
I've got a problem. When I click <a href="logout.php"> Logout </a>, I get a redirect to login.php, but if I open home.php again, there is no redirect and the user stays in the system. I mean there is no session destroy. Here is the code:

login.php

<?php
session_start();
if (isset($_POST['submit']))
{
    include("config.php");

    $username = $_POST['username'];
    $password = $_POST['password'];

    $_SESSION['login_user'] = $username;

    $query = mysql_query("SELECT username FROM login WHERE username='$username' and password='$password'");

    if (mysql_num_rows($query) != 0)
    {
        echo "<script language='javascript' type='text/javascript'> location.href='home.php' </script>";
    }
    else
    {
        echo "<script type='text/javascript'>alert('User Name Or Password Invalid!')</script>";
    }
}
?>

home.php

<html>
<head>
<title>Untitled Document</title>
</head>
<body>
<h1>Welcome
<?php
session_start();
$login_session = $_SESSION['login_user'];
echo $login_session;
?> </h1>
<a href="logout.php"> Logout </a>
</body>
</html>

logout.php

<?php
session_start();
if (session_destroy())
{
    header("Location: login.php");
}
?>
Ector
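Reading the posted files, the logout itself is only half of the problem: home.php never checks whether `$_SESSION['login_user']` exists, so it renders for anyone no matter what logout.php did, and its `session_start()` runs after `<html>` and `<h1>` have already been sent, so PHP cannot send session headers at that point. On the logout side, `session_destroy()` removes the server-side data but leaves `$_SESSION` populated for the rest of the current request and leaves the session cookie in the browser. The following helper file is an added example, not the asker's code; the file name `session_helpers.php` and the two function names are assumptions.

```php
<?php
// session_helpers.php (hypothetical file name; added example, not the asker's code).
// Both helpers send headers, so they must run before any HTML output.

function require_login(string $login_page = 'login.php'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The home.php in the question never performs this check, so a visitor
    // whose session was destroyed (or who never logged in) still sees the page.
    if (empty($_SESSION['login_user'])) {
        header('Location: ' . $login_page);
        exit; // without exit the rest of the page is still rendered and sent
    }
    return $_SESSION['login_user'];
}

function logout(string $login_page = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 1. Clear the in-memory data for this request
    //    (session_destroy() alone leaves $_SESSION populated until the script ends).
    $_SESSION = [];

    // 2. Expire the session cookie so the browser stops presenting the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session data.
    session_destroy();

    header('Location: ' . $login_page);
    exit;
}
```

With this in place, home.php starts with `<?php require 'session_helpers.php'; $login_session = require_login(); ?>` as its very first bytes, before the `<html>` tag, and then echoes `$login_session` inside the heading as before; logout.php shrinks to `<?php require 'session_helpers.php'; logout();`. Note that the original login.php assigns `$_SESSION['login_user']` before the query runs, so the guard above only means something once that assignment is moved after a successful credential check.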
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 02 '17 at 15:02
  • 3
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 02 '17 at 15:02
  • 3
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 02 '17 at 15:03
  • 2
    `unset($_SESSION)` before you destroy. – Jay Blanchard Feb 02 '17 at 15:03
  • Why you use the if clause? just use `session_destroy(); header("Location: login.php");` it should work. – Mr. K. O. Rolling Feb 02 '17 at 15:05
  • OK, i understand about passwords and not use mysql_* functions. Please write me where have i paste unset($_SESSION) – Ector Feb 02 '17 at 15:07
  • Mr. K. O. Rolling, it doesn't work – Ector Feb 02 '17 at 15:13
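The comments above raise three separate points against login.php: the password is stored and compared in plain text, the `mysql_*` extension is gone in PHP 7, and the query is built by string interpolation and is therefore injectable. The following login.php is an added example, not the asker's code or any answer; it assumes that config.php creates `$pdo`, a PDO connection configured to throw on errors, and that the `password` column of the `login` table (both names taken from the question) stores `password_hash()` output rather than the plain password. It also moves the `$_SESSION['login_user']` assignment to after the credential check, where the original sets it unconditionally.

```php
<?php
// login.php rewritten along the lines of the comments above
// (added example, not the asker's code). Assumes config.php defines $pdo, a
// PDO connection created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, and
// that the `password` column of the `login` table holds password_hash() output.
session_start();
require 'config.php';

// Registration side: store only the hash. Do not trim or escape the password
// first; any change to the raw string changes what password_verify() sees later.
function store_password(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login side: bound parameters keep user input out of the SQL text, so a
// username containing quotes or SQL keywords is matched literally as a string.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    if (!password_verify($password, $row['password'])) {
        return false; // wrong password
    }
    // Transparently upgrade the stored hash if PHP's default algorithm or cost changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE login SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

$error = '';
if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if (authenticate($pdo, $username, $password)) {
        // Fresh session id on privilege change: an id the browser carried before
        // login (session fixation) is not the one that is now authenticated.
        session_regenerate_id(true);
        // Only now, after the credentials checked out, does the session carry a user.
        $_SESSION['login_user'] = $username;
        header('Location: home.php'); // a real redirect instead of echoed JavaScript
        exit;
    }
    $error = 'User Name Or Password Invalid!';
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error !== ''): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="login.php">
  <input name="username"> <input name="password" type="password">
  <button name="submit" value="1">Login</button>
</form>
</body>
</html>
```

`store_password()` is the registration-time counterpart of `authenticate()`: it is included so the example shows both halves of the hashing scheme, but it is not called from the login flow. The `$error` value is HTML-escaped on output because it would otherwise be a second place where untrusted data reaches the page.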

0 Answers