Logout Button isn't terminating my current session

Question

So I was recently started working on a login and register page. After doing all the necessary connections and such, I realized my logout button wasn't working.

Not sure exactly why the button isn't working, because I'm not getting any error message when I click it.

I tried using different Session Handles thinking it might work.

 <?php
    session_start();
    unset($_SESSION['id']);
    session_destroy(); // Destroying All Sessions
    header("Location: ../index.php"); // Redirecting To Home Page
    ?>
  this is my logout.inc.php

That didn't change anything, so I thought it was something to do with how I structured my form actions.

 <?php
  if (!isset($_SESSION['id'])) {
    echo '<form action="includes/logout.inc.php" method="post">
      <button type="submit" name="logout-submit">Logout</button>
    </form> ';
  }
  else if (isset($_SESSION['id'])) {
    echo '<form action="includes/login.inc.php" method="post">
      <input type="text" name="mailuid" placeholder="E-mail/Username">
      <input type="password" name="pwd" placeholder="Password">
      <button type="submit" name="login-submit">Login</button>
    </form>
    <a href="signup.php" class="header-signup">Signup</a>';
  }
   ?>

I'm presuming, the problem is something to do with my login script

<?php

if (isset($_POST['login-submit'])) {
  require 'dbh.inc.php';
  $mailuid = $_POST['mailuid'];
  $password = $_POST['pwd'];

  if (empty($mailuid) || empty($password)) {
    header("Location: ../index.php?error=emptyfields");
    exit();
  }
  else {
    $sql = "SELECT * FROM users where uidUsers=? OR emailUsers=?;";
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, $sql)){
      header("Location: ../index.php?error=sqlerror");
      exit();
    }
    else {
      mysqli_stmt_bind_param($stmt, "ss", $mailuid, $mailuid);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);
      if ($row = mysqli_fetch_assoc($result)) {
        $pwdCheck = password_verify($password, $row['pwdUsers']);
        if ($pwdCheck == false) {
          header("Location: ../index.php?error=wrongpassword");
          exit();
        }
        else if ($pwdCheck == true) {
          session_start();
          $_SESSION['userId'] = $row['idUsers'];
          $_SESSION['userUid'] = $row['uidUsers'];
          header("Location: ../index.php?login=success");
          exit();
        }
        else {
          header("Location: ../index.php?error=wrongpassword");
          exit();
        }
      }
      else {
        header("Location: ../index.php?error=nouser");
        exit();
      }
    }
  }
}
else {
  header("Location: ../index.php");
  exit();
}

?>

But even then, I don't know where to start so I was hoping someone could help find something I missed or something that needs to be changed.

My expected output is that the logout button when clicked, will completely terminate the current session and start a new one, which in turn will transfer me to the login/sign up page.

    <?php

  require "header.php";
?>

    <main>
      <div class="wrapper-main">
        <section class="section-default">
          <!--
          We can choose whether or not to show ANY content on our pages depending on if we are logged in or not.
          -->
          <?php
          if (!isset($_SESSION['userId'])) {
            echo '<p class="login-status">You have Successfully logged In!</p>';
          }
          else if (isset($_SESSION['userId'])) {
            echo '<p class="login-status">You are logged Out!</p>';
          }
          ?>
        </section>
      </div>
    </main>

<?php
  // And just like we include the header from a separate file, we do the same with the footer.
  require "footer.php";
?>
this is the index.php file

you don't need to use `form` for logout. a simple url button will do. `Logout` — fazrinwiraman, Sep 19 '19 at 06:06
perhaps you can [see this discussion](https://stackoverflow.com/questions/6472123/why-is-php-session-destroy-not-working) on your problem about sessions. — fazrinwiraman, Sep 19 '19 at 06:12
Do not use session_start() in the logout page. I can see that after destroying the session you are redirecting the user to the index.php instead of login.php. — Tony Manuel, Sep 19 '19 at 06:50
@TonyManuel my login page is on a navigation bar in the index page, so is my logout button. My login bar won't appear without clicking the logout button, and vice versa. So I need to try and start a new session, where I have to input my credentials again. — Neshant Thiru, Sep 19 '19 at 07:18
I just edited the post and added the index.php code. @TonyManuel — Neshant Thiru, Sep 19 '19 at 09:27
Have a look at your if condition. You condition says that if session user id is not set print you are logged in and if it is set you are logget out. It should be the other way. If session is set then user is logged in and if not set user is logged out — Tony Manuel, Sep 19 '19 at 09:33

score 0 · Answer 1 · edited Sep 19 '19 at 06:49

0

In logout.inc.php try this code

if(isset($_POST['logout-submit']))
{
 unset($_SESSION['userId']);
 header("Location: ../index.php");  
}

edited Sep 19 '19 at 06:49

theduck

2,589
13
17
23

answered Sep 19 '19 at 06:08

matheen ulla

526
7
27

score 0 · Answer 2 · answered Sep 19 '19 at 06:32

0

Try the following in logout.inc.php

session_start();
session_destroy();

foreach($_SESSION as $k => $v) {
   unset($_SESSION[$k]);
   session_unset($k);
}

header('Location: '../index.php');

answered Sep 19 '19 at 06:32

Thrallix

699
5
20

score 0 · Answer 3 · answered Sep 19 '19 at 07:36

You dont need form to specifically post it, eitheir way you can do it still, the better solution is to keep logout url in <a>.

This will redirect to that page and then delete/destroy your session.

<?php
  if (!isset($_SESSION['id'])) {
    echo '<a href=includes/logout.inc.php>Logout</a>';
  }
  else if (isset($_SESSION['id'])) {
    echo '<form action="includes/login.inc.php" method="post">
      <input type="text" name="mailuid" placeholder="E-mail/Username">
      <input type="password" name="pwd" placeholder="Password">
      <button type="submit" name="login-submit">Login</button>
    </form>
    <a href="signup.php" class="header-signup">Signup</a>';
  }
?>

logout.inc.php

<?php 
session_start();
unset($_SESSION['id']);
session_destroy(); // Destroying All Sessions
header("Location: ../index.php"); // Redirecting To Home Page
?>

index.php

<?php 
if(!isset($_SESSION['id']))
{
    header("Location: login.php"); //redirect ot login page
}
else
{
    //do your operations
}
?>

I am fearing that you are giving wrong path to logout, if it is proper try debugging it to check is it actually referring to this page and then if yes destorying session check it is rdirecting back to proper page.

Logout Button isn't terminating my current session

3 Answers3