Session Destruction / Logout Odd Issue - php

My site uses a simple login system that creates a cookie for the username and a login session. If someone visits home.php and the login session is set as logged in, they are pushed to the logged in area. Otherwise they log in using a simple form and handler page. To log out, users click a link which takes them to logout.php, which contains the following code:
<?
session_start();
setcookie(username, $username, time()-360000);
session_start($_SESSION['login']);
$_SESSION["Login"] = "no";
header("Location: home.php");
session_destroy();
?>
Here is what is going on. Users who click the logout button are kicked out to the page home.php correctly. If they refresh the page they remain on the home.php page. Seems good so far.
However, if they navigate away from the home page, they are brought into the logged in area. And if they go to the URL of a logged in area they are not kicked out (because the session checking script confirms the session value is set as logged in).
I'm dumbfounded. I am not a PHP pro by any means though, so what am I doing wrong?

To invalidate your session you only need to delete your cookie.
setcookie("username", "", time()-360000);
will do the job. Please note that username should be in double quotes ("username"), otherwise it will not refer to a cookie name.
So your code in logout will be like below:
<?php
session_start();
setcookie("username", "", time()-3600); // expiry in the past makes the browser drop the cookie
header("Location: home.php");
exit; // header() does not end the script; stop here so nothing else is sent
?>
When the user logs in and is validated you need to set a cookie for them and then redirect them to your authenticated URL.
You also need to check your cookie at the start of each page in your authenticated area, like the following:
<?php
session_start();
if (!isset($_COOKIE["username"])) {
header("Location: home.php");
exit; // stop before any of the protected page is output
}
?>
Hope this helps.
Here is another sample of setting, using and deleting cookies
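A complete logout page, added here as an example and not part of the answer above. It goes beyond the answer's cookie deletion: it also clears the server-side session data, expires the PHP session cookie with the same attributes it was issued with (otherwise the browser keeps sending the old id), and stops the script after the redirect. The cookie name username, the $_SESSION['login'] flag and home.php are taken from the question; everything else is assumed.

```php
<?php
// logout.php: full session teardown (added example, not the answer's code).
// Assumes login set $_SESSION['login'] and a "username" cookie, as in the question.
declare(strict_types=1);

session_start();

// 1. Drop every server-side value stored for this session, including 'login'.
$_SESSION = [];

// 2. Expire the session cookie in the browser. The attributes must match the ones
//    used when it was set, or the browser treats this as a different cookie and
//    keeps the original. Requires PHP 7.3+ for the options-array form of setcookie().
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}

// 3. Expire the application's own "username" cookie. The name must be a quoted
//    string: a bare username, as in the question, is an undefined constant.
setcookie('username', '', time() - 42000, '/');

// 4. Destroy the server-side session record so the old id cannot be resumed.
session_destroy();

// 5. Tell the browser not to cache this response, redirect, and stop. header()
//    does not end the script; anything after it would still run and be sent.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Location: home.php');
exit;
```

The order matters: session_destroy() must run before the script ends, not after header() without an exit as in the question, and the session cookie is expired separately because session_destroy() only removes the server-side data.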

Related

how to redirect back to log in page when the session has been ended in php?

Like when you log out, it redirects automatically to the login page.
When I use this code
it just says "this page isn't working localhost redirected to many times".
Set the session and a session variable after the user logs in successfully. If the user clicks log out, then unset the session variable or destroy the session.
Login-check page:
session_start();
$_SESSION['login']=true;
header("location:dashbord.php");
exit; // stop the script after sending the redirect
Log-out page:
session_start();
unset($_SESSION['login']);
if(!isset($_SESSION['login']) && empty($_SESSION['login'])){
header("location:index.php");
die;
}

How to end all session when logout

This is my PHP code to end the session, but when I click the back button it still goes back to my previous page.
<?php
session_start();
if(session_destroy()) // destroy all data registered to the session
{
header("Location: login.php"); // redirect to the login page
exit;
}
?>
Really you should not be able to view a page if you are not logged in. Just do this at the top of every page.
<?php
session_start();
// check some value that lets you know if a user is logged in.
if(empty($_SESSION['user_id'])){
header("Location: login.php");
exit; // stop here so the protected content is never sent
}
The redirect will happen even if your site is cached.
Take a look here: http://php.net/manual/en/function.session-destroy.php
This just deletes all data within the session but not the session itself. You also have to delete the session id and the session cookie (setcookie()).

PHP method to hide link until user logged in

I used this to hide links until after the user is logged in, and was just wondering if this will cause any security issues or other issues in production code? I have been testing it and cannot find an issue so far, as the website will not give a session_id until after the user logs on.
if(session_id()){echo ' EWO '...
There is no problem with this code as long as you also put a session check in the file: if the session id is not set then send them back to the home page, because if the user knows the URL then they can navigate to the link.
Make sure to add a function which will redirect the users to the login page as soon as the session gets destroyed, i.e. on logout.
Also, as mentioned by @Saeed Ansari, add some logic to your project so only the login page is rendered when there is no active session or the user is not logged in.
HTH.
Either way, if your solution is to simply 'hide this link' until the user has logged in, this is not constructive code.
You should have a user object or user $_SESSION identifier registered in the session for when the user logs on.
For example: the user logs on, and you set a flag $_SESSION['Username'] = "Bob", where Bob is the user's username.
Then in your code, you could do something along the lines of:
if(array_key_exists('Username', $_SESSION)) { echo ' EWO '; }
Then when a user logs into your site successfully, register their username (at least) in the $_SESSION, i.e.
$_SESSION['Username'] = 'Bob';
It is a good idea to have full control over your session by using session variables, rather than just relying on if a session has an ID.
It is never safe to assume, so I would also recommend (if you haven't done so) checking in the ewo.php file for the same thing: check if the session has a registered Username/etc. and if not redirect, with header('Location: /'); for example, to send the user back to the home page.
You could do it via a session.
If you want to check whether the variable is set in the session (user is logged in), use:
<?php
session_start();
if (isset($_SESSION['username'])) {
echo "Your link here";
} else {
echo "login first";
}
?>

Prevent user from seeing pages that require a session

I've got a login page then I made a link to a page called logout and it contains this code:
logout.php
<?php
session_unset();
session_destroy();
header("Location:");
?>
Yet when I log out and hit the back button it takes me back. How do I change it so that it asks you to log in again before showing you your previous page?
On the page you're going back to (or any page for that matter) you need to do checks to see if the user is logged in or not (i.e. has a valid session) and if not, redirect them to the login page.
Additionally, it might help for you to add some no-caching headers to this particular piece of code.
You have not set any location to redirect to.
Should be:
header("Location:http://example.com/login.php");
This way when you logout, it will redirect the browser to login.php.
EDIT:
Also, it would help to add a session validation condition to your main page.
Something like:
session_start();
if(!isset($_SESSION['username'])) // whatever value your login script stores
{
header("Location:http://example.com/login.php");
exit;
}
Before loading every page (or at least every PRIVATE/RESERVED page) you should check the $_SESSION variable to determine whether the user is legitimately logged in or not.
If you don't perform this check, everybody would be able to visit every page of your website if they have the direct link to it. They may see a broken version of the page, but access is granted nevertheless to users who are not logged in.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>
source: Manual
Try this to check on each page if the user is logged in:
if (empty($_SESSION['logged_in'])) { // you would have to set $_SESSION['logged_in'] when they log in
header('location: login.php');
exit;
}
All this does is say: if $_SESSION['logged_in'] is NOT set, redirect them to the login page.
You would also need other checks to make it secure.

Code to forward browser if user is not logged in (checking if session variable isset) is not firing

I am trying to set all of my pages to forward to the login screen if the user is not logged in using session data, however it is not working. When a user clicks the links it just continues to the new link as opposed to being forwarded to the login page. I know the session data is cleared so that is not the issue.
Here's the relevant Code:
Page Headers:
<?php
session_start();
if(!isset($_SESSION['answer']))
{
header('Location: /?login');
exit;
}?>
Login Session Declaration:
$answer = mssql_fetch_array($res);
$_SESSION['answer']=$answer[0];
Logout:
<?php
session_start();
session_destroy();
if(!isset($_SESSION['answer']))
{
header('Location: /?login');
exit;
}
?>
session_destroy doesn't unset any global variables.
If you need to redirect unconditionally right after session destroy, just remove the isset; you don't need it.
In response on how to do this on every other page:
I use a require at the beginning of every secured PHP page on my site. I call it "auth.php". If the user is not logged in (checked via a session variable), auth.php redirects them to the login page.
If you have a header, this is a great place to put it (if it's only included in the secured section, which mine is).
My logout page destroys the session and sends them to the login page.
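An auth.php include of the kind described in this answer and in the "Prevent user from seeing pages that require a session" thread above, written as an added example (it is not the answerer's file). The guard sends no-cache headers so the back button re-requests the page instead of showing a cached copy, checks an explicit login flag rather than session_id(), and exits after the redirect; the login helper regenerates the session id on success so an id obtained before login cannot be reused. The file names login.php and dashboard.php, the $_SESSION['login'] and $_SESSION['username'] keys, the function names and the sample user store are all assumptions.

```php
<?php
// auth.php: session guard and login helper (added example, not code from the thread).
// Assumed usage: a protected page runs `require 'auth.php'; require_login();` before
// any output, and the login form handler calls attempt_login().
declare(strict_types=1);

/** Stop the browser keeping a copy of a private page, so Back after logout
 *  re-requests it and runs the guard instead of showing the cached version. */
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

/** Call at the top of every protected page, before any output. */
function require_login(string $login_page = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_no_cache_headers();
    // Strict comparison against the exact flag set at login. session_id() alone
    // proves nothing: session_start() gives every visitor an id, logged in or not.
    if (($_SESSION['login'] ?? false) !== true) {
        header('Location: ' . $login_page);
        exit; // header() does not end the script; without exit the private body is still sent
    }
}

/** Verify credentials and, on success, mark the session as logged in.
 *  $users maps username => password_hash() output. */
function attempt_login(string $username, string $password, array $users): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // New session id on privilege change, so an id handed out (or planted) before
    // login is useless afterwards; true deletes the old session record as well.
    session_regenerate_id(true);
    $_SESSION['login']    = true;
    $_SESSION['username'] = $username;
    return true;
}

// Usage in login.php (constructed credential store, assumed file names):
//     $users = ['bob' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
//     if (attempt_login($_POST['username'] ?? '', $_POST['password'] ?? '', $users)) {
//         header('Location: dashboard.php');
//         exit;
//     }
//     http_response_code(401);
//     echo 'login first';
```

Paired with the logout page earlier on this page, this gives both halves of the problem the threads keep running into: the guard decides access on the server for every request, and the logout removes everything the guard would accept.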
