-1

I made a login function using PHP, I have a variable called '$loggedIn' in a php class. How would I set this to false when a user clicks on the logout button?

XLordalX
  • 1
    Any number of ways, but as php is stateless, there's not much point. Perhaps you should provide more information – Steve Jul 29 '14 at 15:27
  • 1
    You do understand php does not persist internal script state between calls, right? – Cthulhu Jul 29 '14 at 15:27
  • Here is a really good tutorial on this: http://www.2my4edge.com/2013/07/simple-login-logout-system-using-php.html – Krupal Shah Jul 29 '14 at 15:31

2 Answers

3
  1. Redirect to another page named logout.php where `session_destroy();` or a similar method is executed, and set the value of `$loggedIn` to false there.
  2. Add an ajax call to send a request to logout.php where `session_destroy();` or a similar method is executed, and set the value of `$loggedIn` to false there.

Upon destroying the session, redirect the user to the homepage/sign-in page using `header('location:signin.php');`

Please note that the names logout.php or signin.php are just to make the example clear.

Fallen
  • 4
    Do not forget to add die or exit after header :) It's a security vulnerability – Canser Yanbakan Jul 29 '14 at 15:29
  • 2
    It doesn't appear the OP is using `$_SESSIONS`. Since PHP is stateless, the variable is garbage collected after script execution. The user is never actually logged in. – War10ck Jul 29 '14 at 15:31
  • 1
    @R.CanserYanbakan no, it is not any security vulnerability. People add `exit()` as simplest solution for potential `Headers already sent` issue. – Marcin Orlowski Jul 29 '14 at 15:32
  • @War10ck See this post: http://stackoverflow.com/questions/3553698/php-should-i-call-exit-after-calling-location-header – Canser Yanbakan Jul 29 '14 at 15:33
  • @R.CanserYanbakan I'm not following? I was talking about the headers. I was referencing the use of `session_destroy();`. In this case it makes no sense. The OP is not using `$_SESSION` at all... – War10ck Jul 29 '14 at 15:35
  • Sorry, @MarcinOrlowski See my second comment. – Canser Yanbakan Jul 29 '14 at 15:36
  • @War10ck: I assumed an object of `a php class` was stored in session. – Fallen Jul 29 '14 at 15:39
  • 1
    @R.CanserYanbakan: Usually I add `exit();` after every `header('location...');` but I wrote the answer just to introduce the terms to OP so s/he can check those things out :) – Fallen Jul 29 '14 at 15:41
0

You should have a database with users to log in, then you should check the DB to make sure the username and password are correct (and HASHED & SALTED). Then you should not use a `$loggedIn` variable, you need to use sessions.

The code below is highly abstracted and assumes a knowledge of database interaction. This page would run from something like signin.php.

```php
<?php

session_start();

function auth()
{
    // DB logic here that compares $_POST['<username_field_name>'] and
    // hashMethod($_POST['<password_field_name>']) to a returned row from the database
    $valid = false; // placeholder: replace with the result of the DB logic conditions
    // If it is valid return true
    if ($valid) {
        return true;
    }
    return false;
}

if (isset($_POST['<username_field_name>']) && isset($_POST['<password_field_name>']))
{
    if (auth()) {
        $_SESSION['loggedIn'] = 'true';
    }
}
else
{
    // Call for login form here
}
```

Once that is done you can simply destroy the session. http://php.net/manual/en/function.session-destroy.php

This code would be in logout.php.

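```php
<?php
session_start();   // resume the existing session so it can be destroyed
session_destroy();
header('location:signin.php');
exit;              // stop the script once the redirect header is sent
```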

This is not by any means the best authentication at all! There are many factors that you need to worry about such as SQL injection but this gives you a core working system. What you really should do is learn a framework like Zend or Laravel that has built-in best-practice authentication systems.

Laravel Security docs http://laravel.com/docs/security

Zend Framework Auth docs http://framework.zend.com/manual/1.12/en/learning.multiuser.authentication.html

I recommend Laravel if you are just learning.

Heath N
  • I've already done the MySQL stuff, also MD5. I am now using sessions. Thanks. – XLordalX Jul 29 '14 at 15:43
  • *spits out coffee* MD5?! – Danieloplata Jul 29 '14 at 15:44
  • XLordalX, don't use MD5, it has so many issues and rainbow tables out there. Use at very least SHA1. http://www.tbs-certificates.co.uk/FAQ/en/sha256.html. ALSO! You need to sanitize all user inputs. You could write a custom clean method or lift one from a number of projects. See here: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Heath N Jul 29 '14 at 15:49
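
The session-based login and logout flow discussed in the answers, written out in full as an added example that is not code from either answer. The constructed user record (standing in for a database row), the `action`, `username` and `password` field names and the single-file layout are assumptions; `signin.php` is the page name used in the answers.

```php
<?php
// Constructed user record standing in for a database row (assumption).
$userRow = [
    'username'      => 'alice',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

function login(array $userRow, string $username, string $password): bool
{
    // password_verify() checks the salted hash produced by password_hash().
    if ($username !== $userRow['username']
        || !password_verify($password, $userRow['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session ID once the user is authenticated
    $_SESSION['loggedIn'] = true;  // state lives in the session, not in a class property
    $_SESSION['username'] = $username;
    return true;
}

function isLoggedIn(): bool
{
    return isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true;
}

function logout(): void
{
    $_SESSION = [];                // clear the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser as well.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();             // remove the server-side session data
}

session_start();                   // required before any $_SESSION access or destroy

if (($_POST['action'] ?? '') === 'logout') {
    logout();
    header('Location: signin.php');
    exit;                          // nothing after the redirect may run or be sent
}
if (isset($_POST['username'], $_POST['password'])) {
    login($userRow, $_POST['username'], $_POST['password']);
}
echo isLoggedIn() ? 'Logged in' : 'Show login form';
```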