I do the following to set my session. This works because the echo appears, but when I go to the next page or another, the session is not there. What am I doing wrong?
session_start();
if ($username==$dbusername&&$password==$dbpassword)
{
echo"<b>Login Successful</b><br><a href='systemadmin.html'><br>Click here to access the <strong>System Admin Page</strong></a>";
$_session['username']=$dbusername;
if($username == "admin")
{
$_session['admin'] = true;
}
I am trying to get the following to work with these sessions:
<?php
session_start();
if($_session['admin'] == true)
{
// do nothing
}else{
header( 'Location: home.html' ) ;
}
?>
Update:
The uppercase sessions work, but now the sessions aren't destroying when I use the logout.php:
<?php
session_start();
session_destroy();
header("location: home.html");
?>
$_session should be => $_SESSION.
http://php.net/manual/en/reserved.variables.session.php
The first works because you are setting a 'normal' variable (which is available for the request).
UPDATE
To destroy the session:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
http://php.net/manual/en/function.session-destroy.php#example-4368
Additionally, you should always use exit(); after you do a redirect to prevent further execution of the script.
PHP Server/Session/Global variables are case sensitive. To PHP, $_SESSION is NOT the same variable as $_session, even though to you in English, they seem to be. You must use $_SESSION, not $_session in order to access the PHP Session variables as you are expecting.
You have to use exit(); after the header(); because the script doesn't always end right after the user redirects to a new page.
The name of the superglobal is $_SESSION in uppercase letters. Try changing that and see if it helps.
Related
I have done a memberpage using an external interface to check if the user is allowed to login to the memberpage. The code looks like this
<?php
require (__DIR__ .'/Permission/checkUser.php');
if (isset($_POST['submit'])){
session_start();
$errors = array();
if (empty ($_POST ['user']) ||
empty ($_POST ['password'])) {
$errors[] = 'Användarnamn och passord får inte vara tomt';
}
$checkuser = new checkUser();
if ($checkuser->checkUser($_POST ['user'], $_POST ['password']) == false){
$errors[] = 'Kontrollera user och lösenord';
}
if (count($errors) == 0) {
$_SESSION['userid'] = md5(microtime());
$_SESSION['start'] = time();
wp_redirect( get_permalink( 18341 ) );
die;
}
}
?>
If a successful result from the SOAP call is returned, the user is redirected to the memberpage. The code for the memberpage is as follows:
<?php
require_once 'sessioncheck.php';
get_header();
$container = get_theme_mod( 'understrap_container_type' );
?>
After performing the check, the HTML presents the memberpage content.
The sessioncheck.php has the following code:
<?php
session_start();
if (!isset($_SESSION['userid'])){
//session does not exist send back to loginpage
header('Location: memberLogin');
exit; // stop the script so the protected page is not rendered
}
if (isset($_SESSION['start']) && (time() - $_SESSION['start'] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
header('Location: memberLogin');
exit; // stop the script after the redirect
}
?>
It is supposed to unset and destroy the session if 30 minutes have passed.
My problem is that sometimes, often after a session has expired, the redirect in the first code does not work. It's actually not even trying to load the memberpage. I first thought I had some problems with the session variables, but now I think there might be some garbage from the session that causes this problem. It seems to be intermittent, but I have asked others to test the page (using the right cred) and they always seem to be able to log in on their first attempt, to fail later on.
What am I doing wrong? Using PHP 7.4 with the latest WP core.
EDIT:
Added the following code to clean up sessions and cookie
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
Now everything works fine when I am logged in as an adminuser in wordpress. However, as soon as I log out it stops working. However, the session is saved and if I log in again at WP, then I am able to enter the memberpage without doing the login procedure. I updated the page in WP (memberpage) and it worked again. This is all confusing me right now... :(
Solved: clearing the session cookie and purging the cache solved the issue. I needed to exclude the memberpage from the cache. It didn't work with LiteSpeed cache.
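A session gate along the lines discussed in this thread, as an added example that is not the poster's code: it stops the script after each redirect, measures the 30 minutes from the last request rather than from login, and marks the page as not cacheable. The `last_seen` session key and the function names are assumptions introduced here.

```php
<?php
// sessioncheck.php -- added example; require_once it before any output is sent.
const IDLE_LIMIT = 1800;            // 30 minutes, as in the question
const LOGIN_URL  = 'memberLogin';   // redirect target used in the question

// Pure policy check: returns 'ok', 'anonymous' or 'expired'.
function member_state(array $session, int $now, int $limit = IDLE_LIMIT): string
{
    if (!isset($session['userid'])) {
        return 'anonymous';
    }
    // 'last_seen' is a hypothetical key; fall back to the login time.
    $last = $session['last_seen'] ?? $session['start'] ?? 0;
    return ($now - $last > $limit) ? 'expired' : 'ok';
}

function require_member(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask browsers and intermediary caches not to store this per-user page.
    // A server-side page cache may still need the page excluded explicitly.
    header('Cache-Control: no-store, private');

    $state = member_state($_SESSION, time());
    if ($state === 'expired') {
        session_unset();    // clear $_SESSION for this request
        session_destroy();  // remove the stored session data
    }
    if ($state !== 'ok') {
        header('Location: ' . LOGIN_URL);
        exit; // stop here, otherwise the member page keeps rendering
    }
    $_SESSION['last_seen'] = time(); // sliding window, refreshed per request
}

// Constructed inputs for a command-line run: php sessioncheck.php
if (PHP_SAPI === 'cli') {
    $now = 1700000000; // constructed timestamp
    foreach ([[], ['userid' => 'x', 'start' => $now - 1801],
              ['userid' => 'x', 'start' => $now - 7200, 'last_seen' => $now - 60]] as $s) {
        echo member_state($s, $now), "\n";
    }
} else {
    require_member();
}
```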
I am trying to destroy a session when a session is selected but it is not being destroyed:
if (isset($_POST['primary_cat'])) {
$_SESSION['primary_cat'] = $_POST['primary_cat'];
unset($_SESSION['secondary_cat']);
}elseif(empty($_SESSION['primary_cat'])) {//define primary_cat
$_SESSION['primary_cat'] = null;
}
When I change $_POST['primary_cat'] this is changed, but $_SESSION['secondary_cat'] is not being destroyed. How can I destroy $_SESSION['secondary_cat']?
This is how I completely destroy the one and only session I have:
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params["path"],$params["domain"], $params["secure"], $params["httponly"]);
echo " Zerstöre Cookie... ";
}
#session_unset();
#session_destroy();
Maybe it helps you to adapt your code for your specific session.
if (isset($_POST['primary_cat'])) {
$_SESSION['primary_cat'] = $_POST['primary_cat'];
unset($_SESSION['secondary_cat']);
} elseif (empty($_SESSION['primary_cat'])) {//define primary_cat
$_SESSION['primary_cat'] = null;
}
You should try these instead:
if (isset($_POST['primary_cat'])) {
session_destroy();
$_SESSION['primary_cat'] = $_POST['primary_cat'];
} else if (!$_SESSION['primary_cat']) {
//your business
}
An explanation to that: on clicking or selecting "primary_cat" it should run that block of code, else it won't run that code, and if it does, session_destroy(); destroys the active session and the line below creates a new session due to your specifications.
Your code seems OK; the problem might be from your browser.
Make sure the session is started. If it's still not destroyed, then close your browser and restart Apache.
But also make sure you are not setting $_SESSION['secondary_cat'] somewhere else in your code.
To be sure, do the following after unsetting $_SESSION['secondary_cat']:
if(isset($_SESSION['secondary_cat'])){
echo '<script type="text/javascript">alert("the session still has value : '.$_SESSION['secondary_cat'].'");</script>';
}
else
echo '<script type="text/javascript">alert("session has been unset");</script>';
The above will display a javascript alert showing "the session still has value : thevalue" if the session was not unset or "session has been unset" if it really has been unset
hope this helps
try this...
if(isset($_SESSION['secondary_cat'])&&!empty($_SESSION['secondary_cat'])){
unset($_SESSION['secondary_cat']);
}
I have a form that includes SS numbers. I have done all the security/injections, spamming and validation stuff, as it is not included in the question.
Basically, I want to destroy session data after the form emails both the user and the agent, and wipe the server clean afterward.
Do I do this like this on the final page of the form?
Notes:
On page 1, the user will input all the data.
Page 2 uses the session to input the data into a confirmation page where the user hits the submit button, and the mailer mails the info and takes them to page 3, the success page.
Technically, once the data gets to page 2 I don't need the session anymore.
<form id="form_958713" class="appnitro" method="post" action="mailer.php
<?php
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
">
Or do I do it on the mailer itself?
snippet:
// gives success or error
if(!$mail->Send()) {
echo 'Message could not be sent.';
exit;
}
echo '
<meta http-equiv="refresh" content="0;url=http://www.website.com/GetaQuoteSuccess.php">
';
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
What is the best method/place to put the code to wipe the session?
Destroying the session is a very bad idea. In this site these 2 pages may be the only place you use $_SESSION but normally it is used for many things.
Instead try this concept :-
Form1.php ( the form that captures data from the user )
just posts data to form2.php
Form2.php
<?php
session_start();
// validate $_POST of course, and once valid
$_SESSION['post_data'] = $_POST;
// other code
header('Location: form3.php');
exit;
?>
Form3.php
<?php
session_start();
// use $_SESSION['post_data']['field1'] etc however you want
. . .
// at end of script if you no longer want this data
unset($_SESSION['post_data']);
// the post-data array will no longer exists in $_SESSION
// **But other data in $_SESSION is still there**
Oh, but don't use unset($_SESSION); there be dragons.
If you really need to destroy the whole session, then do it at the end of the main script.
I'm trying to make a simple logout script for my site, but for some reason, I can't kill this cookie. I was able to kill another cookie which I named "fontCookie" but this default-named one won't go away. What could be causing this issue? This is what I have, and I repeat, fontCookie is being destroyed:
<?php
session_start();
if(isset($_SESSION["loggedin"])){
$_SESSION = array();
if(isset($_COOKIE['fontCookie'])){
setcookie('fontCookie', '', time() -42000);
}
if ( isset( $_COOKIE[session_name()] ) ){
setcookie( session_name(), '', time()-42000);
}
session_destroy();
header('Location: http://google.com');
}
else{
header('Location: http://google.com');
}
?>
It seems you need to call session_name() before session_start()
The session name is reset to the default value stored in session.name
at request startup time. Thus, you need to call session_name() for
every request (and before session_start() or session_register() are
called). refer here
Try deleting cookie like this.
setcookie('fontCookie', '', time() -42000);
$_COOKIE["fontCookie"] = null;
unset($_COOKIE["fontCookie"] );
In case somebody knows, how can I make a hyperlink in PHP...
<?php
echo( 'Log-out' );
?>
that would not only navigate to the first page, but also remove cookies?
Thanks!
You can make another page which clears all the cookies (i.e. sets them to expire in the past) and then redirects to index.php:
// page: clear.php
<?php
session_start();
$_SESSION = array();
session_destroy();
setcookie('cookie1', '', strtotime('-2 days'));
setcookie('cookie2', '', strtotime('-2 days'));
// etc.
header('Location: index.php');
exit();
I usually use the method prescribed by the manual:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
The only thing that remains is header('Location: index.php');
Submit a parameter in your link like index.php?logout=true, check for that parameter in your index.php and if set, delete cookies:
http://php.net/manual/de/function.setcookie.php
If you set the "lifetime" (expire) of a cookie to something in the past (or leave it out completely), it will be removed on the next pageload (do a Google search for "php delete cookie" to find help). Force a page reload, if needed.
You may also want to destroy the user's session.
Here's your HTML link
Log-out
And your PHP to handle logging out
if(isset($_GET['logout'])) {
// clear the session variable, display logged out message
}
Use a link like that:
<?php
echo( 'Log-out' );
?>
And index.php is:
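<?php
session_start(); // a session must be active before it can be destroyed
$link = isset($_GET["link"]) ? $_GET["link"] : "";
if($link == "logout")
{
session_destroy();
}
?>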
In the navigation menu:
Log out
In logout.php:
<?php
// kill the session
header('Location: index.php');
exit();
For killing the session, see the example at session_destroy() in the PHP manual.
Logout Link:
Log Out
logout.php
<?php
session_start();
session_destroy();
?>
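The answers above trigger the logout from a plain link, which any page loaded in the browser can request on the user's behalf. As an added example (not code from any answer here), this logout.php acts only on a POST carrying a per-session token and deletes the session cookie with its original parameters; the `logout_token` session key and the `token` field name are assumptions.

```php
<?php
// logout.php -- added example. The menu posts a form to this script instead of
// linking to it; the form carries a hidden "token" field set to logout_token().

// Per-session token for the logout form, created on first use.
function logout_token(array &$session): string
{
    if (empty($session['logout_token'])) {
        $session['logout_token'] = bin2hex(random_bytes(32));
    }
    return $session['logout_token'];
}

// True only for a POST that carries the token stored in this session.
function logout_allowed(string $method, array $post, array $session): bool
{
    $expected = $session['logout_token'] ?? '';
    $given    = $post['token'] ?? '';
    return $method === 'POST' && is_string($given) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $given);
}

function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Path and domain must match the original cookie, or the browser keeps it.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: a bare GET, then a POST with the right token.
    $s = [];
    $t = logout_token($s);
    var_dump(logout_allowed('GET', [], $s), logout_allowed('POST', ['token' => $t], $s));
} else {
    session_start();
    if (logout_allowed($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
        end_session();
    }
    header('Location: index.php');
    exit;
}
```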