I want to create a logout / sign out link from a 'members only' area of my website. So I created a logout.php script for this that the sign out link will navigate to and then I used header to redirect to index.php. My question is how do you prevent a user from navigating to the logout.php script by simply typing in the URL?
How do you prevent this for any instance for that matter?
For clarification:
I want users to logout using the sign out link ONLY i.e. by clicking on it; not by typing in the URL address of the logout script.
logout.php is as follows:
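<?php
session_start();
if (isset($_SESSION['user'])){
    // Empty the session data; unset($_SESSION) would stop PHP from registering session variables
    $_SESSION = array();
    session_destroy();
    header ('location: index.php');
    // Stop the script once the redirect header has been sent
    exit;
}
?>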
You can stop that by making the logout.php a POST page rather than normal GET. One way of doing this is changing your Log Out link to actually be submitting a form, rather than just a normal link. Then on the logout page, check the form was really submitted before logging out. That will mean anyone just typing in the URL won't be logged out, while users clicking the link will be.
An example of this would be to make your HTML like
<form action="logout.php" method="post" name="logoutform">
<input type="hidden" name="logout" value="y">
Log Out
</form>
You'd probably want extra CSS to remove the form styling too.
The code in logout.php can be:
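<?php
// isset() avoids an undefined-index notice when the page is opened directly
if (isset($_POST["logout"]) && $_POST["logout"] == "y") {
    /* Getting here means they clicked the link, so log them out */
}
?>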
You can't stop them from typing logout.php in the browser, but this will ensure they will only actually log out when they submit the form (i.e. click the log out link). Just typing in the URL will get a blank page.
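A fuller version of the POST-only logout described in the answer above, as an added example that is not part of the original answer: logout.php answers a typed URL with a confirm button, and a POST only logs the user out when it carries a token tied to that visitor's session, so a form on another site cannot trigger the logout. The `csrf` session key and form field and the `csrf_token()` helper are assumed names.

```php
<?php
// Added example, not code from the answer above. The 'csrf' session key and
// form field and the csrf_token() helper are assumed names.
session_start();

// Return this session's logout token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Typed URL, bookmark or prefetch: show a confirm button, do not log out.
    // The members-area sign out form carries the same hidden field.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="logout.php">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . '<button type="submit">Log out</button></form>';
    exit;
}

// A POST must carry the token stored in this visitor's own session.
$sent = $_POST['csrf'] ?? '';
if (!is_string($sent) || empty($_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $sent)) {
    http_response_code(403);
    exit('Invalid logout request');
}

// Clear the data, expire the session cookie, then destroy the stored session.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();

header('Location: index.php');
exit;
```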
I want users to logout using the sign out link ONLY; not by typing in the url address of the logout script.
It is not really possible to avoid a visitor from changing the address bar URL in their browser. There's no real way to determine how the user accessed logout.php -- by typing in the URL directly or from a page on your website.
I think you're approaching the issue from the wrong perspective, but if you really want to do this, I'd suggest using a session variable.
This is a basic logout in PHP.
<?php
// Handle the logout before any HTML is sent; header() fails once output has started
if (isset($_POST['cerrar'])) {
    session_start();
    session_unset();
    session_destroy();
    header("location: index.php");
    exit();
}
?>
<form action="index.php" method="post">
<li>
<i class="fa fa-fw fa-power-off"></i><input type="submit" name="cerrar" value='Cerrar sesión' style="outline:none;padding: 0; border: none; background: none;">
</li>
</form>
Coz of this virus in China, bosslady asked us to try to do classes online. I want the students to login, so I know who is present.
Login works. It checks user name and password. If correct, I'm in. Logout seems weird!
I have this below for logout.inc.html.php:
<form action="" method="post">
<div>
<input type="hidden" name="action" value="logout">
<input type="hidden" name="goto" value="/">
<input type="submit" value="Log out">
</div>
</form>
Shows a nice Log out button when I put this on any page:
<?php include $_SERVER['DOCUMENT_ROOT'] . '/includes/logout.inc.html.php';?>
The form above does take me back to the root page when I click the button, so that bit is working. But if I click say, the button for class 19BE1 again, where I should be logged out, I am not asked to login again. It just opens. Maybe some cookie thing??
This is part of /includes/access19BE1.inc.php I got this from my textbook PHP & MySQL: Novice to Ninja
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['name']);
unset($_SESSION['password']);
header('Location: ' . $_POST['goto']);
exit();
}
It is supposed to unset everything! Will I be timed out eventually?
I got this from stackoverflow, still not logged out!
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
//session_start();
//unset($_SESSION['loggedIn']);
//unset($_SESSION['name']);
//unset($_SESSION['password']);
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
header('Location: ' . $_POST['goto']);
exit();
}
Any tips please for this virus-avoider??
EDIT: I opened a private window in Firefox. I opened localhost. I get my webpage. I click the button for class 19BE1. I immediately get the login page. I enter a wrong name and number, which brings me back to the login page with the error message. I enter a correct name and password, I get the page I want. So I think login is working.
Maybe, Firefox is saving something??
If you tried the stackoverflow answer with the session_start() line commented out, the session_destroy() would not work.
You can try the simple code below, which you can modify to your requirements:
<?php
session_start();
session_destroy();
header('location: index.php');
?>
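The logout handlers in the question above pass `$_POST['goto']` straight into the `Location` header, so the redirect target comes from the request. An added example (not from the textbook or the answer) that accepts only same-site paths before redirecting; `safe_local_path()` is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example. safe_local_path() is a hypothetical helper, not textbook code.
// It returns $goto only when it is a path on this site, otherwise $default.
function safe_local_path($goto, string $default = '/'): string
{
    if (!is_string($goto) || $goto === '' || $goto[0] !== '/') {
        return $default;            // missing, not a string, or an absolute URL
    }
    if (isset($goto[1]) && ($goto[1] === '/' || $goto[1] === '\\')) {
        return $default;            // "//host" and "/\host" leave the site
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $goto)) {
        return $default;            // control characters have no place in a header
    }
    return $goto;
}

if (isset($_POST['action']) && $_POST['action'] === 'logout') {
    session_start();                // resume the session before touching it
    $_SESSION = [];                 // drop loggedIn, name, password and the rest
    session_destroy();              // remove the stored session data
    header('Location: ' . safe_local_path($_POST['goto'] ?? null));
    exit();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values showing what the helper keeps and replaces.
    $samples = ['/', '/classes/19BE1.php', 'https://example.org/',
                '//example.org/', "/a\r\nX-Test: 1"];
    foreach ($samples as $sample) {
        printf("%-26s => %s\n", json_encode($sample), safe_local_path($sample));
    }
}
```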
I have the following code on a web page that is entered by a number of unique URLs.
This web page cannot use history.back or other javascript as it is impossible to account for the amount of clicks on this page.
I came up with this solution below to try to get & save the original referer page URL for later use. Basically upon page entry if the SESSION Variable whodat1 is empty it should populate. The only problem is that session is overwritten each time a page refresh occurs.
How do I make this session permanent or not overwritten when the page refreshes?
<!-- back to map button-->
<?php
if(isset($_SERVER['HTTP_REFERER'])) {
if(empty($_SESSION["whodat1"]))
$_SESSION["whodat1"] = $_SERVER['HTTP_REFERER'];
//echo $_SESSION["whodat1"];
?>
<input type="button" value="Back To Maps" id="show" onClick="window.location.href='<?= $_SESSION["whodat1"] ?>'" style="height:30px; background-color:#006; color:white;">
<?php }?>
Refreshing won't make session disappear or expire. Make sure you have
session_start()
This is my admin panel code:
<form action="connectdb.php" method="post">
<input type="text" name="name">
<input type="submit">
</form>
So, the code in connectdb.php will only run if the "submit" button redirects a user to it. It will not run if a user directly opens the /connectdb.php page.
Do I need to start some session, something like that?
Note: I am a newbie, so please explain in detail.
Since your form is using method="post" you can place the following code at the very beginning of your connectdb.php file:
<?php
if (empty($_POST)){
exit;
}
//The rest of your code goes here
This checks to see if the $_POST variable either does not exist or does exist but is empty. If this returns true that means your form was not submitted and a user went to the page directly. The script will then exit and a blank screen will be displayed.
Instead of displaying a blank screen, you may instead want to redirect to a different page such as this:
<?php
if (empty($_POST)){
header("Location: index.html");
exit;
}
//The rest of your code goes here
Whenever you do a redirect like this, it is important to place an exit; statement directly after it, otherwise your script could still process some of the other statements and send data to the browser that shouldn't be sent. This of course could be a security risk in some cases. An exit statement prevents this kind of security risk.
Not sure if you really need it, but you can add a name attribute like the following:
<input name="submit_button" type="submit">
So when you click this button a $_POST['submit_button'] variable will be created on the PHP side, and then you can use it to check if the button was clicked:
if(isset($_POST['submit_button'])){
// your code
}
<input type="submit" name="submit_btn">
Now in your connectdb.php check,
<?php
if(isset($_POST['submit_btn']))
{
//do your code
}
else
{
//redirect to your home page
}
?>
I need to create a button to log out in Joomla, I mean, the user usually enter the session but then must press the button I created to close this session, I know how to check if any user has entered the session and I know how to display the button, what I don't know is how to make that button close the actual user session (log out).
This is the base code I have:
<?php $user =& JFactory::getUser(); ?>
<?php if ( ($user->id)==0 ) : ?>
//***code for not opened session***
<?php else : ?>
<form id="form1" name="form1" method="post" action="">
<input type="button" name="button" id="button" value="Close Session" />
</form>
<?php endif ?>
How to make that button to close the joomla 2.5 session, I checked the API page but i didn't find it.
To create a log out button, you could create a link with the class "button".
In Joomla > 1.7 (also 2.5.x) you need the JUtility::getToken() part to make the login successful: Use the optional "return" part for redirecting the user back to the page where the user was when clicking the button
<a class="button" href="<?php echo JRoute::_('index.php?option=com_users&task=user.logout&'. JUtility::getToken().'=1'); ?>">
Logout
</a>
If you want to redirect back to the page where the user was when he/she clicked the logout button, add a base64 encoded return parameter:
<a class="button" href="<?php echo JRoute::_('index.php?option=com_users&task=user.logout&'. JUtility::getToken().'=1&return='.base64_encode(JURI::current())); ?>">
Logout
</a>
the correct link is actually
JRoute::_('index.php?option=com_users&task=user.logout&'. JUtility::getToken() .'=1');
This also works for joomla 2.5. I swapped JURI::current() with $_SERVER['REQUEST_URI'] from #Beatniak code
<a class="button" href="<?php echo JRoute::_('index.php?option=com_users&task=user.logout&'. JUtility::getToken().'=1&return='.base64_encode($_SERVER['REQUEST_URI'])); ?>">
Logout
</a>
You may also try this for Joomla 2.5
<a href="index.php?option=com_users&task=user.logout&<?php echo JUtility::getToken(); ?>=1">
<input type="button" name="Submit" class="button" value="Logout">
</a>
works good for me
Use this link -
http://www.domain.com/index.php?index.php?option=com_user&task=user.logout&token=<?php echo JUtility::getToken(); ?>
Link to a php page
Sign Out
On the php page, simply end the session, then redirect to a new page.
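<?php
session_start(); // resume the session so there is something to destroy
session_destroy(); //session is now over
header( 'Location: http://www.yoursite.com/welcomepage.php' ) ; //relink to a page, with user logged out
exit; // stop the script after the redirect
?>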
User is now logged out, and redirected to the welcome page
With Joomla 2.5 you need to make a new menu item titled Logout and choose the menu type to be the User Manager - Login Form.
By doing this if the user is logged in then this will take them to a page with a logout button instead of the login form.
Also if you set the access permissions to only display this logout menu item for registered users.
This was a very easy solution to do without any coding knowledge.
Really there should be a menu item option for the user manager - logout.
I have two pages in a WordPress installation - one with a MailChimp signup form, and then a second page which shows a thank you message where the user is sent after completing the MailChimp signup form.
Right now, the thank you page is just a regular WordPress page. While there are no links to it in the navigation, it is possible to visit the page directly if you have the URL.
However, I need to make this page so that it cannot be accessed unless the signup form was submitted, and I also need to make sure that the page cannot be refreshed. How would I go about doing that?
Put this on top of your page.
The form action on the first page must be the 'thank you' page.
<form method="POST" action="page2.php">
Your form input.
<input type="submit" name="submit" />
</form>
Page 2:
<?php
if(!isset($_POST['submit'])){
echo('You hacker!');
}else{
// Rest of the page
?>
<html> etc.
thank you bla bla....
<?php
}
Use the referrer from the $_SERVER variable.
In your thank-you page, put something like this
if ($_SERVER['HTTP_REFERER'] == 'mailchimp_host') {
echo 'Thank - you ';
....
}
else {
echo "Not authorized to view this page";
}
Substitute mailchimp_host with the real hostname of the mailchimp server that is doing the subscription of the user. See your log files!