I have three PHP scripts (logout.php, index.php, session.php) that I use in a larger application. I incorporated session.php (to serve as a mechanism to control preserving page view for pressing the back button on the browser).

I am trying to make logout.php clear the cache and the logged-in user info on the webpage, but no matter what I do I cannot seem to log out. That is, the user still remains on my page as logged in.

How can I log out to ensure that the user does not appear as logged in on my index.php page?

session.php

<? 
  session_cache_limiter('public');
  session_start();
?>

logout.php

<?php
    session_start();
    $_SESSION['expire'] = "<META HTTP-EQUIV=\"EXPIRES\" CONTENT=\"Mon, 02 May 2015 21:00:00 GMT\">";
    header('Location: index.php');                                             
?>

beginning of index.php script

<?php   
    session_start(); 
    if (isset($_SESSION['expire']))
    {              
        echo $_SESSION['expire'];
        session_unset();
        session_destroy();
        unset($_SESSION);
    } 
?>

Error Log shows the following each time I try to logout.

PHP Notice: A session had already been started - ignoring session_start() in index.php on line 6 <-- this is referring to where I have session_start() in my if block in my local code.

EDIT - Modified index.php

<?php
    if (isset($_SESSION['expire']))
    {      
        session_start();        
        echo $_SESSION['expire'];
        session_destroy();
    } 
    else
    {
        require_once('session.php');
    }
?>

Latest index.php script

<?php
    if (session_status() === PHP_SESSION_NONE)
    {
        require_once('session.php');
    }
    else
    {
        session_start();  
        if (isset($_SESSION['expire']))
        { 
            $expire = $_SESSION['expire'];
            session_destroy();
            echo $expire;
        }
    }
?>
Vahe
  • Note you are using short tags `<?` instead of `<?php` – Michael Berkowski Jan 31 '16 at 01:12
  • When I add back the regular tag and when I die() before I redirect to index.php my browser is still redirecting to index.php. What I am puzzled about is why after I add die(); that the script still redirects to index.php. I tried ini_set and error_reporting but I did not see any errors. – Vahe Jan 31 '16 at 01:15
  • I might be wrong, but the issue here is most likely that echo before destroying the session. I might add, `session_destroy` is enough, you don't need to call `session_unset` at all and please do NOT do `unset($_SESSION)`, just don't. – ggg Jan 31 '16 at 01:21
  • @ggg, I am trying to echo the meta tag to try to remove any cached info. Do you suggest not echoing before session_destroy()? – Vahe Jan 31 '16 at 01:24
  • At what point do you have `session_start()` inside the `if ()` block? That's not above, and unless you have additional calls to `session_start()` in index.php you would not see that error. – Michael Berkowski Jan 31 '16 at 01:25
  • I didn't notice that echo in the unset block - that could potentially cause the "headers already sent" error when attempting to modify the session cookie state. – Michael Berkowski Jan 31 '16 at 01:26
  • @MichaelBerkowski, I edited the code to have session_start() correctly placed in my if block. I had it incorrect initially. There are no errors in php error log, only that the user still remains when I go to logout.php. – Vahe Jan 31 '16 at 01:31
  • right, so the "session already started" error is usually caused by multiple `session_start` calls - there still is an issue with that echo that should go after `session_destroy`: just store `$_SESSION['expire']` inside a variable and echo that variable after you finished working with the session. – ggg Jan 31 '16 at 01:34
  • When I comment out session_cache_limiter('public'); and try to reload the page after I add a test message echoed from my if block, I get only the old message? Is this a caching issue and if so why can't I see new content echoed even though there is caching happening? – Vahe Jan 31 '16 at 01:50
  • Ok, so after inserting an html5 doctype and a one-time refresh meta tag output (to counter the need to press logout twice) I succeeded in logging out. I will post my answer below. – Vahe Jan 31 '16 at 02:23

1 Answer

I formulated the code below for my scripts, which resolved the logout issue I was encountering. I narrowed down the cause of my issue to probably incorrectly interpreted/parsed HTML code in my browser, which I noticed as red tags in my page source code.

After adding in the doctype and the meta tags after the doctype in the php script before <html> tag I got my page to logout successfully!

index.php

 <!DOCTYPE html>
    <?php
        session_start();
        if (session_status() === PHP_SESSION_NONE)
        {
            require_once('session.php');
        }
        else if (isset($_SESSION['expire']))
        { 
            $expire = $_SESSION['expire'];
            session_destroy();
            echo $expire;
            echo "<meta http-equiv='refresh' content='0; url=index.php'>";
        } 
    ?>
    <html>
    ... rest of code not shown

session.php

<?php 
  session_start();
  session_cache_limiter('public');
?>

logout.php

<?php
    session_start();
    $_SESSION['expire'] = "<META HTTP-EQUIV=\"EXPIRES\" CONTENT=\"Mon, 02 May 2015 21:00:00 GMT\">";
    header('Location: index.php');                                             
?>
Mr Lister
Vahe
  • Still unsure as to why I need to press logout twice but I temporarily got a solution that is close to what I needed. I will investigate the issue further to see why I still need to press logout twice. – Vahe Jan 31 '16 at 02:30
  • You _cannot_ place the `<!DOCTYPE html>` declaration before the PHP code. The call to `session_start()` will fail there because you have already sent output. Did you already have that indented whitespace before the opening `<?php` – Michael Berkowski Jan 31 '16 at 02:46
  • For example, it may not be that the logout has actually completed successfully, but rather that you just don't see the active session reloaded on that script because the `session_start()` call has failed because of the doctype placement. – Michael Berkowski Jan 31 '16 at 02:47
  • I did move down the doctype to below the php code following the suggestion, and when I try to access a page that is restricted to logged-in users I cannot access the page; I am forced to log back in again with appropriate credentials. I am hopeful that this resolves the issue. But I am still uncertain as to why I have to do a double click on logout. – Vahe Jan 31 '16 at 03:09
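
An added example (not code from the question, the answer, or the commenters) of the logout flow the comments point toward: the session is started before any output, its cookie is expired, the server-side data is destroyed, and the script exits right after the redirect. The function names and the `user` session key are assumptions made for illustration.

```php
<?php
// session.php (added example): shared helpers, included before any output.
// Function names here are hypothetical, not from the original thread.

/** Start or resume the session with caching of the page disabled. */
function start_private_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // 'nocache' makes session_start() send Cache-Control/Pragma/Expires
        // headers that stop browsers and proxies from storing the page;
        // 'public' allows caching. Must be set before session_start().
        session_cache_limiter('nocache');
        session_start();
    }
}

/** End the session: clear data, expire the cookie, delete server-side state. */
function end_session(): void
{
    start_private_session();
    $_SESSION = [];                    // drop the data for the rest of this request

    if (ini_get('session.use_cookies')) {
        // Expire the cookie using the same path/domain it was issued with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                 // remove the session data on the server
}

/** Redirect and stop, so no later code or output runs. */
function redirect_and_exit(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// logout.php would then contain only:
//     require_once 'session.php';
//     end_session();
//     redirect_and_exit('index.php');
//
// index.php would begin (before <!DOCTYPE html> or any whitespace) with:
//     require_once 'session.php';
//     start_private_session();
//     $loggedIn = isset($_SESSION['user']);   // 'user' is a hypothetical key
```

Because the cache headers are sent by `session_start()` on every authenticated page, no meta tag has to be carried through the session or echoed after logout.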