
I have created a user authentication system with necessary DB tables and php.

The first time, before I log in (before any SESSION is created), the redirect on every page works perfectly (i.e. it redirects to the login page if not logged in).

But once I log in with a user and then log out, the same doesn't work. I think it might be a problem with not ending the SESSION (sorry if I am wrong).

Here are some pieces of the code on each page.

Login PHP

    <?php
    session_start();
    $message="";
    if(count($_POST)>0) 
    {
        include('config.php');
        echo $_POST['username'];
        $result = mysql_query("SELECT * FROM members WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
        $row  = mysql_fetch_array($result);
        if(is_array($row)) 
        {
            $_SESSION["id"] = $row[ID];
            $_SESSION["username"] = $row[username];
            $_SESSION["password"] = $row[password];
            $_SESSION["mname"] = $row[mname];
            $_SESSION["fname"] = $row[fname];
            date_default_timezone_set("Asia/Calcutta");
            $lastlog=date("d/m/Y");
            $logtime=date("h:i a");
            $query = "UPDATE `members` SET `lastlogin`='$lastlog',`logintime`='$logtime' WHERE `ID`='$row[ID]'"; 
            mysql_query($query);
            $_SESSION['logged'] = TRUE; 
        } 
        else 
        {
            echo "<SCRIPT>
            alert('Wrong Username/Password or Awaiting Approval');
            </SCRIPT>";
            header("Location:login_failed.html");
        }
    }
    if(isset($_SESSION["id"])) {
        header("Location:member/myprofile.php");
    }
    ?>

PHP code on every page

    <?php
    session_start();
    include('config.php');
    if(!$_SESSION['logged'])
    {
        header("Location: ../login.html");
        exit;
    } ?>

And finally the logout

    <?php
    session_start();
    unset($_SESSION["id"]);
    unset($_SESSION["username"]);
    unset($_SESSION["password"]);
    unset($_SESSION["mname"]);
    unset($_SESSION["fname"]);
    header("Location:../login.html");
    ?>

Is there any problem with my code? Am I missing something? I couldn't get it right. Please help.

Thanks guys, got it solved.

Now can you tell me how I can redirect login.php to the user home page (myprofile.php) in case the user is logged in (session exists), like Facebook, Gmail etc.

Sharan Mohandas

4 Answers


Instead of calling unset() on each session var, you can simply use session_destroy(), which will destroy all of the current session data.

    session_start();
    session_destroy();
    header("Location:../login.html");

For complete destructive power, you might also want to kill the session cookie:

    setcookie(session_name(), '', 1);

See this question for a more complete example of session logout.

Mark Miller
  • Thank you, problem solved. :-) How can I redirect login.php to the user home page (myprofile.php) in case the user is logged in (session exists), like Facebook, Gmail etc. – Sharan Mohandas Jun 25 '14 at 05:07
  • @user3765203 At the top of `login.php`, below `session_start()`, put `if(isset($_SESSION['logged'])) header('Location: myprofile.php')` or something to that effect. Better yet, in the code `on every page`, add `else header('Location: myprofile');` – Mark Miller Jun 25 '14 at 05:12
  • OK, fine, I will do that. Currently for login I am using login.html, which then passes values via POST to login.php. So I should change it to a single page login.php for the redirect, shouldn't I? – Sharan Mohandas Jun 25 '14 at 05:19
  • @user3765203 Ya, probably. – Mark Miller Jun 25 '14 at 05:21
  • Sorry if this sounds stupid, but a guy told me I'm prone to SQL injection if I do the entire PHP coding in the login page. He suggested using this method. Is that correct? – Sharan Mohandas Jun 25 '14 at 05:22
  • @user3765203 Yes, you are definitely prone to SQL injection - as it is now, or if you change the file structure. It has nothing to do with where the php code is. It is because you are inserting user input directly into your query. `...WHERE username='" . $_POST["username"] . "'...`. To fix, don't use `mysql_*` functions. Look into using `mysqli` or `pdo`. [Start here](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Mark Miller Jun 25 '14 at 05:28
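A hardened version of the login flow discussed in this thread, as an added example that is neither the asker's nor the answerers' code: it uses a PDO prepared statement instead of string concatenation, checks the password against a password_hash() digest rather than a plaintext column, and handles the "already logged in, go to myprofile.php" redirect asked about above. It assumes the `members` table stores a hashed `password` and that the PDO connection placeholders are replaced with real values.

```php
<?php
// Added example (not the asker's or answerers' code). Assumes the `password`
// column of `members` holds a password_hash() digest and that the PDO
// connection details below are replaced with real ones (placeholders).
declare(strict_types=1);
session_start();

function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes SQL text.
    $stmt = $pdo->prepare(
        'SELECT ID, username, fname, mname, password FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash; there is no plaintext comparison.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Fresh session id on login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['id']       = (int) $row['ID'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['fname']    = $row['fname'];
    $_SESSION['mname']    = $row['mname'];
    $_SESSION['logged']   = true;   // the password (hash) is never put in the session

    date_default_timezone_set('Asia/Calcutta');
    $upd = $pdo->prepare('UPDATE members SET lastlogin = ?, logintime = ? WHERE ID = ?');
    $upd->execute([date('d/m/Y'), date('h:i a'), $row['ID']]);
    return true;
}

// Already logged in: go straight to the profile page (the follow-up question).
if (!empty($_SESSION['logged'])) {
    header('Location: member/myprofile.php');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $ok = attemptLogin($pdo, (string) ($_POST['username'] ?? ''),
                             (string) ($_POST['password'] ?? ''));
    // Redirect only (no echo before header()), and exit so nothing else runs.
    header('Location: ' . ($ok ? 'member/myprofile.php' : 'login_failed.html'));
    exit;
}
```

Existing rows would need their plaintext passwords replaced with `password_hash()` output once before this version is switched on.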

You need to unset $_SESSION['logged'].

Also, you should reference keys in the $row variable with strings, e.g. $row['username'];.

Turning on E_NOTICE level warnings with error_reporting will help you with this.

Scopey

If you haven't already, reset the session login:

    unset($_SESSION['logged']); 

Or just change it to false:

    $_SESSION['logged'] = false;

Apollo


When you are directly hitting a page in the address bar for the first time, it's a new request which goes to the server, and the server checks for an existing session as written in your code. But it's not the same when you are pressing the back button after logout. In this case no request is going to the server; instead the page is fetched from the browser cache. If you want to avoid this situation, then you have to tell the browser explicitly not to store your page in cache memory. For more detail please go through this link.

if-else-switch
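Putting the answers above together, as an added example that is not code from the question or any answer: a logout that clears the whole session (including `logged`), expires the session cookie, and destroys the server-side data, plus a per-page guard that also sends no-cache headers so the back button re-requests the page instead of showing a cached copy. Function names and the `../login.html` target are assumptions taken from the question's layout.

```php
<?php
// Added example (not from the question or the answers). Shows a logout that
// clears everything and a per-page guard that also stops the browser from
// serving a cached copy of a protected page after logout.

// --- logout.php ---
function logout(): void
{
    session_start();
    $_SESSION = [];                       // drop every key, including 'logged'
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie with the same attributes it was set with
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
    header('Location: ../login.html');
    exit;                                 // nothing after a redirect should run
}

// --- guard included at the top of every protected page ---
function requireLogin(): void
{
    session_start();
    // Tell browsers and proxies not to keep a copy, so Back after logout
    // re-requests the page and the check below runs again.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
    if (empty($_SESSION['logged'])) {
        header('Location: ../login.html');
        exit;
    }
}
```

logout.php just calls `logout();`, and each protected page calls `requireLogin();` before producing any output, since headers cannot be sent after output has started.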