I am new to PHP, but I have 2 years of experience in ASP.NET. When I call logout.php, it doesn't remove the cookie values.
<?php
if (isset($_COOKIE['C_username'])) {
unset($_COOKIE["C_username"]);
unset($_COOKIE["C_password"]);
setcookie("C_username", '', time() - 3600);
setcookie("C_password", '', time() - 3600);
}
echo "<script>alert('".$_COOKIE["C_username"]."');</script>" ; //Here the cookie value is found.
header( 'Location: ../index.php');
?>
After redirecting to another index.php, the cookie is also found there.
The cookie is not cleared until the page is reloaded by the browser so if you change your javascript to actually look for the cookie on the browser rather than use the PHP (on server) version of it you may get more predictable results.
Also remember that cookies and header() statements must be run before any other data is sent to the browser so your code should be generating an error anyway as your header() statement is after an echo statement.
So try
<?php
if (isset($_COOKIE['C_username'])) {
setcookie("C_username", '', time() - 3600);
setcookie("C_password", '', time() - 3600);
header( 'Location: ../index.php');
exit;
}
echo '<script>alert(document.cookie);</script>';
?>
Additional Point:
Don't put passwords in cookies. There is no need to do this anyway: if you are using it to log the user on when they re-visit, you don't need the password, you just set the fact that they are logged in because you see a cookie. It does not need to have a valid userid/password in that/those cookies.
Also remember that cookies can be turned off by the browser!
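The "no password in the cookie" advice above, as an added example that is not part of the original answer: the cookie carries only a random token, and the server keeps a hash of it. The cookie name `remember`, the JSON file standing in for a database table, and all function names are assumptions; the options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Constructed stand-in for a database table of issued tokens.
define('TOKEN_FILE', sys_get_temp_dir() . '/remember_tokens.json');
const COOKIE_NAME = 'remember';          // hypothetical cookie name
const LIFETIME    = 60 * 60 * 24 * 30;   // 30 days

function load_tokens(): array
{
    return is_file(TOKEN_FILE)
        ? (json_decode(file_get_contents(TOKEN_FILE), true) ?: [])
        : [];
}

function save_tokens(array $tokens): void
{
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
}

// The same attributes are used to set and to expire the cookie,
// otherwise the browser treats the two as different cookies.
function cookie_options(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true, // HTTPS only
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call after the password check succeeded and before any output.
function remember_user(string $userId): void
{
    $token  = bin2hex(random_bytes(32));           // unguessable, carries no secret
    $tokens = load_tokens();
    $tokens[hash('sha256', $token)] = ['user' => $userId, 'expires' => time() + LIFETIME];
    save_tokens($tokens);
    setcookie(COOKIE_NAME, $token, cookie_options(time() + LIFETIME));
}

// Returns the user id for a valid, unexpired token, otherwise null.
function remembered_user(): ?string
{
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    if (!is_string($token) || $token === '') return null;
    $row = load_tokens()[hash('sha256', $token)] ?? null;
    return ($row && $row['expires'] > time()) ? $row['user'] : null;
}

// Logout: revoke server-side first, then expire the cookie in the browser.
function forget_user(): void
{
    $tokens = load_tokens();
    unset($tokens[hash('sha256', (string) ($_COOKIE[COOKIE_NAME] ?? ''))]);
    save_tokens($tokens);
    setcookie(COOKIE_NAME, '', cookie_options(time() - 3600));
    unset($_COOKIE[COOKIE_NAME]);                  // only affects the current request
}
```

Because the token is revoked on the server, a copy of the cookie that survives in the browser no longer logs anyone in.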
I have created a logout.php page to let the user sign out from the website and redirect them to the sign-in page.
However, whatever I do, the cookies are not getting deleted, so when the user gets redirected to the sign-in page, the latter examines the cookies and then finds them, and therefore logs the user in.
Below is the code of logout.php:
<?php
unset($login);
if (isset($_COOKIE['xxx'])){
setcookie('xxx', false, time() - 3600,"/");
}
if (isset($_COOKIE['yyy'])){
setcookie('yyy', false, time() - 3600,"/");
}
header("Location: singin.php");
die();
?>
Please note that this PHP page is in a subfolder protected by a password, and the HTML link redirects to a PHP file that require()s the logout.php file.
Use PHP unset() to delete your cookie; you can get the complete details here: delete the cookie
if (isset($_COOKIE['xxx'])){
unset($_COOKIE['xxx']);
}
if (isset($_COOKIE['yyy'])){
unset($_COOKIE['yyy']);
}
or, set value as null and a negative time for your cookie as
setcookie('xxx', null, -1, '/');
setcookie('yyy', null, -1, '/');
or, set value as empty and a past time for your cookie as
setcookie("xxx", "", time()-3600);
setcookie("yyy", "", time()-3600);
I have finally found the reason behind the issue.
It's because I have put session_cache_limiter('public'); in my code, which I presume prevents the client from setting the cookie to an expiry date.
I have done that because I don't want the client to ask the user each time they hit back to resubmit the form.
It seems that it's not the correct practice, I'll post another question for that.
Thanks all for the help.
I can't figure out why I can't remove a cookie or its value:
I have a simple login script; when the user enters correct login details, this is
setcookie('logged', $admin['username'], time()+60*60*24*365);
Also, session_start() is present on all pages.
When I want to log off a user, the following happens:
if($page=='logoff') {
setcookie('logged', "", time() - 3600);
unset($_COOKIE['logged']); // tried also this
session_destroy();
$_SESSION=null;
header("Location: index.php"); // if this is removed, the code below acts like there's no $_COOKIE['logged'] or it's empty (until refresh)
}
Once it gets redirected to index.php the $_COOKIE['logged'] is back with the old value, like something would set it again (nothing does for sure, I even removed the one and only login cookie set line)
I couldn't find a solution in similar questions. Tested in chrome and IE.
You can't "unset" a cookie. "Expire" it by setting it to a value in the past:
<?php
// set the expiration date to one hour ago
setcookie("logged", "", time() - 3600);
?>
http://www.w3schools.com/php/php_cookies.asp
Here is my login cookies being set
setcookie('username[0]',$username,time()+(60*60*24*365));
setcookie('username[1]',$userid,time()+(60*60*24*365));
setcookie('username[2]',$subscribed,time()+(60*60*24*365));
setcookie('password',md5($password),time()+(60*60*24*365));
setcookie('admin',$admin,time()+(60*60*24*365));
Here is my logout function
function logout($return) {
setcookie('username[0]', '', time()-(60*60*24*365));
setcookie('username[1]', '', time()-(60*60*24*365));
setcookie('username[2]', '', time()-(60*60*24*365));
setcookie('password', '', time()-(60*60*24*365));
setcookie('admin', '', time()-(60*60*24*365));
header( 'Location: ' . $return );
echo "<div class='fontall'><span class='fontdif'>You've been logged out. </span><a href='$return'>Click Here</a><span class='fontdif'> to return</span></div>";
}
When I try to log out and return to the page, I am still logged in. What did I do wrong?
If you got the 'cannot modify headers' error, it means you echoed out something before setcookie. setcookie must be called before any content is echoed out.
Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace.
// 1. Find the session
session_start();
// 2. Unset all the session variables
$_SESSION = array();
// 3. Destroy the session cookie
if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// 4. Destroy the session
session_destroy();
That should work.
Probably you didn't destroy the session?
Nothing seems to be wrong with the code - it should be deleting the cookies. Are you sure that the cookies are not being deleted? After you log out, try checking if the cookies exist. You may do so using the browser view that shows the active cookies. Or alternatively you may try reading the cookies using PHP.
Second, how are you checking if the session is still valid? Can you please share that piece of code? And where do you check your session - do you do them on all pages?
I have this file
secure.php
<?php
session_start();
if(empty($_SESSION['u_name'])) {
header("Location:emprego.php");
}
if(isset($_GET['logout'])) {
session_destroy();
header("Location:emprego.php");
}
$name = $_SESSION['u_name'];
?>
<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>";?></li>
Basically, if I log out, I will be redirected to emprego.php. But if I click the back button (arrow in the browser), I can view the same page (secure.php).
My question is, why?
Thanks
http://nl2.php.net/manual/en/function.session-destroy.php
Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.
if(isset($_GET['logout'])) {
unset($_SESSION['u_name']); //makes it non-existent (it does unset) that variable
session_destroy();
header("Location:emprego.php");
}
Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.
It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.
If you're using session cookies, also try expiring the session cookie explicitly, like this:
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.
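The points from the answers above combined into one guard for secure.php, as an added example that is not code from the original posts: it clears and expires the session, stops the script after each redirect, and asks the browser not to store the protected page. The function name `end_session` is an assumption; the file and session key names are taken from the question.

```php
<?php
// Guard included at the top of every protected page.
// It only sends headers, so it must run before any output.
session_start();

// Ask the browser not to store the response, so the back button
// has to re-request the page instead of showing a saved copy.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');

function end_session(): void
{
    $_SESSION = [];                        // clear data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();  // expire with the attributes it was set with
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // remove the server-side session data
}

if (isset($_GET['logout'])) {
    end_session();
    header('Location: emprego.php');
    exit;
}

if (empty($_SESSION['u_name'])) {
    header('Location: emprego.php');
    exit; // without exit, PHP keeps rendering the protected page after the redirect header
}

$name = $_SESSION['u_name'];
```

With the two `exit` calls in place, an unauthenticated request receives only the redirect and never the body of the protected page.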
I recently found header_remove(); http://php.net/manual/en/function.header-remove.php
Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.
Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.
All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:
if (isset($_GET["logout"])){
if (isset($_SESSION["username"])) {
unset($_SESSION["username"]);
session_destroy();
header("Location:/?logout=true");
exit;
}
header("Location:/");
exit;
}
I am facing a problem in my script, where I use PHP and jQuery to create a login system.
First I have a PHP page containing a form for login. When the user clicks submit, I use jQuery to send the data to the server
$.post('server_login.php', {username:username.val(), password:password.val()}, function(data){
alert(data);
});
In server_login.php I have a function to log the user in.
if($_POST['username']=='username' && $_POST['password']=='1234'){
$expire = time() + 60*60*24*30; //1 month expired.
setcookie("user_id", $_POST['username'], $expire);
echo true;
}
and jQuery alerts "1" on my login page.
The problem is that when I refresh my website and retrieve the cookie, it is not shown to me.
print_r($_COOKIE);
Anything wrong?
If the script you are calling is located in another folder on the server (or via url rewrite it appears as if it is under another path), make sure to set the path parameter of the cookie.
By default, setcookie() sets the cookie only for the current path.
If your page is www.domain.com and you make ajax call to www.domain.com/auth/login.php the cookie will be set to /auth and will not be available outside /auth.
So try changing to this:
setcookie("user_id", $_POST['username'], $expire, '/');
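Why the cookie set from /auth/login.php is invisible to /index.php, as an added example that is not part of the original answer: the two functions follow the default-path and path-match rules of RFC 6265 (section 5.1.4), which browsers apply when setcookie() is called without a path. The function names and the sample paths are constructed for illustration.

```php
<?php
// Path a browser assigns to a cookie when the response carries no Path attribute.
function default_cookie_path(string $requestPath): string
{
    if ($requestPath === '' || $requestPath[0] !== '/') {
        return '/';
    }
    $lastSlash = strrpos($requestPath, '/');
    // "/login.php" -> "/", "/auth/login.php" -> "/auth"
    return $lastSlash === 0 ? '/' : substr($requestPath, 0, $lastSlash);
}

// Whether a cookie with $cookiePath is sent along with a request for $requestPath.
function path_matches(string $requestPath, string $cookiePath): bool
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    // A prefix only counts at a "/" boundary, so "/auth" does not cover "/authors".
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// Constructed sample: cookie set by an AJAX call to /auth/login.php without a path.
$cookiePath = default_cookie_path('/auth/login.php');
echo "cookie path: $cookiePath\n";

foreach (['/index.php', '/auth/profile.php', '/authors/list.php'] as $page) {
    printf("%-20s %s\n", $page, path_matches($page, $cookiePath) ? 'cookie sent' : 'cookie NOT sent');
}

// With an explicit '/' every page matches; a later delete must use the same path.
var_dump(path_matches('/index.php', '/'));
```

The same rule explains failed logouts: a setcookie() call that expires a cookie under a different path than the one it was set with creates a second, already expired cookie and leaves the original in place.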
I tried the code below in my script.
Please try this code once. If you get the cookie value, then something is wrong with your code, but if this code also does not work, then check whether your browser's cookie option is enabled. If cookies are disabled by the browser, you can't get any cookie value either.
To enable browser cookies, follow this link: http://www.blogpatrol.com/enable-cookies.php.
Test Code 1:
$expire = time() + 60*60*24*30; //1 month expired.
setcookie("TestCookie", "shashank patel here", $expire);
print_r($_COOKIE);
Test code 2:
Also check this code with your script; this code tells you whether your browser's cookies are enabled or not.
error_reporting (E_ALL ^ E_WARNING ^ E_NOTICE);
// Check if cookie has been set or not
if ($_GET['set'] != 'yes')
{
// Set cookie
setcookie ('test', 'test', time() + 60);
// Reload page
header ("Location: test.php?set=yes");
}
else
{
// Check if cookie exists
if (!empty($_COOKIE['test']))
{
echo "Cookies are enabled on your browser";
}
else
{
echo "Cookies are NOT enabled on your browser";
}
}