Is there any reason that unsetting the session wouldn't be enough for a logout? Is there some security reason more is needed?
I have a script that uses the Facebook login (using PHP). But for some reason, using any of the following messes with the login. After being logged out using any of the code below, when trying to log in using the Facebook redirect, it forces you to push the button twice for it to recognize that a Facebook session has been created.
if (isset($_COOKIE[session_name()])) {
    // expire the session cookie in the browser
    setcookie(session_name(), "", time() - 3600, "/");
}
$_SESSION = array();   // clear the session data
session_destroy();     // remove the server-side record
Try something like the following:
$params = array('next' => 'http://something.com/logout.php');
$logout = $facebook->getLogoutUrl($params);
$_SESSION['logout'] = $logout;
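For the server-side half of the question (what a PHP logout needs beyond `unset`), here is an added example that is not part of either post above. It leaves the Facebook SDK call out and shows only the session teardown: the cookie is expired with the same attributes it was issued with (a mismatched path or domain leaves the original cookie in place), the data is wiped, and the server-side record is destroyed so the old ID cannot be replayed. The redirect target `/index.php` is an assumption.

```php
<?php
// Added example (not from the original post): a complete logout for a
// plain-PHP session. The Facebook SDK call is left out; only the
// server-side teardown is shown.

function logout_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Wipe the data held in the server-side store for this ID.
    $_SESSION = [];

    // 2. Expire the browser cookie with the SAME attributes it was set
    //    with; a different path/domain creates a second cookie instead of
    //    removing the first.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'] ?? 'Lax',
            ]
        );
    }

    // 3. Remove the server-side record so the old ID cannot be replayed
    //    by anyone who captured the cookie earlier.
    session_destroy();
}

logout_session();
header('Location: /index.php', true, 303);   // assumed landing page
exit;
```

Unsetting `$_SESSION` alone leaves both the cookie and the stored record intact, so a captured session ID would keep working until the garbage collector removes it.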
I want to log a user in programmatically to the Magento admin. The admin page is in an iframe and it has to redirect automatically to the admin dashboard without authentication. I used code found in an old post and it matches the Magento core source. The code is:
require_once 'app/Mage.php';   // bootstrap Magento before using Mage::
umask(0);
$app = Mage::app('default');
Mage::getSingleton('core/session', array('name' => 'adminhtml'));
// supply username
$user = Mage::getModel('core/factory')->getModel('admin/user')->loadByUsername($loginadmin);
if (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
    Mage::getSingleton('adminhtml/url')->renewSecretUrls();
}
$session = Mage::getSingleton('admin/session');
$session->setIsFirstVisit(false);
$session->setUser($user);
$session->setAcl(Mage::getResourceModel('admin/acl')->loadAcl());
Mage::dispatchEvent('admin_session_user_login_success', array('user' => $user));
if ($session->isLoggedIn()) {
    // Redirect to the dashboard
    $url = "index.php/admico/dashboard";
    header('Location: ' . $url);
    exit;
}
When I var_dump() the data, the user exists and has all the information like firstname, id, etc., and it's all correct. The code goes inside the last if and redirects to 'index.php/admico/dashboard', so the $session is correctly logged in. But anyway, the front page displays the login form as if the session was not logged in, and not the admin dashboard.
Can someone help me figure out what's wrong, please?
Perhaps when the window is redirected in your last conditional, the iframe cannot access that login session on your website. I see that you are using the PHP header function. The only possible solution that I can think of is by getting the SID of the login session and using that as a URL parameter. So some edited code inside your conditional would look something like this:
$SID=$session->getEncryptedSessionId();
$url = "index.php/admico/dashboard?SID=" . $SID;
If that doesn't work, you can try using the PHP function setcookie() with $session as the stored data and then try the redirect. You can find documentation for that here. That's all that I've got for you. If this doesn't work, try looking at this and see if there is anything that may help you. Best of luck!
I have made two changes in the code and it is working fine for me on Firefox, Safari and Chrome. I also cleared my cookies before I attempted this code.
test.php
<iframe src="http://localhost.site/test_login.php" width="100%"></iframe>
test_login.php
<?php
require 'app/Mage.php';
umask(0);
Mage::app('admin');
Mage::getSingleton('core/session', array('name' => 'adminhtml'));
// supply username
$user = Mage::getModel('admin/user')->loadByUsername("USERNAME");
if (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
    Mage::getSingleton('adminhtml/url')->renewSecretUrls();
}
$session = Mage::getSingleton('admin/session');
$session->setIsFirstVisit(false);
$session->setUser($user);
$session->setAcl(Mage::getResourceModel('admin/acl')->loadAcl());
Mage::dispatchEvent('admin_session_user_login_success', array('user' => $user));
if ($session->isLoggedIn()) {
    // Redirect to the dashboard
    $url = "/admin/dashboard/";
    header('Location: ' . $url);
    exit;
}
In order to increase security for logged-in users, after session_start(); and assigning the other session variables, I also store the HTTP_USER_AGENT value, using $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);, in the login.php page.
Besides, in the login.php page I redirect logged-in users to the home page if they try to visit it again without logging out first, using a conditional like this:
if (isset($_SESSION['agent']) OR ($_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']) ) ) {
//redirect to home page
header('location:http://index.php.com');
exit();
}
The problem is that in my logout.php page I write the conditional like this:
if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT']) ) ) {
//Redirect to home page
}else{
$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-3600); // Destroy the cookie.
}
Then I came back to visit the login.php page again as a logged-in user (the session has been set), and it still redirected me to the home page.
Then I tried deleting the cookies in the FF browser, closing it, then revisiting the login.php page; it still redirected me.
Do you know what I did wrong or what I am missing?
NOTE: I have no problem destroying the session if not storing the HTTP_USER_AGENT.
You have an assignment where you want a comparison.
Change:
if (isset($_SESSION['agent']) OR ($_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']) ) ) {
to
if (isset($_SESSION['agent']) OR ($_SESSION['agent'] == md5($_SERVER['HTTP_USER_AGENT']) ) ) {
Off-topic security tip (maybe helpful):
public function Start_Secure_Session()
{
    // Forces sessions to only use cookies (no session ID in the URL).
    ini_set('session.use_only_cookies', 1);
    // Gets current cookie params
    $cookieParams = session_get_cookie_params();
    // Set cookie params: secure flag from $this->isHTTPS, httponly flag from
    // $this->deny_java_session_id (keeps JavaScript from reading the ID)
    session_set_cookie_params(
        $cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $this->isHTTPS,
        $this->deny_java_session_id
    );
    // Sets the session name
    session_name($this->session_name);
    // Start the PHP session
    session_start();
    // If new session or expired, generate new id
    if (!isset($_SESSION['new_session'])) {
        $_SESSION['new_session'] = "true";
        // regenerate the session, delete the old one.
        session_regenerate_id(true);
    }
}
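The question and answer above turn on one character (`=` versus `==`), but the surrounding pattern, binding a session to the client's User-Agent and gating login.php on it, is worth seeing written out correctly. The following is an added example, not the asker's or answerer's code; function names, the `APPSESSID` session name, and the HTTPS detection via `$_SERVER['HTTPS']` are this example's own assumptions.

```php
<?php
// Added example (not from the thread): start a hardened session, bind it
// to the client's User-Agent after login, and check that binding with a
// real comparison. All names here are this example's own.

function start_hardened_session(string $name = 'APPSESSID'): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_name($name);
    // Assumption: TLS is detected from $_SERVER['HTTPS'].
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function client_fingerprint(): string
{
    // An opaque tag of the User-Agent; any fixed-length digest will do here.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called once, right after the credentials have been verified.
function bind_session_to_client(int $userId): void
{
    session_regenerate_id(true);              // new ID: defeats session fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['agent']   = client_fingerprint();
}

// True only when a login is recorded AND the fingerprint matches.
// `=` here would assign and always be truthy; `===`/hash_equals compares.
// hash_equals keeps the comparison constant-time.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['agent'])
        && hash_equals($_SESSION['agent'], client_fingerprint());
}

// login.php: send already-authenticated users away.
start_hardened_session();
if (is_logged_in()) {
    header('Location: /index.php', true, 303);
    exit;
}
```

A User-Agent match is a weak signal: whoever can steal the cookie can usually copy the header too, so it narrows rather than prevents session hijacking. The `secure`, `httponly` and `use_strict_mode` settings do more of the real work.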
Edited:
I am too sad that this question was downvoted; I was stunned by this for many hours. I wish there were a lovely alchemist who could bring me back from this debuff condition.
I am using CodeIgniter. I think the problem is that when the new session (the session with the flash message) is set, the session id (as a cookie) is not sent to the client, so after redirecting to other pages, a fresh new session is created.
There is a problem in my log out function. The logic is simply: click "log out", redirect to the index page with a flash message: You have been logged out.
After inspecting, I found these things: the old session is cleared with no problems, the new session is created before redirection, and the new session does have the flash message. Then the strange thing comes: when redirected to index, a fresh newer session is created. But if I do not run the redirection after adding the flash message, and click the browser's refresh, then go to index manually, the session with the flash message will be there and displayed perfectly.
I also found that before the redirection or browser refresh, though the session is recreated, there is no session id in my cookies. The refresh action sends the session id to my cookies.
I hope I made the question clear. Thank you.
//auth controller
public function logout()
{
    $this->my_auth_lib->logout();
    $this->session->set_flashdata('alert', 'You have been logged out!');
    redirect('index');
}
//my_auth_lib
public function logout()
{
    return $this->session->sess_destroy();
}
// session library sess_destroy method
public function sess_destroy()
{
    // get session name.
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        // Clear session cookie
        $params = session_get_cookie_params();
        setcookie($name, '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
        unset($_COOKIE[$name]);
    }
    $this->sess_create();
}
//session library sess_create method
public function sess_create()
{
    $_SESSION[$this->sess_namespace] = array(
        'session_id'    => md5(microtime()),
        'last_activity' => time()
    );
    // Set matching values as required
    if ($this->_config['sess_match_ip'] === true) {
        // Store user IP address
        $_SESSION[$this->sess_namespace]['ip_address'] = $this->ci->input->ip_address();
    }
    if ($this->_config['sess_match_useragent'] === true) {
        // Store user agent string
        $_SESSION[$this->sess_namespace]['user_agent'] = trim(substr($this->ci->input->user_agent(), 0, 50));
    }
    $this->store = $_SESSION[$this->sess_namespace];
}
Try putting an
exit;
statement in the line right after the redirect
Got the idea from here
PHP: session isn't saving before header redirect
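The answer is right that the script must stop after `redirect()`. The added example below, which is not the asker's or answerer's code, wraps that in a helper that also flushes the session before the Location header is sent, so both the stored data and the Set-Cookie header are in place when the next request arrives. The `/index` path and the flash-message key are assumptions; the check on the path exists only to keep the helper from becoming an open redirect.

```php
<?php
// Added example (not from the thread): a redirect helper that writes the
// session out and stops the script, plus a logout that uses it.

function redirect_and_stop(string $path): void
{
    // Only accept local absolute paths; a full URL taken from user input
    // would turn this into an open redirect.
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
        $path = '/';
    }
    // Write and unlock the session now instead of relying on shutdown.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    header('Location: ' . $path, true, 303);
    // Nothing after the header may run: later code could change the
    // session again, emit a body, or continue a protected action.
    exit;
}

// Logout action: tear down the old session, start a fresh one that
// carries only the flash message, then leave.
session_start();
$_SESSION = [];
session_destroy();
session_start();
session_regenerate_id(true);               // new ID, new Set-Cookie header
$_SESSION['flash'] = 'You have been logged out!';   // assumed key name
redirect_and_stop('/index');
```

`session_regenerate_id(true)` is what forces a Set-Cookie for the new ID; without it, and with the old cookie just expired, the browser has nothing to present on the next request and the framework starts yet another session, which is the symptom described above.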
I have a users-only section on my website, but on their first visit to the website (after having quit the browser, being on a new computer, or not having been logged in for a while), it takes them to the logged-in home page fine, but when they try to navigate to a second logged-in page from that home page, they are automatically logged out. When they log in a second time, the effect is gone and everything works okay.
I have session_start(); at the top of every page.
This is how I generate a session when a user logs in:
session_regenerate_id(true); // destroying the old session id and creating a new one
$_SESSION['id'] = $login;
setcookie("id", $login, strtotime( '+30 days' ), "/", "", "", TRUE);
I have the sessions regenerate for security, but maybe I am doing it wrong and it's causing a problem?
Logged In check:
public function logged_in () {
return(isset($_SESSION['id'])) ? true : false;
}
public function logged_out_protect() {
if ($this->logged_in() === false) {
header('Location: index.php');
exit();
}
}
I am using a remember option on my login page. I think I am doing it right, but on logout I just am not able to unset the cookie variable. I am using CI, but for the cookie I am using a native cookie. What am I doing wrong? My code:
in login controller:
function index(){
    if(isset($_COOKIE['remember_me'])){
        redirect('index');
    }elseif($this->input->post()){
        $username = $this->input->post('username');
        $password = $this->input->post('password');
        $remember = $this->input->post('remember');
        if($remember){
            $time = time()+60*60*24*365;
            setcookie('remember_me', $username , $time);
        }
        // $full_name and $server come from the user lookup (not shown)
        $this->session->set_userdata('user_name', $username);
        $this->session->set_userdata('full_name', $full_name);
        $this->session->set_userdata('server', $server->exchange_server);
        redirect('index');
    }else{
        $this->load->view('login');
    }
}
function logout(){
    $this->session->unset_userdata('user_name');
    $this->session->unset_userdata('full_name');
    $this->session->unset_userdata('server');
    $data['login'] = 'Logout Successfully.';
    $data['class'] = 'success';
    $this->session->set_flashdata($data);
    /* To unset the cookie I tried the following different approaches, to no avail */
    setcookie('remember_me');
    setcookie('remember_me', '', $time()-60*60*24*365);
    setcookie('remember_me', false);
    unset($_COOKIE['remember_me']);
    redirect('login');
}
but to no avail. I just can't unset the cookie, and when a user who has checked the remember-me option tries to log out, it's not happening.
Any help/suggestion is welcome. Thanks.
With
unset($_COOKIE['some_cookie'])
you don't delete the cookie in the browser, you unset the variable $_COOKIE['some_cookie'].
If you want to delete the browser cookie you have to set the expiration date in the past:
setcookie("some_cookie", "", time()-3600);
If it doesn't work, try setting the cookie domain properly.
Create:
setcookie('some_cookie', null, time() + 3600, "/");
Delete:
setcookie('some_cookie', null, time() - 3600, "/");
I don't know what the problem is, but I used a jQuery plugin for cookie deletion {https://github.com/carhartl/jquery-cookie}. I included jquery.cookie.js and then on logout click I deleted the cookie with $.removeCookie('remember_me'), and it's working fine. Thanks for the suggestions and help.
Use this function please
delete_cookie()
And for a native PHP cookie use
unset($_COOKIE['remember_me']);
Or use CI function as follows
setcookie('remember_me', null, -1);
That's all
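Two things the thread circles around without spelling out: a cookie is only removed when the expiring `setcookie()` repeats the path and domain it was set with, and a remember-me cookie that carries the bare username lets anyone who types that username into a cookie log in as that user. The following added example, which is none of the posters' code, sets and clears the cookie with identical attributes and stores a random token whose hash, not the username, is what the server keeps. The in-memory `$store` array stands in for a database table and is an assumption of this example.

```php
<?php
// Added example (not from the thread): issuing, validating and revoking a
// "remember me" cookie. $store is a stand-in for a database table keyed
// by the SHA-256 of the token.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // 30 days; the thread used a year

// The same attributes must be used when setting AND expiring the cookie,
// otherwise the browser treats them as two different cookies.
function remember_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Issue the cookie after a successful password check. Only a hash of the
// token is stored, so a leaked table does not yield usable tokens.
function issue_remember_token(string $username, array &$store): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => time() + REMEMBER_TTL,
    ];
    setcookie(REMEMBER_COOKIE, $token, remember_cookie_options(time() + REMEMBER_TTL));
    return $token;
}

// Resolve the cookie back to a username, or null if absent, malformed,
// unknown or expired. Nothing in the cookie itself is trusted.
function user_from_remember_cookie(array $store): ?string
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($token === '' || !ctype_xdigit($token)) {
        return null;
    }
    $row = $store[hash('sha256', $token)] ?? null;
    return ($row !== null && $row['expires'] > time()) ? $row['user'] : null;
}

// Logout: revoke server side AND expire the browser cookie with the same
// attributes. unset($_COOKIE[...]) alone only changes this request's copy.
function revoke_remember_token(array &$store): void
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    unset($store[hash('sha256', $token)]);
    setcookie(REMEMBER_COOKIE, '', remember_cookie_options(time() - 3600));
    unset($_COOKIE[REMEMBER_COOKIE]);
}
```

Revoking on the server matters even when the cookie is expired correctly: a token copied out of the browser before logout would otherwise keep working until its own expiry.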