when a user logouts from my web site they are logged out but on the logout page there username and the log out link and profile link are still visible on the logout page but not on any other pages.
All I want to know is how do I change the logout page so that the log out and proflie links and username are not displayed like the rest of the pages.
I'm using the same file where the links and username are displayed for every web page so what is the problem with the logout page?
Please leave a code sample to solve this problem if possible?
If you’re using a session based authentication, make sure that you reset the $_SESSION variable as session_destroy does not do that. So:
session_destroy();
$_SESSION = array();
I can only guess that your logic goes something like:
Display page header including logo, logout button and links;
Process the logout request.
I'm assuming that (1) will do things like display the right links and the username (if logged in). The point is that you're doing checks on being logged in before you log the user out. If so, just change the order:
Logout the user;
Display the page header, etc.
But it's hard to say definitively because I'm guessing at your page structure.
it sounds like you include the code that displays the logout and profile links before you actually do the processing to log the user out. try seeing if you can rearrange the execution of your code so the include comes after youve already logged the user out.
<?php
session_start();
$_SESSION = array();
session_unset();
session_destroy();
header('login.php')
?>
Maybe you can try my method
You can try things as per other answers ..
Or just create a logout.php .. which doesn't output anything so you just start the session, destroy all of the session or the required keys and then redirect the user to a logout_done.php which outputs, something like, You have been successfully logged out blah blah ..
Related
I have recently started web development on my WAMP server and was trying to build a simple login page using php and MySQL. What I simply did was on successful authentication I redirected the user to a new page using : header("Location: locahost/redirect.php"); in my php script.
redirect.php is a simple page which shows that you have successfully logged in.
What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only the user who have been authenticated can visit the page...just like it works on facebook and other websites, we cannot enter into someone's profile by just typing a URL in our address bar.
It is called URL Manipulation.
Validate the information like session in the profile page.
+
do NOT use header('Location: ...') without exit; after it. Always do exit after redirect.
header("Location: locahost/redirect.php");
exit;
Otherwise it'll load the page content and redirects. If somebody avoid the redirect he can see page contents there.
Well, you could add create a Cookie if a user was logged in successfully.
(and maybe set the value to an md5 hash of the date, username and password for example, and also write that to your database so you can check later of somebody "cheated" that Cookie or not)
Then on your redict.php you just have to look if that Cookie exists (and maybe check the value with your database?).
Also if you set your cookie expire value you can control if the user should be logged in only in that session or for example a full month.
I'm sorry I have not done that before, but maybe I could help you with that idea
You can make a PHP code inside the redirect.php page, and make a conditional statement:
If the user is logged in, keep him in the page.
If the user is not logged in, redirect him to the login page.
You have to add this function to redirect.php
function logged_in(){
return (isset($_SESSION['user_id'])) ? true :false;
}
Then add this
if (logged_in()===false){
header('Location: whateverpageyouwant.php');
exit();
}
You can create session on successfully authentication and check this on redirect.php page.
If you dont find session on this page then redirect user back to the login page.
In this way you can restrict direct access to the redirect.php page
Thanks
I am still new in session
Is it good to wipe $_SESSION before using it?
example:
$_SESSION = array();
$_SESSION['id'] = 1;
$_SESSION['name'] = 'Someone';
I am asking opinion from you guys.
Because I don't have many experience in session.
In my awkward logic,
Maybe I will forgot to logout from admin session
and login to member session
So maybe some $_SESSION value from admin will still in $_SESSION array
Additional:
1. I was admin user and not logout yet from admin page.
2. Now I go from admin page to member login page
What should I do here?
Kick admin to the admin page because he is not member?
Nope. In fact, its really bad and your example code will render your sessions useless.
When you call session_start() you are either given an empty $_SESSION or you get back the data you saved to $_SESSION on a previous page load. For more information on sessions check out the PHP docs:
http://php.net/manual/en/book.session.php
http://php.net/manual/en/function.session-start.php
About logging in and out: Your logout process has to destroy whatever session data identifies the user (probably their ID). Typically this is done by using unset, i.e. unset($_SESSION['user_id']).
I can't imagine any other way to log out a user, maybe if you provided more information I could give you a better answer about this.
Regarding your addition it looks like your authentication system could use some work. You shouldn't be able to get to a login page when you are already logged in (even as admin, since its just another user with higher privileges, right?). If you manually type in the login url after you're logged in, then it should redirect you to the homepage.
Here's Fantastic write-up on this topic, I shoulda done some research! Thanks #HamZa
The definitive guide to form-based website authentication
And here's my super basic pseudo code auth process:
Does current page require authentication
Yes:
Is the user logged in?
Yes:
Does the user have the correct privilages to view the page?
Yes:
AUTHENTICATED! Show page
No:
Print a message that says something like, "You're in the wrong place amigo"
No:
Redirect to login
No:
Show the page
I am currently working on developing a simple web system, so an user first will be directed to a login page, then a processing page. If its account data provided is correct, it will be directed to the main page, so it can carry out some actions, at last it can logout.
So what I want to ask is: how can I prevent user to access the processing, main or logout page before they login, I mean, if I do not limit it, the login action is by some means useless. I am using wamp to develop the web system.
I have considered making use of the session variable, however, I have no idea how to check the value of the variable. If I start a session at the login page, so if I skip the login page but directed go to the main page, do I have those session variable present in the main page?
1) Add session_start(); at the top of the php page to initialize sessions.
2) Add if statement
if($_SESSION['logged_in'] == 1) { ..show page.. } else { show login page }
3) Create a login form which validates data, if data is correct then it adds $_SESSION['logged_in'] = 1; and redirects to profile page with logout button.
That's all :)!
I suggest that you check some tutorials, since it will give you some more information how to do that - http://www.intechgrity.com/create-login-admin-logout-page-in-php-w/ or any other link via google - "How to create login/logout functions with SESSIONS".
About your question, in each page you will put session_start(); at the start of the file, they will have all sessions you have specified for user.
EDIT:
Added few useful links -
http://www.php.net/manual/en/book.session.php
http://www.tizag.com/phpT/phpsessions.php/
http://www.w3schools.com/php/php_sessions.asp
well,this is what i will do. Check with an if statement if a session variable that holds, for example, the username from the login page exists, then if it doesn't show an error 404 page, or redirect the user to any error page...you might want to create that yourself anyway (so that it redirects them back to the login page).
<?
session_start();
if(!$_SESSION['username']){
header("Location: HTTP/1.1 404 File Not Found", 404);
exit;}
?>
You could also create a new file and place this code there so that you call it on everypage that will require a user to login before accessing it....
but try to access non login page for the first time then you will be redirected to login page then try to access the same non login page for the second time you'll have the access already even you didn't log-in.
I'm creating a website and I'd like to prevent the user from logging in twice. How would I do that?
Sorry for not being specific. I meant that I don't want to show the login page once the user has logged in. It looks like the answer about using the $_SESSION is the best option.
I'm using PHP by the way.
You will have to use the session eg $_SESSION. Store user info first on logon and then check if that is set and redirect him to some other page you like like profile, panel or even home page.
See the manual for more information:
http://php.net/manual/en/features.sessions.php
On your login page put a bit of logic that detects if they are logged in. If so, redirect them to their profile page or wherever else you want them to go.
Im not exactly sure how you would do that, but you would have to restrict logins to 1 for every ip address. Is that what you are asking? Please be more clear about what you are trying to ask
What language are you using?
I would create a cookie for the user or set a session if php, then you can just check if the session is set in the header of each page.
Create two cookie one for logged in and other for redirection . use session to find the user login activity ..if user try's for the index.php redirect him to home.php or anyother page
Yes use the isset session feature to check if the user is logged in. If they are logged in then use a header location redirect to redirect the user to whatever page you want them to view.
if(isset($_SESSION['username']) && isset($_SESSION['password'])){
header("Location: members.php");
}
Here is an example of how to do it with sessions using DALMP - Database Abstraction Layer for MySQL using PHP
I use PHP sessions with session_start() to maintain state of which user is logged into my site. This works fine by just calling session_start() and the top of all my files once the user is logged in.
However, I'd like to have it so when they click the site's icon in the menu bar, if they are logged in it won't send them to the homepage but rather to their logged in personal page. However, a simple session_start() to recognize the user is logged in and redirect them at the top of the homepage does not work.
None of the session variables are recognized from the home page. Yet the session is not actually killed - I can go back in the history and am still logged into the site. Would there be a reason the homepage should give different behavior than every other page?
No, it shouldn't be different.
In order to see what variables are available in your $_SESSION, you can do this
var_dump($_SESSION);
If it's empty then there is a problem. You can try to see the session_id with the method
echo session_id();
It should be the same session_id in both your logged page and home page. If this is not the case, maybe you are messing up with cookies?
Make sure that session_start() is only being called once. If you call it twice, it could interfere with the session handling. I would recommend that you call session_start() on every page the user can be logged in on (frankly I see no reason not to call it on every page period, but someone please correct me if this is bad) but only once. At that point, you can check the _SESSION and see if the user's logged in key is set. If so, redirect them.
if u are calling session_start() on each page and you don't know that a session is already strated in your include/require pages then use # like this #session_start()
note: although this is not good practice to use #
to send a user to their personal page rather than home page
..u need to develop a logic and also personal page will be based on user id of logged user.On home page something like below
home.php(raw code)
<?php if(!empty($_SESSION['user_id'])) {
header("Location : personal_page.php?id=".$_SESSION['user_id']);
exit();
} else {
//your page code
}
?>
for login via history pages problem:
you create a logout.php to end user session, do not forget to start the session in this page!, using session_start() at the very begging of your script. Thus,
session_start();
session_unset();
session_destroy();
will be the right sequence to end a user's session.
reference
Happy To Help :)