This is my PHP code to end the session, but when I click on the back button it still goes back to my previous page.
<?php
session_start();
if(session_destroy()) // Destroying All Sessions
{
header("Location: login.php"); // Redirecting To Home Page
}
?>
Really you should not be able to view a page if you are not logged in. Just do this on the top of every page.
<?php
session_start();
//check some value that lets you know if a user is logged in.
if(empty($_SESSION['user_id'])){
header("Location: login.php");
exit; // stop executing so the rest of the page is not sent
}
The redirect will happen even if your site is cached.
Take a look here: http://php.net/manual/en/function.session-destroy.php
This just deletes all data within the session but not the session itself. You also have to delete the session id and the session cookie (setcookie()).
like in when you logged out, it redirects automatically into the log in page.
when I use this code
it just says "this page isn't working, localhost redirected too many times"
Set the session and session variable after the user logs in successfully; if the user clicks log-out, then unset the session variable or destroy the session.
Login-check page :
session_start();
$_SESSION['login']=true;
header("location:dashbord.php");
Log-out page:
session_start();
unset($_SESSION['login']);
if(!isset($_SESSION['login']) && empty($_SESSION['login'])){
header("location:index.php");
die;
}
Hello, I am trying to destroy the session when I press the signout button. It logs out and redirects to the login page, but when I click back in the browser that page loads with the login menu on top.
And I have written code in every page so that if the session is not available it redirects to the login page.
Here is my logout code for session_destroy:
elseif(isset($_GET['type']) && $_GET['type']== "logout" )
{
if (!isset($_SESSION['id'])) {
header('location:index.php');
} else {
session_destroy();
$_SESSION = array();
header('location:index.php');
}
}
Here is the code that I have mentioned in all pages:
session_start();
include_once('includes/config.php');
if(!isset($_SESSION['id'])) {
header('location:login.php');
}
So my question is how to log out completely, so that pressing back does not load the page and instead redirects to the login page.
<?php
session_start();
if(isset($_SESSION['id'])){ // isset() avoids a warning when the key is missing
unset($_SESSION['id']); // removes only this session variable
}
header('Location:index.php'); //redirect to preferred page after unset the session
exit;
?>
session_destroy()
With this function you can destroy all sessions at the browser. If you work with PHP you should write:
ob_start ();
session_start();
With this your buffer is also flushed and a new session is started. Try it.
Create a page like signout.php, and set the signout button link to this page.
Example
Signout
Add the code below to the signout.php page.
session_start(); #Start new or resume existing session
#unset($_SESSION['key']); #Free specific session variable if you want, OR
session_destroy(); #Destroys all data registered to a session
header('location:login.php'); #Redirect to login page after logout
This should work for you!
Try in this way :
session_start();
unset($_SESSION["id"]);
session_destroy();
header('location:index');
I've got a login page then I made a link to a page called logout and it contains this code:
logout.php
<?php
session_unset();
session_destroy();
header("Location:");
?>
Yet when I log out and then hit the back button, it takes me back. How do I change it so that it asks you to log in again before showing you your previous page?
On the page you're going back to (or any page for that matter) you need to do checks to see if the user is logged in or not (i.e. has a valid session) and if not, redirect them to the login page.
Additionally, it might help for you to add some no-caching headers to this particular piece of code.
You have not set any location to redirect to.
Should be:
header("Location:http://example.com/login.php");
This way when you logout, it will redirect the browser to login.php.
EDIT:
Also, it would help to add a session validation condition to your main page.
Something like:
if(!isset($_SESSION))
{
header("Location:http://example.com/login.php");
}
Before loading every page (or at least, every PRIVATE/RESERVED page) you should check the $_SESSION variable to determine if the user is legally logged in or not.
If you don't perform this check, everybody would be able to visit every page of your website if they have the direct link to it. They may see a broken version of the page, but access is nevertheless granted to users who are not logged in.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>
source: Manual
Try this to check on each page if the user is logged in:
if (!$_SESSION['logged_in']) { //you would have to make $_SESSION['logged_in'] when they login
header('location: login.php');
}
All this does is say: if $_SESSION['logged_in'] is NOT set, redirect them to the login page.
You would also need to do other checks to make it secure.
My site uses a simple login system that creates a cookie for the username and a login session. If someone visits home.php and the login session is set as logged in, they are pushed to the logged in area. Otherwise they login using a simple form and handler page. To logout users click a link which takes them to logout.php which contains the following code:
<?
session_start();
setcookie(username, $username, time()-360000);
session_start($_SESSION['login']);
$_SESSION["Login"] = "no";
header("Location: home.php");
session_destroy();
?>
Here is what is going on. Users who click the logout button are kicked out to the page home.php correctly. If they refresh the page they remain on the home.php page. Seems good so far.
However, if they navigate away from the home page, they are brought into the logged in area. And if they go to the url of a logged in area they are not kicked out (because the session checking script confirms the session value is set as logged in).
I'm dumbfounded. I am not a PHP pro by any means though--what am I doing wrong???
To invalidate your session you only need to delete your cookie.
setcookie("username", "", time()-360000);
will do the job. Please note that username should be in quotes ("), otherwise it will not refer to a cookie name.
So your code in logout will be like below:
<?
session_start();
setcookie("username", "", time()-3600);
header("Location: home.php");
?>
When the user logs in and is validated, you need to set a cookie for them and then redirect them to your authenticated URL.
You also need to check your cookie at the start of each page in your authenticated area, like the following:
<?
session_start();
if (!isset($_COOKIE["username"]))
header("Location: home.php");
?>
hope this helps
Here is another sample of setting, using and deleting cookies
I am trying to set all of my pages to forward to the login screen if the user is not logged in using session data, however it is not working. When a user clicks the links it just continues to the new link as opposed to being forwarded to the login page. I know the session data is cleared so that is not the issue.
Here's the relevant Code:
Page Headers:
<?php
session_start();
if(!isset($_SESSION['answer']))
{
header('Location: /?login');
exit;
}?>
Login Session Declaration:
$answer = mssql_fetch_array($res);
$_SESSION['answer']=$answer[0];
Logout:
<?php
session_start();
session_destroy();
if(!isset($_SESSION['answer']))
{
header('Location: /?login');
exit;
}
?>
session_destroy doesn't unset any global variables.
If you need to redirect unconditionally right after session destroy - just remove isset, you don't need it.
In response on how to do this on every other page:
I use a required at the beginning of every secured PHP page on my site. I call it "auth.php". If the user is not logged in (check via session variable), the auth.php redirects them to the login page.
If you have a header, this is a great place to put it (if it's only included in the secured section, which mine is).
My logout page destroys the session and sends them to the login page.
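The pieces the answers above describe (a per-page login check, no-cache headers so the Back button re-requests the page, and a logout that removes the session data, the session cookie and the server-side session) combined into one added example; it is not code from any of the posts, and the `user_id` session key, the `login.php` target and the function names `require_login()` and `logout()` are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original posts. The 'user_id' key and the
// login.php target are assumptions; adapt them to your own login handler.

// auth.php part: call at the top of every protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to keep a copy of the page, so pressing Back
    // sends a new request and the check below runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit; // without this the protected page is still rendered and sent
    }
}

// logout.php part: remove the data, the cookie and the server-side session.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // a session must be resumed before it can be destroyed
    }
    $_SESSION = []; // session_destroy() does not clear this array

    if (ini_get('session.use_cookies')) {
        // Expire the session cookie with the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    header('Location: login.php');
    exit;
}
```

Call `require_login()` as the first statement of each protected page and `logout()` from logout.php; login.php itself must not call `require_login()`, otherwise the browser reports a redirect loop.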