php session: page still accessible after logging out

Question

I am trying to build a php session login system. At the moment , I am getting some problems. the dashboard page (after successful login) does to show the session username, also the dashboard page remains accessible, even after logging out. here is my code

login.php

session_start();
    include('dbconfig.php');
        if (isset($_SESSION['username'])){
            header('Location:dashboard.php');
        }

 if(isset($_POST['btn'])){
            $username=$_POST['username'];
            $password=$_POST['password'];
            if(empty($username)){
                echo "Required field: You must enter username";
            }elseif(empty($password)){
                echo "Required field: You must enter password";
            }else{
           
            $stmt=$pdo->prepare("SELECT * FROM admin WHERE username=:username AND password=:password" );
            $stmt->bindParam('username',$username);
            $stmt->bindParam('password',$password);
                $stmt->execute();
                $row=$stmt->fetch(PDO::FETCH_ASSOC);
              
                    if($row>0){
                        $_SESSION["username"]=$_POST["username"];
                          
                        header('Location:dashboard.php');
                        
                    }else{
                         echo "Username or Password does not match";
                    }
            }
        }

dashboard.php

 <?php     
        session_start();
       include('dbconfig.php');
        if (!isset($_SESSION['username']) ){
            header('Location:login.php');
        }
    ?>    

 <h5 class="text-white"><?php echo $_SESSION['username'] ?></h5>

logout.php

<?php  
    session_start();
   session_unset();
    session_destroy();
     header('Location:login.php');

Put a `die();` after every `header('Location: login.php');` And a space after `Location:`, I think that will solve the problem — Daantje, Aug 14 '21 at 13:00
@Daantje thanks for your help. unfortunately it did not work. I ended up getting a blank dashborad page. — user13800891, Aug 14 '21 at 13:38
**Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) — Dharman, Aug 14 '21 at 16:44

score -2 · Answer 1 · answered Aug 14 '21 at 14:55

-2

You have to add a semicolon to your code :

<h5 class="text-white"><?php echo $_SESSION['username']; ?></h5>

answered Aug 14 '21 at 14:55

Robin

12

thanks but it didnt make any difference @robin – user13800891 Aug 14 '21 at 15:03
Why would they need a semicolon there? There's already `?>` which is the same thing – Dharman Aug 14 '21 at 16:45

php session: page still accessible after logging out

1 Answers1