1

I'm using the code below to log users in. When the new session is created they are redirected to a new page, content.php. I wonder what's the best way/the proper way to destroy the session and log out the users, redirecting them back to index.php.

<?php
if (isset($_REQUEST['signin'])){

    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
    $result = mysql_query($query) or die(mysql_error());
    $count = mysql_num_rows($result);

    if ($count == 1){
        $_SESSION['username'] = $username;
        header('Location: content.php');
    }
    else{
        echo "Invalid Login Credentials.";
    }
}
if (isset($_SESSION['username'])){
    $username = $_SESSION['username'];
    header('Location: content.php');
}
?>


<form method="post" name="login">
        <?php
        // logical AND, not the bitwise & operator
        if (isset($msg) && !empty($msg)) {
            echo $msg;
        }
        ?>
        <label for="username">Username:</label><br>
        <input type="text" name="username"><br>
        <label for="password">Password:</label><br>
        <input type="password" name="password"><br>
        <button type="submit" name="signin">Sign in</button>
</form>

I know that there are flaws in this script (e.g. not encrypted password), but for now I'm looking for a simple script to log out.

kojiro
dirigibleplum
  • It seems like the theme of today but using `mysql_*` is deprecated and will be removed soon. Please start using [`PDO`](http://php.net/pdo). PS you are also susceptible to [SQL Injects](http://bobby-tables.com/) – 13ruce1337 Mar 21 '14 at 22:45
  • Or using MySQLi. I personally prefer MySQLi, but PDO is also an option. – Spencer D Mar 21 '14 at 23:09

5 Answers

1
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header("Location: index.php"); exit;
nettux
1

First things first you need to sanitize your inputs so

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

Now, as for clearing a session. Your logout script should use unset:

unset($_SESSION['username']);
unset($_SESSION['password']);
Victory
1

The best and most simple way to log out a user is to destroy the whole session or unset the necessary session keys.

session_destroy();
// or...
unset($_SESSION['username']);

header('Location: index.php');

I prefer the unset because you might want to store more data in the session array.

Jordi Kroon
  • should I have a separate file for that? something like logout.php ? – dirigibleplum Mar 21 '14 at 22:49
  • That's your own choice. Remember to always start the session by session_start() before you call session functions. – Jordi Kroon Mar 21 '14 at 22:51
  • i have included a separate connection.php file, where I have session_start(); is it ok to place it there? – dirigibleplum Mar 21 '14 at 22:54
  • Having session_start() in another php file is fine as long as you include that php file in every file that you need to access php variables for or you call session_start in the php files that you don't include "connection.php" to. – Spencer D Mar 21 '14 at 23:07
  • You should always ask yourself, do I need this variable e.g. To say goodbye username... Yes, add it. No, don't. – Jordi Kroon Mar 22 '14 at 00:29
0

First of all, please check your query variables before you query, otherwise you run the risk of SQL injection.

Next, when you set up a session, you must call session_start(); at the top of your script to utilize the session.

Finally, to log the user out, you simply call session_destroy(); and the existing session is destroyed.

I have rewritten your code a little:

<?php 
session_start();
if (isset($_REQUEST['signin'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql_connection = new mysqli("dbHost", "dbUsername", "dbPassword", "dbName");
    if($sql_connection->connect_errno){
        die("db error");
    }
    $username = $sql_connection->real_escape_string($username);
    $password = $sql_connection->real_escape_string($password);
    $query = "SELECT * FROM `user` WHERE username='$username' and password='$password' LIMIT 1;";
    $result = $sql_connection->query($query) or die("db error");
    $count = $result->num_rows;

    if ($count == 1){
        $_SESSION['username'] = $username;
        header('Location: content.php');
        die();
    }else{
        echo "Invalid Login Credentials.";
    }
}elseif(isset($_SESSION['username'])){
    $username = $_SESSION['username'];
    header('Location: content.php');
    die();
}
?>
<form method="post" name="login">
        <?php
        // logical AND, not the bitwise & operator
        if (isset($msg) && !empty($msg)) {
            echo $msg;
        }
        ?>
        <label for="username">Username:</label><br>
        <input type="text" name="username"><br>
        <label for="password">Password:</label><br>
        <input type="password" name="password"><br>
        <button type="submit" name="signin">Sign in</button>
</form>

This uses MySQLi instead of MySQL due to the impending removal. It also escapes the input and sets up the session.

Spencer D
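The same login/logout pair rebuilt on PDO prepared statements, as the comments on the question suggest, with password_verify() in place of the plaintext comparison and the full session teardown from the accepted-style answers above. This is an added example, not code from any of the answers; the DSN, credentials, the `password_hash` column and the file names are assumptions.

```php
<?php
// login.php (added example; DSN, credentials and the `password_hash` column are assumed)
session_start();

function authenticate(PDO $db, string $username, string $password): bool {
    // Prepared statement: the username travels as a bound parameter, never in the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM `user` WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Hashes are created with password_hash() at registration; compare with password_verify().
    return $row !== false && password_verify($password, $row['password_hash']);
}

function logout(): void {
    // Clear session data, expire the client cookie, then drop the server-side record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Logout only on POST so a plain link or image tag cannot end the session.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    logout();
}

if (isset($_POST['signin'])) {
    $db = new PDO('mysql:host=dbHost;dbname=dbName;charset=utf8mb4', 'dbUsername', 'dbPassword', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    if (authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        // Fresh session id on login so an id issued before authentication cannot be reused.
        session_regenerate_id(true);
        $_SESSION['username'] = $_POST['username'];
        header('Location: content.php');
        exit;
    }
    echo 'Invalid Login Credentials.';
} elseif (isset($_SESSION['username'])) {
    header('Location: content.php');
    exit;
}
```

A separate logout.php can simply call session_start() and then logout(); the exit after each header() is what keeps the rest of the page from running after the redirect is sent.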
0
<?php
if (!isset($_SESSION)) { session_start(); }

$_SESSION = array();

session_destroy();

header("Location: login"); // login.php if you haven't set up your .htaccess to drop the .php extension
exit();
?>
UniDoX
  • Thanks for the contribution. Code-only answers are flagged as low-quality; future visitors would surely appreciate a brief explanation of how this works and why it's a good solution to the problem. – ggorlen Oct 11 '20 at 02:20