I have some simple PHP scripts. One is to display the login user, and the other one is to log out. These are code fragments from a larger file. Anyway, first I executed the login script and entered the user name; the user name showed up fine. Next I executed the logout. If I entered the login page again, I would have expected the login_user to be empty, but it is not. The older login_user name is still there. If I clear the cache and bring up the login page again, the login_user is gone. How do I clear the session data for good?
Here is the login.php
<?php
session_start();
$_SESSION['myerror']="XXX";
displayLoginUser();
function displayLoginUser()
{
if (isset ($_SESSION['login_user']))
{
echo $_SESSION['login_user'];
}
} // end displayLoginUser
?>
Here is the logout.php
<?php
// NOTE none of the statements below seem to clear the login_user
$_SESSION['login_user'] = " ";
unset ($_SESSION['login_user']);
session_destroy();
header("location: library.php");
?>
TRY THIS:
session_start();
$_SESSION = array();
session_destroy();
will completely destroy the session and all its variables; no need to unset() or anything else.
This is just about the last thing I have left to do and I will have officially created my first PHP registration/login system.
What I have is a file called checksession.php. This file checks to see if a user is logged in/has a session created. If the user does, it should let them view their account page. If it isn't, it should send them to index.php.
As it stands, it is sending the user back to index.php even after successfully logging in. I am not sure what I am doing wrong in this script.
checksession.php
<?php
include('includes/db.php');
session_start();
$userSession = $_SESSION['username'];
$sql = mysqli_query($db, "SELECT emailAddress FROM users WHERE emailAddress='$username' ");
$row=mysqli_fetch_array($sql,MYSQLI_ASSOC);
$login_user=$row['emailAddress'];
if(!isset($userSession )) {
header("Location: index.php");
}
?>
username is referencing the username field they are filling out when logging in on the login form which is login.php.
On their account page, which in this case is account.php, I have the following:
<?php
include("includes/checksession.php");
?>
Should this be redirecting to index.php or should it be setting the session based on the username they are inputting? I did make sure the start_session(); on my login.php page as well.
Make sure it's session_start(); on your login.php page, not start_session();
Try to echo out the $userSession and $_SESSION['username'] to see what they actually hold
Try the statement this way:
if(isset($_SESSION['username'])) {
//do what ever
}else{
header("Location: index.php");
}
The variable $userSession will always be set; it may be null or an empty string, but it will always be set from your code.
Change the check to:
if(!isset($_SESSION['username'])) {
header("Location: index.php");
}
Ok
I don't know if this is the best way to do this, as I think I may be overcomplicating this, but here we go:
I took the check.php code and actually dropped this into my login code in order to set the SESSION.
Right below that I have the following code:
if(mysqli_num_rows($result) == 1) {
$_SESSION['username'] = $login_user; // Initializing Session
header("location: account.php"); // Redirecting To Other Page
} else {...
Logged in and voila. I am taken to my account.php like I would expect to be. If I log out and then try to view account.php, I am bounced back over to index.php.
This is frustrating, I've been working with PHP Sessions for a long time and haven't had this problem until now. I'm working on a basic login/logout script using PHP.
Here's what I have for my logout script.
logout.php
<?php
session_start();
unset($_SESSION['email']);
session_destroy();
header("Location:login.php");
?>
And therefore my login.php script has the following code:
login.php
// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");
if(pass and username are correct){
$_SESSION['email'] = $email;
session_write_close();
header('Refresh: 1; logged_in.php');
}
Now when I log in and I'm redirected to the logged_in.php page, from there when I go to the logout.php page, instead of being redirected to login.php it goes back to logged_in.php.
Which means that when it arrives to login.php the session still exists and it enters the following if statement in login.php
if(isset($_SESSION['email'])) header("Location:logged_in.php");
Try something like that:
session_start();
// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");
if(pass and username are correct){
$_SESSION['email'] = $email;
session_write_close();
header('Refresh: 1; logged_in.php');
}
session_regenerate_id(true) worked for me. I was having the same issue before. It appears that some browsers do not properly delete the session cookie while they are active. Regenerating the ID gives you a fresh session, though you should still of course delete your old session as you have. I'm not quite sure if this is a fix or a workaround, but it works. session_regenerate_id will create a new session variable and delete the old one if you set the parameter to true.
I have a small website using a session to check for a user login.
When the user clicks logout they are being redirected to a page containing only session destroy.
The code is as follows:
<?php
session_start();
if(session_destroy()) {
$_SESSION = array();
header("Location: http://domain.com/");
}
exit();
?>
I've tried to remove the if statement to check for any problem when destroying the session.
I have even used unset and setting the array to empty.
Still when redirected to the domain homepage the user is still logged in and the session is still set.
Also I tried to unset the specific session and still nothing happens.
--
Update:
The session is not even being returned as an empty value. Echoing the session after logout still returns the value of the username.
This answer should help. As Roland Starke mentioned in a comment, session_destroy will not remove a cookie.
https://stackoverflow.com/a/3512570/3563178
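Added example, not part of any post in these threads: a logout.php that covers both points raised above, the missing session_start() in the first question's logout script and the session cookie that session_destroy() leaves in the browser. The redirect target login.php is an assumption.

```php
<?php
// Added example: complete logout. It clears the server-side data AND
// expires the browser's session cookie, which session_destroy() alone
// does not do.
function logout_session(): void
{
    // The session has to be resumed before it can be emptied or destroyed;
    // without this, $_SESSION is just an ordinary local array.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every variable held in this request's copy of the session.
    $_SESSION = [];

    // 2. Expire the session cookie, using the same path/domain/flags it was
    //    issued with so the browser matches and removes it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session record.
    session_destroy();
}

logout_session();
header('Location: login.php'); // assumed redirect target
exit;                          // stop here so nothing else runs after the redirect
```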
try this.
<?php
session_start();
if(session_destroy()) {
echo '<meta http-equiv="refresh" content="0;URL=http://domain.com">';
}
exit();
?>
I think the header is throwing an error in this particular case of yours. hmmmm.....(Header already sent)...
I am trying to verify that a user has logged in before showing them the page, using the method below, while the if/else method works when wrapped around plain html, it is failing when there is php involved. I am a novice by the way. What happens is the page simply loads as if the two tags below weren't there...which would be fine had I previously logged in, but I hadn't.
<?php
session_start();
if(isset($_SESSION['user'])) {
?>
HTML/PHP Page goes here.
<?php
} else {
header("Location: cms/admin/loginreadmode.php");
}
?>
Thanks in advance,
You can debug just below your session_start(); by printing your session:
echo '<pre>';
print_r($_SESSION);
die();
If $_SESSION['user'] isn't showing up in your array, it isn't being set.
You can do this like this:
session_start();
$_SESSION['user'] = true;
Are you sure that you have added session support in every page?
if (!isset($_SESSION)) {
session_start();
}
This code should be working, so the mistake is probably somewhere else. I suggest checking if you set $_SESSION["user"] after login.
You should also replace your not-working code part with simple
echo "hello";
to check it.
1) That is not a great method of checking whether a user is logged in; purely checking whether a user session exists can end up causing a lot of problems. Storing the ID in the session and then checking whether the ID is valid may be a better way.
2) When I copy the code above into a test document it goes straight to the redirect page in the else statement. This is down to the user session not being set, as soon as I set the user session before the code is executed it works fine. I see 'HTML/PHP Page goes here.'.
Setting the user session:
$_SESSION['user'] = 'TestUser';
You can change the code at the top of the page to be
<?php
session_start();
if(!isset($_SESSION['user'])) {
header("Location: cms/admin/loginreadmode.php");
die();
}
?>
I have a couple of questions about PHP session based logins. I have used the following tutorial to create a login form that connects to an existing user database that I have:
http://www.sourcecodester.com/tutorials/php/4341/how-create-login-page-phpmysql.html
I understand most of it, but I'd just like to query a couple of things that I do not understand:
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
session_write_close();
header("location: home.php");
exit();
The following code goes in the login_exec.php page - I think that this code is setting the session ID upon a successful login - am I correct?
What I do not understand is the reason for "SESS_MEMBER_ID", "SESS_FIRST_NAME" and "SESS_LAST_NAME" - why is that there and what is it doing precisely?
My second question. In "home.php" - when a user clicks "logout", they are directed back to index.php and somehow the session is being destroyed. How, exactly, is the session getting destroyed when clicking "logout".
Thirdly, is it possible to change "home.php" so that there is an if/else statement in place that says something like "if logged_in echo "yay, you are logged in" with a variety of logged in content, "else if not_logged_in echo "sorry, you are not logged in and cannot view this page, please go to the following page to log in". If it is possible, how would I do that?
Many Thanks
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
The following code goes in the login_exec.php page - I think that this
code is setting the session ID upon a successful login - am I correct?
Yes, it sets the session, and also saves some member information into the session itself before saving it. That way, the information will be available without further querying the database. More, if the information is not present, we know that the user is not authenticated.
You could also store the whole of $member
$_SESSION['member'] = $member;
but doing so saves the password also, and it's not good practice to have the password coming along hidden in the session in all subsequent pages. You can do this, though:
unset($member['password']); // $member is a copy of the database row, untouched.
$_SESSION['member'] = $member;
My second question. In "home.php" - when a user clicks "logout", they
are directed back to index.php and somehow the session is being
destroyed. How, exactly, is the session getting destroyed when
clicking "logout".
Usually this is done with a redirect and a session_destroy.
Thirdly, is it possible to change "home.php" so that there is an
if/else statement in place that says something like "if logged_in echo
"yay, you are logged in" with a variety of logged in content
Yes, using the above $_SESSION:
<?php
if (!empty($_SESSION['SESS_MEMBER_ID']))
{
?>
Welcome, <?php print $_SESSION['SESS_FIRST_NAME']; ?>!
<?php
} else {
?>
Sorry, you need to LOGIN!
<?php
}
?>
Yes: session_regenerate_id(); is setting your session ID.
The other session variables are set (SESS_MEMBER_ID etc) so you do not have to make a query all the time for the data. So these variables (ID, first name and last name) are stored in the session. So you can simply do <? echo "Welcome ".$_SESSION['SESS_FIRST_NAME']; ?> for "Welcome Zach"... plus you can do further checks to ensure the session data matches the database record for that member to ensure it hasn't been spoofed.
Thirdly, you could do
if(!empty($_SESSION['SESS_MEMBER_ID'])){ echo "Yay ".$_SESSION['SESS_FIRST_NAME'].", you are logged in"; }else{ echo "XX"; }
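Added example, not taken from the tutorial or from any answer above: the login step and the page guard discussed in this thread, written so that the session ID is replaced at login, the password never enters the session, and a protected page stops executing after the redirect. The session keys and column names follow the thread; the login.php target and the sample row are assumptions.

```php
<?php
// Added example. Keys and column names (SESS_MEMBER_ID, mem_id, username,
// password) follow the thread; login.php as the redirect target is assumed.

// Call once, immediately after the credentials have been verified.
function establish_login(array $member): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a new ID for the authenticated session. Passing true deletes the
    // old session record, so an ID known before login is useless afterwards
    // (this is the defence against session fixation).
    session_regenerate_id(true);

    // Keep the password (or its hash) out of the session entirely.
    unset($member['password']);
    $_SESSION['SESS_MEMBER_ID']  = $member['mem_id'];
    $_SESSION['SESS_FIRST_NAME'] = $member['username'];
}

// Call at the top of every protected page, before any output is sent.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['SESS_MEMBER_ID'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the rest of the page still runs and is sent
    }
}

// Constructed sample row standing in for the database result.
establish_login(['mem_id' => 7, 'username' => 'zach', 'password' => 'constructed-hash']);
require_login();

// Escape session data on output like any other user-supplied value.
echo 'Welcome, ' . htmlspecialchars($_SESSION['SESS_FIRST_NAME'], ENT_QUOTES, 'UTF-8') . "!\n";
```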