I was wondering why my session is always lost unexpectedly. My website depends almost entirely on the session; if the session is lost, it redirects to the login page.
Here is my code:
<?php
session_start();
if(!isset($_SESSION['login'])){
session_destroy();
header("Location:login.php");
exit();
}
include_once("action.php");
?>
How do I fix it? Thanks in advance.
I am assuming you lose your session when navigating between pages.
You need to include session_start(); on every single page that the user navigates to in order to continue their session.
This is my PHP code to end the session, but when I click on the back button it still goes back to my previous page.
<?php
session_start();
if(session_destroy()) // Destroying All Sessions
{
header("Location: login.php"); // Redirecting To Home Page
}
?>
Really you should not be able to view a page if you are not logged in. Just do this on the top of every page.
<?php
session_start();
//check some value that lets you know if a user is logged in.
if(empty($_SESSION['user_id'])){
header("Location: login.php");
exit; // stop here so the rest of the page is not sent
}
The redirect will happen even if your site is cached.
Take a look here: http://php.net/manual/en/function.session-destroy.php
This just deletes all data within the session but not the session itself. You also have to delete the session id and the session cookie (setcookie()).
There are two login pages, and if one is logged out the other is automatically logged out as well. How do I change that?
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
session_destroy();
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
session_destroy();
header("location: login.php");
?>
Please remove the session_destroy() function. session_destroy() deletes the complete session information for the request's session ID from the server. Hence both scripts log out.
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
header("location: login.php");
?>
When you use session_destroy(); you completely remove everything the server knows about your current session. Note that a session survives while the current browser instance is open; if you destroy the session you destroy all the session globals.
If you want to log out of just the admin or a normal user you should just change a session variable to reflect that.
As the others already pointed out, the problem is the call of session_destroy(), as this destroys the whole session.
But I'd like to add that you should maybe consider using a multidimensional array in your session for different purposes or, what is even better, use different sessions as they are in completely different areas (e.g. the admin session should definitely not be shared with a normal user session, using HTTPS cookies, etc.).
Unset the session variable, or set the session variable to empty, in logout.php.
adminlogout.php
<?php
session_start();
$_SESSION['ADMIN_UNAME']='';
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
$_SESSION['SESS_MEMBER_ID']='';
header("Location:login.php");
?>
I'm running two different php applications/sessions at the same time (on the same page), which I need to close/kill upon user logout and then redirect a user to a login page. Would this be the right way of doing it? Thanks.
<?php
session_name('loginsystem');
session_name('chatsystem');
session_start();
$_SESSION = array();
session_unset();
session_destroy();
header("Location:http://localhost:8888/vtracker2/index.php");
exit();
?>
You are nearly done; just do this:
<?php
session_start();
session_destroy();
header("Location:http://localhost:8888/vtracker2/index.php");
exit();
?>
The session_destroy() function unsets all the sessions which are active.
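Added example, not code from the posts above: PHP has one active session per request at a time, selected by session_name(), so two named sessions have to be opened and destroyed in turn, and giving the admin and member areas different names lets one be ended without touching the other. The names 'loginsystem' and 'chatsystem' come from the question; the helper functions and the login.php target are assumptions.

```php
<?php
// Added example; helper names are hypothetical, not from the original posts.

// Open the session that belongs to one application only.
function open_named_session(string $name): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Only one session can be active; a second session_name() call
        // would just replace the first name instead of opening both.
        throw new LogicException('destroy or close the active session first');
    }
    session_name($name);   // selects which cookie carries the session ID
    session_start();
}

// End one named session and leave every other named session alone.
function destroy_named_session(string $name): void
{
    open_named_session($name);
    $_SESSION = [];        // clear the data for the rest of this request
    session_destroy();     // delete this session's server-side data and
                           // reset the ID, so another name can be opened
}

// Log out of both applications, then go to the login page.
function logout_everywhere(): void
{
    foreach (['loginsystem', 'chatsystem'] as $name) {
        destroy_named_session($name);
    }
    header('Location: login.php');
    exit;
}

// Admin-only logout in a two-area site would be a single call with that
// area's own session name, for example:
//     destroy_named_session('adminsession');   // assumed name
```

Every page of each application has to call session_name() with the same name before session_start(), otherwise it falls back to the default session.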
I've got a login page then I made a link to a page called logout and it contains this code:
logout.php
<?php
session_unset();
session_destroy();
header("Location:");
?>
Yet when I log out and then hit the back button it takes me back. How do I change it so that it asks you to log in again before showing you your previous page?
On the page you're going back to (or any page for that matter) you need to do checks to see if the user is logged in or not (i.e. has a valid session) and if not, redirect them to the login page.
Additionally, it might help for you to add some no-caching headers to this particular piece of code.
You have not set any location to redirect to.
Should be:
header("Location:http://example.com/login.php");
This way when you logout, it will redirect the browser to login.php.
EDIT:
Also, it would help to add a session validation condition to your main page.
Something like:
if(!isset($_SESSION))
{
header("Location:http://example.com/login.php");
}
Before loading every page (or at least, every PRIVATE/RESERVED page) you should check the $_SESSION variable to determine if the user is legally logged in or not.
If you don't perform this check, everybody would be able to visit every page of your website if they have the direct link to it. They may see a broken version of the page, but access is nevertheless granted to users who are not logged in.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>
source: Manual
Try this to check on each page if the user is logged in:
if (!$_SESSION['logged_in']) { //you would have to make $_SESSION['logged_in'] when they login
header('location: login.php');
}
All this does is say: if $_SESSION['logged_in'] is NOT set, redirect them to the login page.
You would also need to do other checks to make it secure.
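Added example, not code from the answers above: a guard for protected pages that sends the no-caching headers mentioned earlier, plus a logout that opens the session, clears it, expires the session cookie and destroys the server-side data. The key 'user_id', the login.php target and the function names are assumptions; the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example; function names and the 'user_id' key are assumptions.

// Call at the top of every protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to keep a copy it could show on Back.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit; // without this the rest of the page still runs and is sent
    }
}

// Call from logout.php.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // the session must be open before it can be destroyed
    }
    $_SESSION = [];      // clear the data for the rest of this request

    // Expire the session cookie with the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();   // remove the server-side session data
    header('Location: login.php');
    exit;
}
```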
I am writing a script which is supposed to end a session for a user, and log them out of the system, thus returning them to the login page.
My logout script looks like this:
<?php
$_SESSION['signin'] = null;
session_destroy();
header("Location: /test/index.php");
?>
Initially I reset the signin variable; that way, even if the session isn't destroyed, the variable should have at least changed so that the system believes the user is logged out.
And at the top of my login page I have a condition to forward them to the home page if they are already logged in; that way they can't visit the login page once already logged in. This portion looks like this:
<?php
session_start();
if($_SESSION['signin'] == 5)
{
header("Location: /test/home.php");
}
?>
So in short, when someone is logged in and clicks the link to log out, it uses the first code block to log out, and then they are forwarded to the page containing the second block of code.
However, this page still forwards me back to the home page, believing the user is still signed in and thus I'm guessing the signin variable was not reset.
Thoughts on how to solve my issue?
session_destroy() does not unset any of the global variables within the session. Simply use:
session_unset();
to unset all global variables, or to only unset the specified variable, use:
unset($_SESSION['signin']);
You can try something like this.
session_unset();
You don't have to use
$_SESSION['signin'] = null;
Using session_destroy(); should be enough.
And I don't exactly know the deep stuff of PHP, but if you set a $_SESSION variable to NULL, PHP could read it as it is set to NULL which means 'it is set'? (don't know for sure though)
In this case, if you want to destroy a variable, you could do this:
Have a page named logout.php and whenever the user needs to log out, redirect him/her to that page. Now, inside that page you'll put the following, and here I'll explain what this does:
<?php
session_start(); //Initializes the session
unset($_SESSION['thenameofyoursession']); //This unsets a specific session, so the user is logged out, in this case it would unset "thenameofyoursession".
$URL="/test/home.php"; //This is the redirect URL
header ("Location: $URL"); //This basically will send the user back to the redirect URL using header.
die(); //terminates the PHP script from running
?>
With that you should be fine.
Your procedure is fairly obvious and similar to one that we use, however, it would be best to unset() the entire session if nothing in it is valid. -- If they aren't logged in, no session variables should exist.
My logout.php script includes this:
session_start();
session_register("loginMessage");
session_unregister("authenticatedUser");
session_destroy();
// relocate back to login page
header("Location: /");
Which works. session_unset() is historically redundant.
Hope this helps.