Logout and header to page without cache - php

So, I have the following logout script (as taken from php.net):
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header(...); //See Below
?>
The website has a header that echoes either a login form (when not logged in) or "Welcome, User" (when logged in).
I have tried:
header("location:http://example.com");
in my logout script, but the website header still echoes "Welcome, User" until the page is refreshed. It is seemingly loading from cache(?).
One way I have gotten around this is changing the line to:
header("location:http://example.com?a=".uniqid());
As much as this works, it looks ugly in the address bar.
Is there a way to achieve the redirect without loading from cache or changing the address bar to remove the GET variable?
EDIT: OK, so this is strange... When I have the Chrome Dev Tools open to check the header response, it works fine. As soon as I close the Dev Tools, the problem comes back. Really need some help with this people!


Why isn't this session destroyed?

I have this logout.php page that I use to log out from my PHP project.
<?php
session_start();
$conn4 = mysqli_connect("localhost", "root", "", "winkcage");
$useronline = $_SESSION["unamsession"] ?? '';
// bind the username as a parameter instead of interpolating it into the SQL string
$stmt = mysqli_prepare($conn4, "UPDATE signup SET seen='' WHERE username=?");
mysqli_stmt_bind_param($stmt, "s", $useronline);
mysqli_stmt_execute($stmt);
session_destroy();
session_unset();
header('Location: login.php');
exit;
?>
[Both in Firefox and Chrome]: When I click the logout button, the page is redirected to login.php, but when I load the home page again in a different tab (which should open only when the session is not destroyed), it loads instead of redirecting to login.php (this would be my index page).
I don't know what's wrong with this code. Does writing session_destroy() before session_unset() make any difference? How do I fix it?
[Only with Chrome, in Firefox it's okay]: When I close Firefox, the session is automatically destroyed, which is obvious, but it's not with Chrome. Chrome isn't destroying it. How is that possible? I've checked my code thoroughly but I didn't find any code line related to cookies.
Another problem is that when I'm logged in for a few minutes (I guess 20-30), the session is automatically destroyed. Is it possible that I have written some code by mistake for this? Or is it default?
Not sure if you are using cookies or not, but I think this will solve it:
....
$queryseenrun = mysqli_query($conn4, $queryseen);
session_unset();
$_SESSION = array();
// get the session cookie parameters
$params = session_get_cookie_params();
// delete the actual cookie
setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
// destroy the session
session_destroy();
// redirect to login.php
header("Location: login.php");
exit();
From http://php.net/manual/en/function.session-unset.php
Session unset simply clears the session for use but it is not destroyed, it is still on the user's computer.
Try the following:
session_start();
session_destroy();
$_SESSION = array();
header('Location: index.php');
exit; // stop the script so nothing runs after the redirect

PHP session cannot be restarted sometimes

I have a PHP script which returns a receipt to a customer purchasing on my website. When they get the receipt, I want to be able to start a new session. So far I have a piece of code at the end of the script which returns the receipt page. It is:
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(),
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );
}
session_destroy();
session_regenerate_id(true);
When I use the website and go through the purchasing process, after the receipt page is served, the session id remains the same.
Yet, I took the above code and placed it in a separate script called 'regenerate.php'. I then called this in another script, like so:
<?php
include("regenerate.php");
session_start();
echo("<br>id:".session_id());
include("regenerate.php");
session_start();
echo("<br>id:".session_id());
include("regenerate.php");
session_start();
echo("<br>id:".session_id());
include("regenerate.php");
session_start();
echo("<br>id:".session_id());
?>
When I run this script, the session id changes each time the regenerate script is run. However, the same code does not work in the intended page I am trying to serve up before restarting the session.
Is there any reason it might work in one case and not the other? I thought it might be because text is already being written out to output, however it happens in both cases.
You can't generate a new session during the same request, after sending output to the browser.
Simply because the session cookie has already been sent - with the headers. So most likely your second call to session_start() gives an error.
You can find more about turning display_errors On here: How do I get PHP Errors to display?

session is not destroyed

I have this file
secure.php
<?php
session_start();
if (empty($_SESSION['u_name'])) {
    header("Location:emprego.php");
    exit; // stop here, otherwise the rest of the page is still executed
}
if (isset($_GET['logout'])) {
    session_destroy();
    header("Location:emprego.php");
    exit;
}
$name = $_SESSION['u_name'];
?>
<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>";?></li>
Basically, if I log out, I am redirected to emprego.php. But if I click the back button (the arrow in the browser), I can view the same page (secure.php).
My question is, why?
Thanks
http://nl2.php.net/manual/en/function.session-destroy.php
Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.
if (isset($_GET['logout'])) {
    unset($_SESSION['u_name']); // makes that variable non-existent (it does unset it)
    session_destroy();
    header("Location:emprego.php");
    exit; // do not keep executing the page after the redirect header
}
Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.
It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.
If you're using session cookies, also try expiring the session cookie explicitly, like this:
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.
I recently found header_remove(); http://php.net/manual/en/function.header-remove.php
Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.
Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.
All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:
if (isset($_GET["logout"])) {
    if (isset($_SESSION["username"])) {
        unset($_SESSION["username"]);
        session_destroy();
        header("Location:/?logout=true");
        exit;
    }
    header("Location:/");
    exit;
}

session_destroy() and setcookie fail

I'm trying to logout of my page but session_destroy and setting cookies does not work. Here's my code:
$page = $_GET["page"];
if ($page == "logout") {
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
    echo <<<html
<br /><br /><br /><p align="center"><b><font color="#000080">You've successfully logged out.</font></b></p>
<p align="right"><b><font size="3" color="#FF0000">Redirecting...</font></b></td>
html;
    echo ("<META HTTP-EQUIV=Refresh CONTENT=\"4; URL=index.php\">");
    exit ();
But it's not working - the session is not destroyed and the cookies remain the same. I've also tried just setting a cookie to a different value with no success. Other parts of the code create cookies, access and use them, but in the logout part I can't destroy them. Can someone tell me what's wrong here? Should cookies and sessions be set/unset/destroyed at the beginning of the page like session_start? Or is something else wrong?
setcookie() must be called before your script generates any output, as it affects the headers, which are sent to the client before the actual response body.
The code snippet you posted looks like you echo some stuff before the posted code is called (the output string does not contain an opening html tag). So make sure that your code is placed before any output is echoed, but after session_start() is called, then it should work.
You have to call session_start() before session_destroy() will work as session_destroy operates on the current session, which does not exist if you have not called session start.
Does the page have a session_start() before session_destroy()? It needs to be.
If we don't call session_start() at the beginning of the page, we cannot have session variables to operate on in that page.

How to destroy the session cookie correctly with PHP?

I'm trying to correctly log out of an admin user. Here is my function:
function logout()
{
    $_SESSION = array(); // destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}
Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. But my code doesn't work. I hit logout, and I can just directly navigate back to the admin page. However, if I delete my cookies, the functionality is perfect. So what's wrong with the cookie deleting function here?
If you really want to cover all bases try doing:
setcookie(session_name(), "", time() - 3600); // the cookie is named session_name() (e.g. PHPSESSID), not session_id()
session_destroy();
session_write_close();
That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set; however, the $_SESSION superglobal will be blank.
Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.
Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.
Just a tip for others who are having issues expiring session cookies:
PHP - why can't I get rid of this session id cookie?
Always use session_get_cookie_params() as in the answer to the question in the link above.
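As an added example that is not code from any of the posts above, here is one way to combine what the answers recommend: expire the cookie under its real name with the parameters from session_get_cookie_params(), destroy the session, exit after the redirect, and send Cache-Control: no-store from protected pages so the stale "Welcome, User" header from the first question (and the back-button view from the secure.php thread) can no longer come from the browser cache. The file names login.php / index.php, the session key u_name and the PHP 7.3+ array form of setcookie() are assumptions.

```php
<?php
// Added example, not code from any post above. Assumes PHP >= 7.3 (array form
// of setcookie()) and the file names login.php / index.php used in the threads.

// Protected pages must send this, or the Back button (and a redirect to a page
// the browser already holds) replays the stale "Welcome, User" copy.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');                       // HTTP/1.0 caches
}

// Call at the very top of every protected page, before any output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_store_headers();
    if (empty($_SESSION['u_name'])) {
        header('Location: ' . $loginUrl);
        exit;                     // nothing below a redirect may keep running
    }
}

// logout.php: wipe the data, expire the cookie, then redirect.
function logout_and_redirect(string $target = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();          // session_destroy() needs an active session
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // The cookie is named session_name() (e.g. PHPSESSID), not session_id(),
        // and path/domain/secure/httponly must match what PHP originally set.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();
    send_no_store_headers();      // the redirect response itself is not cacheable
    header('Location: ' . $target, true, 303);
    exit;
}
```

With no-store on the target page, the uniqid() query string from the first question is no longer needed to defeat the cache.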
