I have a small website using a session to check for an user login.
When the user click logout the are being redirected to a page containing only session destroy.
The code is as followed:
<?php
session_start();
if(session_destroy()) {
$_SESSION = array();
header("Location: http://domain.com/");
}
exit();
?>
I've tried to remove the if statement to check for any problem when destroying the session.
I have even used unset and setting the array to empty.
Still when redirected to the domain homepage the user is still logged in and the session is still set.
Also i tried to unset the specific session and still nothing happens.
--
Update:
The session is not even being return as an empty value. Echoing the session after logout still returns the value of the username.
This answer should help. As Roland Starke mentioned in a comment, session_destroy will not remove a cookie.
https://stackoverflow.com/a/3512570/3563178
try this.
<?php
session_start();
if(session_destroy()) {
echo '<meta http-equiv="refresh" content="0;URL=http://domain.com">';
}
exit();
?>
I think the header is throwing an error in this particular case of yours. hmmmm.....(Header already sent)...
Related
I'm trying to destroy the session without using session_destroy because I want to carry the information message. My question is if my code is valid, I already reset the session by saying all $_SESSION is an empty array or for security reason using the session_destroy is a must but if I use session_destoy I can't pass the $_SESSION['msg'] anymore.
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>
You need session_unset()
session_unset just clears out the session for usage. The session is
still on the users computer. Note that by using session_unset, the
variable still exists. session_unset just remove all session
variables. it does not destroy the session....so the session would
still be active.
via: http://php.net/manual/en/function.session-unset.php
and then you can do it like
$_SESSION['msg'] = "You have logged out.";
so that the msg is added to session.
OR You can do it like this too:
$msg ="Whatever the message is";
header("Location: index.php?message=$msg ");
In index.php file
if(isset($_GET['message']) && !empty($_GET['message'])){
echo $_GET['message'];
}
1st you should use session_unset(); to remove all session variables/values rather than assigning a new array to it.
The main answer to your query:
I would recommend to use session_destroy() because it removes the internal session ID generated which would be validated at every request coming from a client device. To verify this, just print the session ID using the function echo session_id(); before and after emptying the session in the way you are doing. It would pring the same session ID.
So destroying it first and then creating new will be a good idea.
Once you destroy the session using session_destroy() you can start a new session again and set your message $_SESSION['msg'] in it.
Just user session_unset($_SESSION['session_name']); hope this will work.
You can use cookies; you would keep for example the username, the password and the connection status of the user. When the user comes back to your site, you know who he is and if he is already connected.
setcookie ("Msg", "you have logged out", time () + 3600);
(for a cookie of one hour, you put the time that you want ...)
Your code:
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>
in the index page do below stuff:
<?php
if(!empty($_SESSION['msg']) && isset($_SESSION['msg'])){
echo $_SESSION['msg'];
unset($_SESSION['msg']);
}
?>
this will show your message once and unset it immediately.
There are two login pages and if one page is logged out other also automatically getting logged out how to change that?
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
session_destroy();
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
session_destroy();
header("location: login.php");
?>
Please remove session_destroy() function. session_destroy() delete complete session information for request with sessionid from the server. Hence both scripts logouts.
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
header("location: login.php");
?>
When you use session_destroy(); you completely remove everything the server knows about your current session. Note a session survives while the current browser instance is open, if you destroy the session you destroy all the session globals.
If you want to logout of just the admin or a normal user you should just change a session variable to reflect that.
As the others already pointed out, the problem is the call of session_destroy() as this destroy the whole session.
But I'd like to add that you should maybe consider using a multidimensional array in your session for different purposes or, what is even better, use different sessions as they are in completely different areas (e.g. the admin session should definitely not be shared with a normal user session, using HTTPS cookies, etc.).
unset the session variable or make the session variable as empty in logout.php
adminlogout.php
<?php
session_start();
$_SESSION['ADMIN_UNAME']='';
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
$_SESSION['SESS_MEMBER_ID']='';
header("Location:login.php");
?>
I have 3 login forms in my page, clicking logout is destroying all the sessions and logging them all out.
I know that session_destroy() destroys all the data associated with the current session but could i give it a parameter or is there any way to specify which session to destroy?
I have tried using unset without the session_destroy but it won't logout the user
Code edited:
<?php
if(isset($_GET['auth'])){
if($_GET['auth']=='parent'){
session_name('parent');
session_start();
if(isset($_SESSION['parent']))
unset($_SESSION['parent']);
session_destroy();
}}
if(isset($_GET['auth'])){
if($_GET['auth']=='employee'){
session_name('employee');
session_start();
if(isset($_SESSION['employee']))
unset($_SESSION['employee']);
session_destroy();
}}
if(isset($_GET['auth'])){
if($_GET['auth']=='student'){
session_name('student');
session_start();
if(isset($_SESSION['student']))
unset($_SESSION['student']);
session_destroy();
}}
header("Location: login.php");
?>
I have added session_name to get different sessions, i am able to destroy the session but i can't have multiple sessions in the same page!
Please use session_start(); once at the top of the page.
After successful login, please check all the sessions that is set, for example in your case.
$_SESSION['parent'];
$_SESSION['employee'];
$_SESSION['student'];
session_name(''); will override the previous session's name, so you don't have to use session_name here.
If you check there is a value for specific session or the session name is exist
unset($_SESSION('your_session_key'));
Hope it will work.
Thanks
i am creating a website with login and logout and registration but an error appear every time i want to logout how to fix it i think the eroor is in the session this error make me crazy i did a lot of search about fixing the problem but i did not get any solution that help me.
logout.php
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
if(isset($_SESSION['username'])){
echo("we could not log out try again!");
exit();
}else{
header("Location: home.php");
}
?>
Not sure of your error, but reading about session_destroy would help you out.
My guess is the error is when checking if(isset($_SESSION['username'])){, as, according to the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
You never start the session again, so you can't use session variables.
Also, for further assistance with logging a user out, the following from the same page will help:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
And while it's not in the scope of the question - it will help you make a successful logout script.
session_destroy(); destroys all the sessions, so im not following the point of your If statement to check for username session ??
Secondly you don't actually need brackets for echo:
echo("we could not log out try again!"); exit();
Can be written as:
echo "we could not log out try again!"; exit;
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
header("Location: home.php");
exit();
?>
I am writing a script which is supposed to end a session for a user, and log them out of the system, thus returning them to the login page.
My logout script looks like this:
<?php
$_SESSION['signin'] = null;
session_destroy();
header("Location: /test/index.php");
?>
Initially I reset the signin variable that way even if the session isn't destroyed the variable should have at least changed so that the system believes the user is logged out.
And at the top of my login page I have a condition to forward them to the home page if they are already logged in, that way that can't visit the log in page once already logged in. This portion looks like this:
<?php
session_start();
if($_SESSION['signin'] == 5)
{
header("Location: /test/home.php");
}
?>
So in short, when someone is logged in, and clicks the link to logout it utilizes the first code block to log out, and then is forwarded to the page containing the second blcok of code.
However, this page still forwards me back to the home page, believing the user is still signed in and thus I'm guessing the signin variable was not reset.
Thoughts on how to solve my issue?
session_destroy() does not unset any of the global variables within the session. Simply using:
session_unset();
to unset all global variables, or to only unset the specified variable, use:
unset($_SESSION['signin']);
You can try something like this.
session_unset()
you don't have to use
$_SESSION['signin'] = null;
using session_destroy(); should be enough
and I don't exactly know the deep stuff of PHP, but if you set a $_SESSION variable to NULL, PHP could read it as it is set to NULL which means 'it is set'? (don't know for sure though)
In this case, if you want to destroy a variable, you could do this:
Have a page named logout.php and whenever the user needs to logout, redirect him/her to that page. Now, inside that page you'll put the following, and here I'll explain you what this does:
<?php
session_start(); //Initializes the session
unset($_SESSION['thenameofyoursession']); //This unsets a specific session, so the user is logged out, in this case it would unset "thenameofyoursession".
$URL="/test/home.php"; //This is the redirect URL
header ("Location: $URL"); //This basically will send the user back to the redirect URL using header.
die(); //terminates the PHP script from running
?>
With that you should be fine.
Your procedure is fairly obvious and similar to one that we use, however, it would be best to unset() the entire session if nothing in it is valid. -- If they aren't logged in, no session variables should exist.
My logout.php script includes this:
session_start();
session_register("loginMessage");
session_unregister("authenticatedUser");
session_destroy();
// relocate back to login page
header("Location: /");
Which works. session_unset() is historically redundant.
Hope this helps.