i am creating a website with login and logout and registration but an error appear every time i want to logout how to fix it i think the eroor is in the session this error make me crazy i did a lot of search about fixing the problem but i did not get any solution that help me.
logout.php
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
if(isset($_SESSION['username'])){
echo("we could not log out try again!");
exit();
}else{
header("Location: home.php");
}
?>
Not sure of your error, but reading about session_destroy would help you out.
My guess is the error is when checking if(isset($_SESSION['username'])){, as, according to the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
You never start the session again, so you can't use session variables.
Also, for further assistance with logging a user out, the following from the same page will help:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
And while it's not in the scope of the question - it will help you make a successful logout script.
session_destroy(); destroys all the sessions, so im not following the point of your If statement to check for username session ??
Secondly you don't actually need brackets for echo:
echo("we could not log out try again!"); exit();
Can be written as:
echo "we could not log out try again!"; exit;
<?php
session_start();
session_destroy();
if(isset($_COOKIE['id_cookie'])){
setcookie("id_cookie", "", time()-50000,"/");
setcookie("pass_cookie", "", time()-50000,"/");
}
header("Location: home.php");
exit();
?>
Related
I'm trying to destroy the session without using session_destroy because I want to carry the information message. My question is if my code is valid, I already reset the session by saying all $_SESSION is an empty array or for security reason using the session_destroy is a must but if I use session_destoy I can't pass the $_SESSION['msg'] anymore.
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>
You need session_unset()
session_unset just clears out the session for usage. The session is
still on the users computer. Note that by using session_unset, the
variable still exists. session_unset just remove all session
variables. it does not destroy the session....so the session would
still be active.
via: http://php.net/manual/en/function.session-unset.php
and then you can do it like
$_SESSION['msg'] = "You have logged out.";
so that the msg is added to session.
OR You can do it like this too:
$msg ="Whatever the message is";
header("Location: index.php?message=$msg ");
In index.php file
if(isset($_GET['message']) && !empty($_GET['message'])){
echo $_GET['message'];
}
1st you should use session_unset(); to remove all session variables/values rather than assigning a new array to it.
The main answer to your query:
I would recommend to use session_destroy() because it removes the internal session ID generated which would be validated at every request coming from a client device. To verify this, just print the session ID using the function echo session_id(); before and after emptying the session in the way you are doing. It would pring the same session ID.
So destroying it first and then creating new will be a good idea.
Once you destroy the session using session_destroy() you can start a new session again and set your message $_SESSION['msg'] in it.
Just user session_unset($_SESSION['session_name']); hope this will work.
You can use cookies; you would keep for example the username, the password and the connection status of the user. When the user comes back to your site, you know who he is and if he is already connected.
setcookie ("Msg", "you have logged out", time () + 3600);
(for a cookie of one hour, you put the time that you want ...)
Your code:
<?
session_start();
$_SESSION = array();
//session_destoy();
$_SESSION['msg'] = "You have logged out.";
header('Location: index.php');
?>
in the index page do below stuff:
<?php
if(!empty($_SESSION['msg']) && isset($_SESSION['msg'])){
echo $_SESSION['msg'];
unset($_SESSION['msg']);
}
?>
this will show your message once and unset it immediately.
There are two login pages and if one page is logged out other also automatically getting logged out how to change that?
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
session_destroy();
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
session_destroy();
header("location: login.php");
?>
Please remove session_destroy() function. session_destroy() delete complete session information for request with sessionid from the server. Hence both scripts logouts.
adminlogout.php
<?php
session_start();
unset($_SESSION['ADMIN_UNAME']);
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
unset($_SESSION['SESS_MEMBER_ID']);
header("location: login.php");
?>
When you use session_destroy(); you completely remove everything the server knows about your current session. Note a session survives while the current browser instance is open, if you destroy the session you destroy all the session globals.
If you want to logout of just the admin or a normal user you should just change a session variable to reflect that.
As the others already pointed out, the problem is the call of session_destroy() as this destroy the whole session.
But I'd like to add that you should maybe consider using a multidimensional array in your session for different purposes or, what is even better, use different sessions as they are in completely different areas (e.g. the admin session should definitely not be shared with a normal user session, using HTTPS cookies, etc.).
unset the session variable or make the session variable as empty in logout.php
adminlogout.php
<?php
session_start();
$_SESSION['ADMIN_UNAME']='';
header("location: adminlogin.php?logout=true");
?>
logout.php
<?php
session_start();
$_SESSION['SESS_MEMBER_ID']='';
header("Location:login.php");
?>
I have a small website using a session to check for an user login.
When the user click logout the are being redirected to a page containing only session destroy.
The code is as followed:
<?php
session_start();
if(session_destroy()) {
$_SESSION = array();
header("Location: http://domain.com/");
}
exit();
?>
I've tried to remove the if statement to check for any problem when destroying the session.
I have even used unset and setting the array to empty.
Still when redirected to the domain homepage the user is still logged in and the session is still set.
Also i tried to unset the specific session and still nothing happens.
--
Update:
The session is not even being return as an empty value. Echoing the session after logout still returns the value of the username.
This answer should help. As Roland Starke mentioned in a comment, session_destroy will not remove a cookie.
https://stackoverflow.com/a/3512570/3563178
try this.
<?php
session_start();
if(session_destroy()) {
echo '<meta http-equiv="refresh" content="0;URL=http://domain.com">';
}
exit();
?>
I think the header is throwing an error in this particular case of yours. hmmmm.....(Header already sent)...
I created a log out page and calling it through a href link but it not working the session was not destroying. Help me, the code n link are below.
logout.php
<?php
session_start();
session_unset();
session_destroy();
header("location:index.php");
?>
Make sure the file is on same server.
Write this code on the very top of everything else.
Additionally use this code
session_unset();
session_write_close();
session_destroy only destroys session on server end not the cookies, make sure you are not using cookies, if yes then see below code
To Set cookie
setcookie("cookieName", $value, time()+3600);
To Unset Cookie
setcookie("cookieName", $value, time()-36000);
More details about session: PHP: session_destroy - Manual
You probably need to regenerate the session ID:
session_regenerate_id();
In my working platform i endedup with a session_destroy problem
function logout()
{
$_SESSION['id'] = '';
session_destroy();
}
Here i unset the session id variable with a null value and uses the session_destroy() function to destroy the session.
But the problem is that after logged out from my account, when i press the back button of the browser it shows the status as logged in. Even i can browse through the profile and links of my account.
Thank you
you must unset session as well as destroy session to remove it completely from your system.
you can do it with php functions..
session_unset(); or you can use unset($_SESSION);
session_destroy();
it think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.