I have an index.php which contains my login form and uses a session to log in. How do I destroy the session every time a user accesses index.php, for security?
All you have to do is this:
session_unset();
or:
session_destroy();
depending on your requirement.
References:
http://php.net/manual/en/function.session-destroy.php
http://php.net/manual/en/function.session-unset.php
try this:
<?php unset($_SESSION['whatever']); ?>
Will remove the session.
// Completely remove session and associated data:
<?php
// open the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// delete the session cookie.
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_unset();
// Finally, destroy the session.
session_destroy();
?>
I am new to the PHP world. Currently, its version is 5.
I'm trying to prepare a logout script.
I tried:
session_start();
unset($_SESSION["abc"]);
session_destroy();
But still the session vars are alive. I also tried from php.net
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
Unfortunately, it's not working either.
Any help?
NOTE I already tried that and I mentioned that code in my question. So
it's not a duplicate question.
I have 2 user levels, one for admin_tbl and the other for cashier_tbl; they have the same database. My problem is that whenever I log out either cashier or admin, the other one is also logged out when I refresh the page. I don't know what the problem is. I used different tables, but it logs out both of them at the same time? Kindly help me with this problem and give me some ideas of what's wrong. Thanks!
UPDATE: That's my logout code for both cashier_tbl and admin_tbl.
This is my code for cashier_tbl:
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header("Location: index.php");
?>
And this is for my admin_tbl
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header("Location: index.php");
?>
Your problem is on this line:
if (isset($_SESSION['user_id']))
{
    header("Location: user_maintenance.php");
}
It redirects you to user_maintenance.php even if $_SESSION is empty. And on:
if (isset($_SESSION['user_id']))
{
    header("Location: order.php");
}
it is the same too.
This is the other, correct way.
I assumed you never set session_unset() or session_destroy() in your logout method.
Delete session_unset() and session_start(); in the first line of your code above; it's not necessary.
After checking the user login method like your code above, in your files order.php and user_maintenance.php, start the session. It would be something like this:
<?php
session_start();
// check whether the user is logged in or not
if (empty($_SESSION['login'])) {
    header('Location: user-is-not-login.php');
    exit; // stop here, otherwise the protected code below still runs
}
?>
// this area can be accessed if session is true.
Create a logout method in the location where the session was set, something like this:
<?php
session_start();
// clear the data while the session is still active, then destroy it
session_unset();
session_destroy();
header('Location: login.php');
exit;
?>
You need to destroy the session before setting a new session.
Hope this helps.
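Both logout scripts in the question destroy the whole session, so an admin and a cashier signed in from the same browser (an assumption here) lose their shared session together. The following is an added example, not code from the original posts: each role keeps its own session key and logout removes only that key. The key names 'admin' and 'cashier' and the helper names login_role() and logout_role() are hypothetical.

```php
<?php
// Added example, not from the original posts. Key and helper names are
// hypothetical; it assumes both roles share one PHP session cookie.

const ROLES = ['admin', 'cashier'];

// Record a successful login for one role. Call after session_start().
function login_role(string $role, int $userId): void
{
    // Issue a fresh session id whenever the privilege level changes.
    session_regenerate_id(true);
    $_SESSION[$role] = ['user_id' => $userId, 'since' => time()];
}

// Log out one role without touching the other role's data.
function logout_role(string $role): void
{
    unset($_SESSION[$role]);

    foreach (ROLES as $other) {
        if (isset($_SESSION[$other])) {
            return; // another role is still signed in: keep the session
        }
    }

    // No role left: clear the data, expire the cookie, destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Body of a cashier logout script: the admin login, if any, survives.
session_start();
logout_role('cashier');
header('Location: index.php');
exit;
```

Pages for each role then check their own key, for example isset($_SESSION['admin']), instead of a shared user_id key.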
Here is the code where the user is logged in. I cannot seem to be able to log out when I log in with 'remember me' not active...
while($user = $stmt->fetch(PDO::FETCH_ASSOC)) {
    $passwordDB = $user['mypassword'];
    $email = $user['email_address'];
    $userid = $user['user_id'];
}
if ($remember_me == "true"){ // Create a Cookie if remember_me is active
    $expire = time()+60*60*24; // Valid for only 1 day
    setcookie("cookie_username", $username, $expire, "/");
    setcookie("cookie_email", $email, $expire, "/");
    setcookie("cookie_userid", $userid, $expire, "/");
} else if ($remember_me == "false") { // Only create a session if remember_me is not active
    session_start(); // cannot logout if i put it here
    $_SESSION['session_userid'] = $userid;
    $_SESSION['session_username'] = $username;
    $_SESSION['session_email'] = $email;
}
My PHP logout code:
<?php
require_once 'mydatabase.php';
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
?>
I can properly log out when my 'remember me' check is on.
Issue solved: I accidentally erased my session_start() at the top of my logout and forgot to put it back in.
To kill off all the session variables you could try something akin to this
if( isset( $_SESSION ) ){
    $vars=array(
        'session_userid',
        'session_username',
        'session_email'
    );
    foreach( $vars as $var ){
        // remove each login variable from the session
        unset( $_SESSION[ $var ] );
    }
    // optional, stronger alternatives (left disabled):
    #session_unset();
    #session_destroy();
    #session_start();
    #session_regenerate_id( true );
}
Without knowing how you check if the user is logged in, I'd assume that you need to session_start(); in your logout code as well.
Use the developer tools to see which data the browser is currently holding.
I would use session_start and session_destroy() like this:
<?php
session_start();
session_destroy();
require_once 'mydatabase.php';
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
?>
<?php
session_start();
if (!isset($_SESSION['korisnik'])) {
    header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
    header("Location: home.php");
}
if (isset($_GET['Odjava'])) {
    unset($_SESSION['korisnik']);
    session_unset();
    session_destroy();
    header("Location: index.php");
    exit();
}
?>
Every time I press logout, home.php is just refreshed and the session is not over.
<?php
// start the session first so that $_SESSION and session_destroy() work
session_start();
if (isset($_GET['Odjava'])) {
    unset($_SESSION['korisnik']);
    session_unset();
    session_destroy();
    header("Location: index.php");
    exit();
}
if (!isset($_SESSION['korisnik'])) {
    header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
    header("Location: home.php");
}
?>
Try this, as you need to check it is set first; otherwise your script will redirect, as your if statement is above the session destroy.
To me this does the trick:
setcookie(session_name(), session_id(), 1);
$_SESSION = [];
i.e. first make the session expire (after the first second in the year 1970), then clear the $_SESSION variable.
Your first if block is run first and the session is still set at that time. Reverse the order of your if blocks and you may get a better result.
Better to use the PHP documentation approach:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
In order to also delete the session cookies.
I have a script which is meant to finish the current session and start a new one. There is a segment of code I use and it works fine on my development computer. However, when I posted it to the production server, the session id is constantly remaining the same.
The following is my code for restarting the session:
session_start();
$_SESSION = array();
$_POST = array();
$_GET = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(),
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );
}
session_destroy();
session_write_close();
session_start();
session_regenerate_id(true);
On the last line, a new session id is not generated.
Why would this be different between two servers running PHP? And what can I do to correct it?
After some experimenting I solved the problem.
The session_regenerate_id(true) line does not regenerate a new session id if any text has been written into the response. I already had a series of echo statements issuing text for debugging purposes and after I removed them new session ids were created.
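The behaviour found above, as an added example that is not part of the original posts: a guard that refuses to rotate the session id once output has started, with output buffering so that debug echo statements cannot send headers early. restart_session() is a hypothetical helper name, and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the original posts. restart_session() is a
// hypothetical helper; PHP 7+ is assumed for the return type.

function restart_session(): string
{
    // The session cookie travels in an HTTP header, so no body output may
    // have been sent yet. headers_sent() also reports where output began.
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "Cannot rotate session id: output started at $file:$line"
        );
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $oldId = session_id();

    // Drop every variable that belonged to the old session.
    $_SESSION = [];

    // true = delete the old session's stored data as well.
    if (!session_regenerate_id(true) || session_id() === $oldId) {
        throw new RuntimeException('Session id was not regenerated');
    }

    return session_id();
}

// Buffering holds debug output back until the headers have been set.
ob_start();
echo "debug: restarting session\n"; // unbuffered, this would send headers
$newId = restart_session();
ob_end_flush();
```

Failing loudly here is what exposes a difference between servers: one with output_buffering enabled in php.ini hides early echo statements, one without it does not.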
session_regenerate_id() updates the current session id with a newly generated one. It does not change session variables.
echo session_id();
session_regenerate_id();
echo session_id();
You should unset session to do that:
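// do not unset($_SESSION) itself: that disables session variable registration
$_SESSION = array();
How to start a new session:
session_start();
// clear and destroy the old session while it is still active
$_SESSION = array();
session_destroy();
// start again, then replace the id and delete the old one
session_start();
session_regenerate_id(true);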