
I have made this simple login script (without accessing the database), but the session remains active after closing the browser, even if the 'remember me' button is not checked. How do I correct this?

<?php

define('LOGIN_URL', '/ab_batch/login/newlogin.php');

session_start();

$display_user = false;

$loginForm = [
    'username' => [
        'value'   => '',
        'error'   => false,
        'err_msg' => ''
    ],
];

// Handle a submitted login form.
if ( isset($_POST['submit']) ) {

    $username = trim($_POST['username']);
    $remember = ( isset($_POST['remember']) && '1' == $_POST['remember'] ) ? true : false;

    if ( empty($username) ) {
        $loginForm['username']['error']   = true;
        $loginForm['username']['err_msg'] = "required";
    }
    else {
        $loginForm['username']['error'] = false;

        $_SESSION['username'] = $username;

        // "Remember me": keep the username in a cookie for 180 seconds.
        if ($remember) {
            setcookie('my_cookie', $username, 180+time(), '/');
        }
    }
}

// Handle logout: expire the remember-me cookie, destroy the session, redirect.
if ( isset($_GET['action']) && 'logout' == $_GET['action'] ) {

    if ( isset($_COOKIE['my_cookie']) && !empty($_COOKIE['my_cookie']) ) {
        setcookie('my_cookie', '', -3600+time(), '/');
    }

    session_destroy();

    header('Location: ' . LOGIN_URL);
    exit();
}

$session_user = null;

// Restore the username from the remember-me cookie, if one is present.
if ( isset($_COOKIE['my_cookie']) && !empty($_COOKIE['my_cookie']) ) {
    $_SESSION['username'] = $_COOKIE['my_cookie'];
}

if ( !$loginForm['username']['error'] && isset($_SESSION['username']) ) {
    $session_user = $_SESSION['username'];
    $display_user = true;
}

?>

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Login</title>

        <style type="text/css">

            .reqd {

                color: red;
            }

            .result {

                padding: 5px;
                background-color: grey;
                border: 1px solid black;
            }

        </style>
    </head>
    <body>

        <?php if(!$display_user): ?>
        <form action="" method="post">

            <p>
                <label for="username">Username: <span class="reqd">* <?php echo
                $loginForm['username']['error'] ? $loginForm['username']['err_msg'] : ''; ?></span></label><br />
                <input type="text" name="username" />
            </p>

            <p>
                <label for="remember">Remember me </label>
                <input type="checkbox" value="1" name="remember" />
            </p>
            <p>
                <input type="submit" name="submit" value="Login" />
            </p>
        </form>


        <?php else: ?>

        <div class="result" >
            <h3>Welcome <?php echo $session_user; ?> </h3>
            <a href="?action=logout">Logout </a>
        </div>

        <?php endif; ?>
    </body>
</html>

Below is the link to the source code:

https://codeshare.io/tHDHa

maxhb
  • Make sure that `session.cookie_lifetime` is set to 0, if you want a true "destroy on browser close" cookie. – Marc B Jun 03 '16 at 14:28

2 Answers


Sessions don't expire on the server just because the browser is closed. Sessions are server side. If you want to end the session on browser window closing, you would need to write a JavaScript AJAX request that calls session_destroy() on the server.

<script type="text/javascript">
    // Requires jQuery to be loaded on the page for $.ajax().
    window.onbeforeunload = function (event) {
        // Make an ajax call to run session_destroy() on the server
        $.ajax({url: "your.server.com/path/session_destroy.php", success: function(result){
            console.log(result);
        }});
    }
</script>

Then you would have a file on your server named session_destroy.php. That file would contain:

<?php

session_start();   // the session must be started before it can be destroyed
session_destroy();

This is an incredibly rudimentary implementation, but should accomplish what you're wanting to do.

Wes
  • I don't know much about AJAX... can I not do it simply by writing a few PHP lines of code? – Abhijit Borkakoty Jun 03 '16 at 14:24
  • @AbhijitBorkakoty - how would the server know you closed the window? The client and server are not interlinked automatically. Let me update the code to help you out. – Wes Jun 03 '16 at 15:14
  • There is also documentation for an INI setting that can perhaps do this automatically without JS, but you would want to test it on a lot of browsers to make sure it really works across devices/browsers - http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime – Wes Jun 03 '16 at 15:26

Try this:

ini_set('session.cookie_httponly', true);
ini_set('session.use_cookies', true);
ini_set('session.use_only_cookies', true);
ini_set('session.use_trans_sid', false);

I hope this helps!

Allan Andrade
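Marc B's comment (`session.cookie_lifetime` = 0) and Allan Andrade's ini_set() answer both point at the session cookie settings. The following is an added example, not code from the question or either answer: it applies those settings through session_start() so the PHP session cookie is discarded when the browser closes, adds a logout that also expires the cookies, and replaces the bare-username remember-me cookie the question's script trusts with an HMAC-signed one. It assumes PHP 7.3 or later and an HTTPS-only site; REMEMBER_SECRET, REMEMBER_COOKIE and the helper function names are hypothetical.

```php
<?php
// Added example, not code from the question or the answers. Assumes PHP >= 7.3
// (array options for session_start(), 'cookie_samesite') and an HTTPS-only site.
// Hypothetical names. The secret is a placeholder: load the real one from the
// environment or a file outside the web root, never commit it.
const REMEMBER_SECRET = 'PLACEHOLDER-change-me';
const REMEMBER_COOKIE = 'my_remember';
const REMEMBER_TTL    = 180; // seconds, same as the question's setcookie() call

function start_session(): void {
    // cookie_lifetime 0 makes PHPSESSID a true session cookie: the browser drops
    // it on close (Marc B's point). Server-side data still lives until garbage
    // collection, so the session is not "destroyed", only unreachable.
    session_start([
        'cookie_lifetime'  => 0,
        'cookie_httponly'  => true,  // not readable from JavaScript
        'cookie_secure'    => true,  // sent over HTTPS only
        'cookie_samesite'  => 'Lax',
        'use_only_cookies' => true,  // never accept a session id from the URL
        'use_strict_mode'  => true,  // reject ids the server never issued
    ]);
}

// Remember-me cookie value "username|expiry|hmac". Signing it means a client
// cannot edit the cookie to another username, as the original script allowed.
function remember_cookie_value(string $username, int $now): string {
    $payload = $username . '|' . ($now + REMEMBER_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, REMEMBER_SECRET);
}

// Returns the username if the cookie is intact and unexpired, otherwise null.
// A username containing '|' yields four parts and is simply not remembered.
function verify_remember_cookie(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expires, REMEMBER_SECRET);
    return (hash_equals($expected, $mac) && (int)$expires >= $now) ? $username : null;
}

function logout(): void {
    $_SESSION = [];
    // session_destroy() alone leaves the cookie in the browser; expire it as well.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');
    session_destroy();
}
```

At login, `setcookie(REMEMBER_COOKIE, remember_cookie_value($username, time()), time() + REMEMBER_TTL, '/', '', true, true);` replaces the plain-username cookie, and on each request `verify_remember_cookie($_COOKIE[REMEMBER_COOKIE] ?? '', time())` decides whether to restore the username into the session.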