
Having trouble figuring this one out. I know that it's not best practice to store this information in a cookie, but it's for a school project and my professor just asked to do it this way.

Here is the code where you log in and the cookie is set | admin.php:

```php
<?php
if (!isset($_COOKIE['loggedIn'])) {
  if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
  } else if($_SERVER['PHP_AUTH_USER'] == "user1" &&
    $_SERVER['PHP_AUTH_PW'] == "pass1") {
    //make the cookie
    setcookie("loggedIn", "user1/pass1", time() + 60);
  } else {
    header('HTTP/1.0 401 Unauthorized');
    echo "Invalid Credentials";
    exit;
  }
} else {
  if (isset($_COOKIE['loggedIn']) && $_COOKIE['loggedIn'] == "user1/pass1") {
    //YAY DO NOTHING ITS ME
  } else {
    header('HTTP/1.0 401 Unauthorized');
    echo "Invalid Credentials";
    exit;
  }
}
?>
```

And here is the code that I was trying to run to delete the cookie and log out, so when you visit the admin.php page again you would have to enter the credentials again... but it doesn't seem to work.
logout.php:

```php
<?php

if(isset($_COOKIE[session_name()])):
    setcookie(session_name(), '', time()-7000000, '/');
endif;

if(isset($_COOKIE['loggedIn'])):
    setcookie('loggedIn', '', time()-7000000, '/');
endif;

session_start();
session_unset();
//unset($_SESSION["nome"]);
// where $_SESSION["nome"] is your own variable. if you do not have one use only this as follow **session_unset();**
header("Location: index.php");

?>
```

Thanks in advance for any help!

Kira
  • Don't use session_unset(). It's the complement of session_register(), and that's been deprecated for a long time. It'd only be useful if you actually used `session_register` anyways. If you want to clear the session, then `$_SESSION = array()` will do that for you. – Marc B Dec 08 '14 at 18:34
  • Do I put `$_SESSION = array()` in place of `session_unset();`? – Kira Dec 08 '14 at 18:38
  • @MarcB I tried doing that, I can still just click on my admin page and I'm automatically logged in. – Kira Dec 08 '14 at 18:43
  • Do a Shift-F5 "force reload". You could very well just be looking at a cached page. – Marc B Dec 08 '14 at 18:44
  • @MarcB I did a force reload, and tried manually emptying my browser's cache... still automatically logging me in. :( – Kira Dec 08 '14 at 18:53
  • Then it's probably the HTTP auth login still in effect. Until the server invalidates that login (e.g. you output an HTTP 401 unauth as part of your logout), the browser will just resend the user/pass again and auto-login: http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication – Marc B Dec 08 '14 at 19:38

1 Answer


There's a pretty comprehensive example on php.net: http://php.net/manual/en/function.session-destroy.php

```php
<?php
session_start();

// Unset all of the session variables.
$_SESSION = array();

if(isset($_COOKIE[session_name()])):
    setcookie(session_name(), '', time()-7000000, '/');
endif;

if(isset($_COOKIE['loggedIn'])):
    setcookie('loggedIn', '', time()-7000000, '/');
endif;

// Check session cookies
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}

// Finally, destroy the session.
session_destroy();
//session_unset();
//unset($_SESSION["nome"]);
// where $_SESSION["nome"] is your own variable. if you do not have one use only this as follow **session_unset();**
header("Location: index.php");
```

Notice unsetting the session array: `$_SESSION = array();` deleting the session cookie; and destroying the session: `session_destroy();`

Thanks,

Andrew

versalle88
  • I used the code that you answered with, I still can't get it to ask me to log in again... it just goes straight to the admin page. – Kira Dec 08 '14 at 18:55
  • After you unset the session and go back to the admin page, does this statement return true and log you back in: `else if($_SERVER['PHP_AUTH_USER'] == "user1" && $_SERVER['PHP_AUTH_PW'] == "pass1") { //make the cookie setcookie("loggedIn", "user1/pass1", time() + 60); }` – versalle88 Dec 08 '14 at 19:07
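
The behaviour raised in the comments (the browser keeps resending the Basic credentials, so admin.php re-creates the `loggedIn` cookie right after logout deletes it), as an added example that is not part of the original thread. It models admin.php's checks and a simplified browser; `adminGate`, `logout`, `Browser` and `statusAfterLogout` are hypothetical names, and the rule that the browser forgets credentials after a 401 is a modelling assumption.

```php
<?php
// Added example. Browser is a simplified model (assumption): it resends cached
// Basic credentials and drops them once a request carrying them gets a 401.
const COOKIE_VALUE = 'user1/pass1';
// Same decision order as admin.php: cookie first, then Basic credentials.
function adminGate(array $cookies, array $server): array {
    if (isset($cookies['loggedIn'])) {
        $ok = $cookies['loggedIn'] === COOKIE_VALUE;
        return ['status' => $ok ? 200 : 401, 'setCookie' => null];
    }
    if (($server['PHP_AUTH_USER'] ?? null) === 'user1'
        && ($server['PHP_AUTH_PW'] ?? null) === 'pass1') {
        return ['status' => 200, 'setCookie' => COOKIE_VALUE]; // cookie re-created
    }
    return ['status' => 401, 'setCookie' => null]; // browser shows the prompt
}

// Logout always expires the cookie ('' = delete). As posted it redirects
// (302); with $send401 it answers 401, as the comments suggest.
function logout(bool $send401): array {
    return ['status' => $send401 ? 401 : 302, 'setCookie' => ''];
}

final class Browser {
    public array $cookies = [];
    public ?array $creds = null; // cached [user, password] for the realm
    public function request(callable $handler): int {
        $server = $this->creds === null ? []
            : ['PHP_AUTH_USER' => $this->creds[0], 'PHP_AUTH_PW' => $this->creds[1]];
        $res = $handler($this->cookies, $server);
        if ($res['setCookie'] !== null) { // '' deletes, anything else stores
            $this->cookies = $res['setCookie'] === '' ? [] : ['loggedIn' => $res['setCookie']];
        }
        if ($res['status'] === 401 && $server !== []) {
            $this->creds = null; // credentials rejected: forget them
        }
        return $res['status'];
    }
}

// Status admin.php returns on the first visit after logging out.
function statusAfterLogout(bool $send401): int {
    $b = new Browser();
    $b->creds = ['user1', 'pass1'];   // user answered the prompt once
    $b->request('adminGate');         // logs in, cookie set
    $b->request(fn(array $c, array $s) => logout($send401));
    return $b->request('adminGate');
}
printf("as posted: %d, with 401: %d\n", statusAfterLogout(false), statusAfterLogout(true));
```

Run it with the `php` command line: with the logout as posted, the next visit to the admin page is accepted again because the credentials are resent, while the 401 variant gets the login prompt. In logout.php this corresponds to sending the same `WWW-Authenticate` and `HTTP/1.0 401 Unauthorized` headers that admin.php already uses, in addition to expiring the cookie.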