0

I created a page in PHP to log in users. But once I have logged out, if I type a restricted page in the browser I'm able to see it, even though I have logged out.

I have this code at the beginning of the page, any ideas? :) Thanks

<?php 
if(!isset($_SESSION)){
    session_start();
}

?>

iTux

4 Answers

0

Use session_start always when you need to work with session.

Before session_start no SESSION exists.

pavel
0

Cookies are a great way to control whether or not a user is logged in. A simple, yet insecure way would be to simply write a cookie "loggedin" upon successful login, and delete it upon logout.

More complex cookie login/logout logic could instead store a large, random string that is tracked in the database upon login. Upon logout, the database deletes the random string used for the cookie value, and the cookie is also deleted. This way, even if someone stole the cookie and tried to re-use it, upon page generation, it would check the status of that random string, and deny access to the page.

Geremy
0

Hope you're calling session_destroy(); when logging out.

Also, you don't need

<?php 
if(!isset($_SESSION)){
    session_start();
}
?>

in every page. This should just be in the login page. For every other page, it should be:

<?php 
if(!isset($_SESSION)){
    //Redirect to login Page
} else {
    //User is logged in. Display relevant content. 
}
?>
Shivam Verma
0

That happens because you did not destroy the session.
To do this, you must create a link to a page where clicking on 'logout' will lead to that page where you must invoke session_destroy(). For example, <a href="path_to_your_page.php">Logout</a>. And in your page, you run this:

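<?php
session_start();      // resume the current session so it can be destroyed
session_destroy();    // delete the server-side session data
header("Location: index.php");
exit;                 // stop the script once the redirect has been sent
?>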
  • Thanks @begueradj, yes I have on a different page a logout code... is the following: `` but if I click back I get back to the page with no problems – iTux Jul 09 '14 at 06:34
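
An added example, not code from the question or from any of the answers above: one way to guard restricted pages and log out so that neither a typed URL nor the Back button shows protected content afterwards. The file name `auth.php`, the `login.php` target and the `$_SESSION['user_id']` key are assumptions; the login script is assumed to set that key after verifying credentials.

```php
<?php
// auth.php (hypothetical file name): include at the top of every page.
// Assumption: the login script sets $_SESSION['user_id'] after a successful login.

function start_session(): void
{
    // $_SESSION is only populated after session_start(), so every page needs it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function require_login(): void
{
    start_session();
    // Check a marker written at login, not merely whether $_SESSION exists.
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php'); // hypothetical login page
        exit; // without exit the restricted content is still sent
    }
    // Stop the browser from replaying a cached copy via the Back button.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

function logout(): void
{
    start_session();
    $_SESSION = []; // drop the data for the remainder of this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // delete the server-side session data
    header('Location: login.php');
    exit;
}
```

Call `require_login()` as the first statement of each restricted page and `logout()` from the logout page, in both cases before any output is sent.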