.php
<?php
session_start();
if(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
session_destroy();
header("Location: adminlogin.php");
}
else
{
unset($_SESSION["userid"]);
session_destroy();
header("Location: userlogin.php");
}
?>
<?php
session_start();
header ('Location: ' . (isset($_SESSION['adminid']) ? 'adminlogin.php' : 'userlogin.php'));
$_SESSION = array();
session_destroy();
?>
Since some people asked for an explanation, this code first starts the session with session_start();.
After that, it sets the location header to be sent to the client. The code checks if the adminid is set, if so, we'll redirect to adminlogin.php. If not, we'll just redirect to userlogin.php.
Then, the code sets the $_SESSION to array(); (basically just empties it) so that all the previously set data is gone.
Finally, the session is destroyed and the client will get redirected.

Is this an issue with my PHP Session?

I am using sessions to log users into my site.
The login form sends the input to a login-exec file which then queries the db and validates the login info. I have placed session_start(); at the beginning of the login-exec file and then used the below snippet to write data to the session:
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['id'];
$_SESSION['Username'] = $member['username'];
$_SESSION['key'] = $member['Serial'];
session_write_close();
header('Location: account.php');
At the beginning of the account.php file I have required the auth.php to validate the session.
account.php: require_once('auth.php');
auth.php:
<?php
//Start session
session_start();
//Check whether the session variable SESS_MEMBER_ID is present or not
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
header("Refresh: 5; url=login.php");
//echo $_SESSION['SESS_MEMBER_ID'];
die("Access Denied!");
exit();
}
?>
Always the first time logging in it returns access denied. When the script redirects back to the login page and I try again it always works... I have saved my php files in UTF-8 Without BOM as I originally thought there was leading white space before the session was started. That did not fix the issue and I really can't figure this out.
Any ideas as to why this is happening?
I believe the issue was the redirection url in my login-exec.php script. For example:
If I loaded the login.php script by going to http://www.mydomain.com/mysubdirectory/login.php and the header redirect in login-exec.php was pointing to http://subdomain.mydomain.com/account.php the PHPSESSID was being regenerated because the domain changed.
So I changed the header redirects to account.php instead of the full url and this resolved the issue.
I could have used a full URL, either subdomain.mydomain.com or mydomain.com/subdirectory/, but doing so would have restricted the user and the script's portability. So the simple answer: ensure the domain is staying the same. If it isn't, you can set the session name, which I am pretty sure would resolve this as well. However, in my case header('Location: script.php'); did the trick.
Get rid of the session_write_close();
If that doesn't solve it, it might be that you are losing the session in the account.php file.
Make a call to session_start(); before requiring the auth.php page.
