I have created a login/logout system in my application but it's not working even using session_start();, session_destroy(); and session_unset (); etc.
Here is what I have done so far:
the first page (login)
<?php
if(
!isset($_SERVER['PHP_AUTH_USER'])||
!isset($_SERVER['PHP_AUTH_PW'])||
($_SERVER['PHP_AUTH_USER'])!="admin"||
($_SERVER['PHP_AUTH_PW']!="admin")
)
{
header('WWW-Authenticate: Basic realm="Accès refusé"');
echo 'Accès refusé';
exit;
}
else
session_start ();
$_SESSION['PHP_AUTH_USER'] = "admin";
$_SESSION['PHP_AUTH_PW'] = "admin";
echo '
and this is the logout part
<?php
session_start();
session_unset ();
session_destroy();
header("Location: index.php");
die;
?>
The problem is that the session is not destroyed, even when clicking the logout button.
You are using http authentication
Cookies and Sessions does not have any influence on http authentication
"No correct way exists" to logout.
Create another login/logout system, it's not hard.
Related
I have designed a website and there is a logout option in sub menu.The code is in HTML and is here:-
<p>logout</p>
Now this successfully brings me back to the adminlogin.php page but after that whenever I press the back button present at the top of web browser I go to that page again where I was before pressing logout button. But this should not happen if I have pressed the logout button then there should be no way to go back to that page unless I login again
To avoid browser back button after logout:
You Have To Add the top of each page, to check if the user is logged
in. If not, they should be redirected to a login page:
Example:
<?php
if(!isset($_SESSION['username']) && !isset($_SESSION['useremail'])){
header("Location: login.php"); // redirect to login page or index page if email and username is not set in session
}
?>
Now on Logout page, Simply unset the username and useremail
session variable, and destroy the session or ( Cookies). what you set.
Example:
<?php
if(isset($_GET['logout'])) {
session_start();
session_destroy();
unset($_SESSION["username"]);
unset($_SESSION["useremail"]);
header('Location: index.php');
exit;
}
?>
Working CODE For All Pages After User Login: Home.php about.php contact.php etc..
Example:
<?php
// After User Login and come to home page.
require 'database_conn.php'; // Connection
session_start(); // Session start
?>
<?php
// If User is Not Login Then Redirect to `index` Page Automatically
//if(!isset($_SESSION['username']) && !isset($_SESSION['useremail']))
if(!isset($_SESSION['useremail'])){
header("Location: index.php");
// Redirect to index page if email is not set in session
}
?>
Working CODE For to Logout User: Logout.php
Example:
<?php
// After User Click On Logout page.
require 'database_conn.php'; // Connection
session_start(); // Session start
?>
<?php
if(isset($_POST['logout'])) {
if(isset($_SESSION['useremail'])){
unset($_SESSION["useremail"]);
session_destroy();
session_unset();
header('Location: index.php');
}
}
?>
Simple Logout Button
Logout
logout.php
<?php
if(isset($_GET['logout'])) {
session_start();
session_destroy();
header('Location: login.php');
exit;
}
?>
Or If Cookie Set Then
<?php
if(isset($_GET['logout'])) {
unset($_COOKIE['access_token']);
header('Location: login.php');
exit;
}
?>
You need session to do this.
So basically when you logged in you need to set session variable like
$_SESSION['loged_in']=1; // set session with desired name
And on logging out you need to destroy this session value
unset($_SESSION["loged_in"]); // unset specific session
or
session_destroy(); // destroy al
And most important part you need to check for this session value on each page where you don't want user to go with out log in. like
if(isset($_SESSION['loged_in']) && !empty($_SESSION['loged_in'])) {
redirect('login.php'); // redirect to log in page
}
So far, I have only the login.html files which has login form, redirects user once logged on and logout function. What I want to do is once a user logs in, they redirect to but their username is displayed on the top of the page. And with the file... I just want it to be able to logout the user. So far on my website, I can login as far as I am concerned, and it redirects once user logs in, but I can login as many times as I want, and I can logout as many times as I want.... It's complicated to sort out and I want to do this without SQL or any other server-side storage (since I am only using HTML local storage).
You have to remove the session of username in logout code
unset($_SESSION['username']);
Hope this helps..If not,It would be better if you could provide the code, so that the problem can be sorted out
WRITE THIS ALL IN TOP PAGE
IN YOUR LOGIN PAGE
<?php
session_start();
if (isset($_POST["submit"])) {
$username = $_POST["username"];
$_SESSION["username"] = $username;
header('Refresh: 5; URL=GameWebsite.php')
}
?>
IN YOUR LOGOUT PAGE
if(isset($_SESSION['username']))
{
session_start();
session_unset();
session_destroy();
//Then you may redirect to the login page if you want after sometime.
echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
header('Refresh: 5; URL=login.php');
}
else
{
header("Location:login.php"); // HERE WHEN USER NO HAVE SESSION
}
IN ANOTHER PAGES YOU CHECK
if(isset($_SESSION['username']))
{
}else
{
header("Location:login.php"); // HERE WHEN USER NO HAVE SESSION
}
in your login page write on top
if(isset($_SESSION['username']))
{
header('Refresh: 5; URL=GameWebsite.html')
}
In your logout.php write
if(isset($_SESSION['username']))
{
session_start();
session_unset();
session_destroy();
//Then you may redirect to the login page if you want after sometime.
echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
header('Refresh: 5; URL=Login.html');
}
else
{
header("Location: login.php");
}
I'm pretty noob in PHP but I'm trying to exercise. Since yesterday I'm on a problem I can't even understand, I thought my code was correct but it seems wrong
So here is my function to allow pages for logged users only
functions.php
function logged_only()
{
if(session_status() == PHP_SESSION_NONE)
{
session_start();
}
if(!isset($_SESSION['auth']))
{
$_SESSION['flash']['danger'] = "You can't enter this page - not logged in";
header('Location: login/login.php');
exit();
}
}
So It's supposed to redirect me to login page if I'm not logged-in, simple
login.php
elseif(password_verify($_POST['password'], $user->password)){
$_SESSION['auth'] = $user;
$_SESSION['flash']['success'] = 'You're now connected';
header('Location: ../profile.php'); // user's homepage
exit();
There is some code above and under this, but it works pretty good.
So in this case the script should insert user's informations into his $_SESSION but it does nothing but redirect me at login.php. Also, the "profile.php" only contains "logged_only();" and a print_r (when I delete the redirection to login.php) of the $_SESSION, which shows nothing but "You can't access this page" (as I'm sending a message via $_SESSION)
Someone to guide me ? Thanks
You maybe should read about the session_start() in PHP: PHP Manual
In short words: session_start() starts a new session or recovers the already existing session with the client.
So after each redirect (also to your login.php) you need to call session_start().
There is no need for
if (session_status() == PHP_SESSION_NONE){
session_start();
}
You should only use
session_start();
(In both, your functions.php and your login.php) before accessing the $_SESSION variable.
functions.php
function logged_only(){
session_start();
if(!isset($_SESSION['auth'])){
$_SESSION['flash']['danger'] = "You can't enter this page - not logged in";
header('Location: login/login.php');
exit();
}
}
login.php
session_start();
// ... Rest of code
elseif(password_verify($_POST['password'], $user->password)){
$_SESSION['auth'] = $user;
$_SESSION['flash']['success'] = 'You're now connected';
header('Location: ../profile.php'); // user's homepage
exit();
I have been developing the following php script (+ sqlite database) to create a login for my web.
Up to now I had used just one PHP file, but now I want to use different files for login and protected contents, I mean, I used to have all my web in one file php (contents and password script were together) but now I want to detach it in different php files (one for the login, login.php, and other phps protected: index.php, calendar.php...)
I used this code to password-protect php content:
<?php require_once "Login.php"; ?>
but it doesn't seem to work: it displays the form to login next to the content I wanted to protect.
This is the php script I'm using as login.php:
<?php
$db = new PDO('sqlite:data.db');
session_start();
if (isset($_GET['logout'])) {
unset($_SESSION['pass']);
header('location: index.php');
exit();
}
if (isset($_SESSION['timeout'])) {
if ($_SESSION['timeout'] + 4 < time()) {
session_destroy();
}
}
if (!empty($_POST['pass'])) {
$result = $db->query("SELECT user,password FROM users");
foreach ($result as $row) {
if (password_verify($_POST['pass'], $row['password'])) {
echo "Welcome! You're logged in " . $row['user'] . "! <a href='index.php?logout=true'>logout</a>";
$_SESSION['pass'] = $_POST['pass'];
$_SESSION['timeout'] = time();
}
}
}
if (empty($_SESSION['pass'])) {
echo '<form method="POST" action=""><input type="password" name="pass"><form>';
}
?>
MY QUESTION IS: How can I use my php script to protect different files?Is there any way to embed a logout link too?
One way is to store a token in session variables when a user logs in. Confirm the token is there on each page, if it isn't redirect the user to the login page. For example assert_login.php:
<?php
session_start();
if('' == $_SESSION['token']) {
header("Location: login.php");
exit();
}
?>
Then, in the PHP at the top of each of your pages:
<?php
require('assert_login.php');
?>
You can also clear the session variable on logout, logout.php for example:
<?php
require('assert_login.php'); // has session_start() already
$_SESSION['token'] = ''; // empty the token
unset($_SESSION['token']); // belt and suspenders
header("Location: login.php");
exit();
?>
I was also going through same issue & the way I solved it:
PSEUDO CODE:
PHP SESSION START
if(isset(GET(logout){
SetLogout();
die()}
$redirect=false
if not session[auth] exists
if SERVER REQUEST METHOD IS POST
$redirect=true;
if POST(username) && POST(pass) exists
Sanitize both of them & assign to $user& $pass
if user == "John" && $pass == "secret"
Go To SetLogin();
else{
Go To SetLogout();
echo "Wrong Username or Password"
drawlogin();
die();}
} //user pass comparing ends
} //Server method is NOT POST, so maybe it is GET.
//Do nothing, let the control pass to next lines.
}//SESSION(auth) does not exists, so ask user to login
else {
drawlogin();
}
//Post-Redirect-Get
if ($redirect)
redirect header to this same page, with 301
die()
// Secret Content here.
function SetLogin($user){
$SESSION(auth) = TRUE;}
function SetLogout($user){
if SESSION(auth) exists
unset($SESSION(auth))
redirect back with 301, without query string //shake ?logout
}
function drawlogin(){
echo all the HTML for Login Form
What it does is, it checks various things/variables, and if all passes, the control passes to Secret Content.
Save it as pw.php, & include it on top of any file you want to protect. Logout can be triggered by Logout
Note that this is just a pseudo code, typed on a tablet. I will try to update it with actual version. It is not checked for errors. Use all standard PHP Security precautions..
I have a logout file for my web application. I would like to create a session after the logout so that I can echo a logout success message. My logout code works but I am unable to create a new session after destroying the previous one.
What is the best way to do this, see code:
//LOGOUT.PHP
session_start();
//// unset all $_SESSION variables
session_regenerate_id();
session_unset();
session_destroy();
$_SESSION['logoutsuccess'] = 'You have successfully logged out.';
header("Location: /login/");
exit;
//LOGIN.PHP (ECHO SUCCESS MESSAGE)
if(isset($_SESSION['logoutsuccess']))
{
echo '<div class="success">'.$_SESSION['logoutsuccess'].'</div>';
unset($_SESSION['logoutsuccess']);
}
I would like to avoid passing variables in the url if possible.
Call session_start() again after session_destroy()?
Just start a new session:
session_start();
session_destroy();
session_start();
$_SESSION['food'] = 'pizza';
Instead of trying to store it as a session variable, you could check the referer and check for /logout/
if(strpos($_SERVER['HTTP_REFERER'], 'logout') !== false) {
echo 'You have successfully logged out.';
}
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();