
Whenever I run the logout.php script and then go back to a page that is protected (requires login), it still has me logged in.

logout.php

<?php

session_start(); 
session_unset();
session_destroy();
header("Location: ../index.php");
exit();
?>

login.php

$userlogin = user_login($email, $password.$salt);
if ($userlogin == false) {
    $errors[] = 'Wrong email/password combination.';
} else {
    // set the user session
    $_SESSION['UserId'] = $userlogin;
    $_SESSION['LoginIP'] = $_SERVER['REMOTE_ADDR'];
    // remember the client IP the user logged in from
    $db->query("UPDATE users SET ipadd='" . $_SERVER['REMOTE_ADDR'] . "' WHERE user_id=" . $_SESSION['UserId']);
    echo '<meta http-equiv="refresh" content="0; URL=index.php">';
}

Check logged in snippet

/* Check if user is logged in or not */
function loggedin() {
    return isset($_SESSION['UserId']);
}

if (loggedin()) {
    $session_user_id = $_SESSION['UserId'];
    $user_data = user_data($session_user_id, 'full_name', 'username');
    $rezult = $db->query("SELECT ipadd FROM users WHERE user_id=" . $_SESSION['UserId']);
    while ($rez = $rezult->fetch_assoc()) {
        // force a logout if the stored IP no longer matches the client's IP
        if ($rez['ipadd'] != $_SERVER['REMOTE_ADDR']) {
            echo '<meta http-equiv="refresh" content="0; URL=logout2.php">';
        }
    }
}

I've been looking at posts with the same question, but whatever I try I still get the same issue. Any advice would be extremely appreciated!

Rand

5 Answers


This is from php.net (http://php.net/manual/en/function.session-destroy.php): "Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data."

So you just need $_SESSION = null, and logout should happen.


I think your index.php file should have these lines:

if (!isset($_SESSION["session_name"])) {
    header("Location: somewhere_mainpage.php");
    exit(); // stop here, otherwise the rest of the page still runs after the redirect header
}

It is better to have these lines on all pages. They send a redirect header to another page if no session has been started.

Mr Hery

<?php
session_unset();
session_destroy();
header("Location: ../index.php");
?>

That should work; otherwise you could unset the values:

<?php
unset($_SESSION['UserId']);  // unsets the UserId variable; repeat for each session variable
session_destroy();
header("Location: ../index.php");
?>

Have you tried just session_destroy()?

Also, I'm not sure whether you need session_start() when you are closing the session; from memory you only need it to start the session.

Justin Bland

I always like to destroy both the server session and the client cookie, to manually cover all options in case of any errors.

You can destroy the cookie in PHP with:

setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly );

<?php
$cookie_path = "...";
$cookie_domain = "...";
$cookie_secure = "...";
$cookie_httponly = "...";

session_start();
session_unset();
session_destroy();
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain,$cookie_secure, $cookie_httponly );
header("Location: ../index.php");
exit();

time() - 3600 sets the cookie expiry before the current time, which invalidates it.

Another option to investigate is session_regenerate_id() on your logout pages. Some reference pages are below:

php.net - session-regenerate-id

https://stackoverflow.com/a/22965580/1246494

Bradmage
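Putting the steps from this answer together, here is a complete logout.php as an added example (not code from the question or from any answer on this page). It assumes the ../index.php redirect target from the question and reads the cookie path/domain/secure/httponly values from session_get_cookie_params() so the expired cookie matches the one PHP actually set:

```php
<?php
// Added example: a logout that clears the server-side session, expires the
// client's session cookie with matching parameters, and stops execution
// after the redirect. Assumes ../index.php is the post-logout landing page.
declare(strict_types=1);

function logout_and_redirect(string $location): void
{
    // PHP needs an active session to know which one to destroy.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Clear all server-side session variables.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. Reuse the parameters the
    //    session was configured with: if path or domain differ from the
    //    cookie that was set, the browser keeps the old cookie and the next
    //    request resumes the same session id.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,          // a time in the past invalidates the cookie
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 3. Destroy the session data stored on the server.
    session_destroy();

    // 4. Redirect and stop. Without exit(), code after header() still runs
    //    and may re-populate $_SESSION before the response is sent.
    header('Location: ' . $location);
    exit();
}

logout_and_redirect('../index.php');
```

After a successful login, session_regenerate_id(true) gives the authenticated user a fresh session id, which is the other use of that function mentioned above.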

I believe the session_start(); function call should be on your login page when the user login data is correct, and in your logout PHP code you should set

session_destroy(); or unset($_SESSION['UserId']);

Logout.php:

<?php
session_destroy();
/* OR */
//unset($_SESSION['UserId']);
header("Location: ../index.php");
exit();
?>
    I agree. `session_start();` should be on EVERY page. I can only assume OP has it since `login.php` looks like partial code. – Bradmage Dec 03 '17 at 11:15