Member Avatar for random_1

Hi, I have a logout script that works just fine but I don't think its actually killing the session(?). so i have index.php, login.php, home.php, session.php, and logout.php. When i logout from home.php I am redirected to index.php, which is great. But when i manually enter the home.php url i can still get into the home.php with the previous session which shouldn't be allowed. It may be how the session is handled? Im not sure.

login.php

<?php
    session_start();

    include_once 'database.php';

    //connection to server

    if(isset($_POST['submit'])){

        try{
            $id = $_POST['id'];
            $pass = $_POST['password'];

            $stmt = $conn->prepare("SELECT * FROM table WHERE id = :id");

            $stmt->bindParam(':id', $id);
            $stmt->execute();

            $results = $stmt->fetch(PDO::FETCH_ASSOC);
            if(count($results) > 0 && password_verify($pass, $results['password'])){
                $_SESSION['id'] = $results['id'];
                header('location: home.php');
            }else{
                $msg = "Invalid login.";
                echo "<script type='text/javascript'>alert('$msg');</script>";
            }
        }
        catch(PDOException $e){
            echo "Error: " . $e->getMessage();
        }
    }
?>

//html code below

home.php

<?php
  include_once 'session.php';
?>

//html code

<h2>Welcome, <?php echo $login_session; ?></h2>

session.php

<?php
    include_once 'db.php';

    //connection

    session_start();

    $id = $_SESSION['id'];

    $query = $conn->prepare("SELECT * FROM table WHERE id = :sid");
    $query->bindParam(':id', $id);
    $query->execute();

    $row = $query->fetch(PDO::FETCH_ASSOC);
    $login_session = $row['name'];
    if(!isset($login_session))
    {
        header("Location: index.php");
    }
?>

for logout.php I've tried a few:

<?php
    session_start();
    session_destroy();
    $home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php';
    header('Location: ' . $home_url);
?>

<?php
    session_start();

    $_SESSION = array();

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    // Finally, destroy the session.
    session_destroy();
?>

<?php
    session_start();

    session_unset();
    header("Location: index.php"); // Redirecting To Home Page
?>

<?php
    session_start();

    if(session_destroy()) // Destroying All Sessions
    {
        unset($_SESSION['fld_staff_id']);
        header("Location: index.php"); // Redirecting To Home Page
    }
?>

So, i don't know, maybe im misunderstanding session?

  • 3 Contributors
  • 3 Replies
  • 442 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by random_1

Recommended Answers

All 3 Replies

Member Avatar for benanamen

There are numerous issues with your code.

You need to check the request method. Depending on the name of a button being submitted in order for your script to work will completetly fail in certain cases.

Get rid of the try/catch blocks. Php is perfectly capable of handling errors.

Do not output internal sytem errors to the user. That info is only good to hackers.

I assume your use of id is equivelent to a username. In programming id is known in a much differnet sense. Best to change the name.

There is no need to count results. You can simply do if ($results)
You need to kill the script after redirects otherwise the script will keep running.

PHP_SELF is vulnerable to an XSS Attack

This is all you need to completely log out - logout.php

<?php
    session_start();
    session_unset(); //remove all the variables in the session
    session_destroy(); // destroy the session
   die(header("Location: ./login.php?logout"));
Edited by benanamen
Member Avatar for random_1

we were taught to use try/catch blocks. i will get rid of them on all others and won't use them. as for the id, the actual name is different. ahh missing the die. thank you benanamen.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.