session log out problem

Junior Poster

180 posts since Oct 2007

Reputation Points: 10

Solved Threads: 2

huh! How do you know it creates another session ?

Purple hazed!

Moderator

4,465 posts since Nov 2007

Reputation Points: 524

Solved Threads: 356

I'm using Mozilla Firefox. After I logged it, I checked the cookies, there will only 'YourVisitID' under localhost. Then when I press log out button, It will redirect me back to the i.dex.php. Then I tried to copy & paste the direct link to the admin's page., it still works. then I went to check the cookies again, and what I saw under localhost was the intial session 'YourVisitID' was still there and not destroyed and there will be another cookie named 'PHPSESID'.

Advise please.

Junior Poster

180 posts since Oct 2007

Reputation Points: 10

Solved Threads: 2

Are you validating existence of session in admin's page ? Try ths simple example.

<?php //page1.php
session_start();
$_SESSION['name']="test";
echo "<a href='page2.php'>Click here</a>";
?>

This is page2.php

<?php
session_start();
if(!empty($_SESSION['name'])){
 echo $_SESSION['name'];
} else {
 echo "Invalid session";
}
?>

Well, if you try to access page2.php directly, you will get Invalid session. Are you doing a check like this one in admin's page ?

Purple hazed!

Moderator

4,465 posts since Nov 2007

Reputation Points: 524

Solved Threads: 356

Here is what I do

secure.php

<?php
     session_start();
     if (empty($_SESSION['username'])) {
     header("location:index.php");
     exit; }
 ?>

logout.php

<?php
     session_start();
      if($_SESSION["status"]="logged") {
      session_unset(); 
      session_destroy();
       header( "Location:../index.php" ); 
      exit();
     } else { 
       if ($_SESSION["status"]="not logged") {
//the session variable isn't registered, the user shouldn't even be on this page 
       header( "Location:../index.php" ); 
      exit();
    }
  }
?>

Vai

Junior Poster in Training

75 posts since Jan 2008

Reputation Points: 12

Solved Threads: 5

yes I've the validation check on the admin page.

Junior Poster

180 posts since Oct 2007

Reputation Points: 10

Solved Threads: 2

I'm using Mozilla Firefox. After I logged it, I checked the cookies, there will only 'YourVisitID' under localhost. Then when I press log out button, It will redirect me back to the i.dex.php. Then I tried to copy & paste the direct link to the admin's page., it still works.

Can you post your script of admin's page ? When you run the logout script, sessions should get destroyed. Check if there are still values in the session variable :S

Purple hazed!

Moderator

4,465 posts since Nov 2007

Reputation Points: 524

Solved Threads: 356

<?php
     session_start();
      if($_SESSION["status"]="logged") {
      session_unset(); 
      session_destroy();
       header( "Location:../index.php" ); 
      exit();
     } else { 
       if ($_SESSION["status"]="not logged") {
//the session variable isn't registered, the user shouldn't even be on this page 
       header( "Location:../index.php" ); 
      exit();
    }
  }
?>

Take a look at those if statements. Those are SETTING $_SESSION['status'], not comparing them. Comparisons use ==

ShawnCplus

Code Monkey

Team Colleague

1,583 posts since Apr 2005

Reputation Points: 526

Solved Threads: 268

<?php
// Send NOTHING to the Web browser prior to the session_start() line!

// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

	require_once ('mysql_connect.php'); // Connect to the db.
		
	$errors = array(); // Initialize error array.
	
	// Check for an email address.
	if (empty($_POST['username'])) {
		$errors[] = 'You forgot to enter your Username.';
	} else {
		$u = escape_data($_POST['username']);
	}
	
	// Check for a password.
	if (empty($_POST['password'])) {
		$errors[] = 'You forgot to enter your password.';
	} else {
		$p = escape_data($_POST['password']);
	}
	
	if (empty($errors)) { // If everything's OK.

		/* Retrieve the user_id and first_name for 
		that email/password combination. */
		$query = "SELECT user_id, first_name FROM adminprofile WHERE username='$u' AND password='$p'";		
		$result = @mysql_query ($query); // Run the query.
		$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

		if ($row) { // A record was pulled from the database.
				
			// Set the session data & redirect.
			session_name ('YourVisitID');
			session_start();
			$_SESSION['user_id'] = $row[0];
			$_SESSION['first_name'] = $row[1];
			$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);

			// Redirect the user to the loggedin.php page.
			// Start defining the URL.
			$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
			// Check for a trailing slash.
			if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
				$url = substr ($url, 0, -1); // Chop off the slash.
			}
			// Add the page.
			//$url .= 'loggedin.php';
			
			//header("Location: $url");
			header("Location: loggedin.php");
			exit(); // Quit the script.
				
		} else { // No record matched the query.
			$errors[] = 'The username and password entered do not match those on file.'; // Public message.
			$errors[] = mysql_error() . 'Query: ' . $query; // Debugging message.
		}
		
	} // End of if (empty($errors)) IF.
		
	mysql_close(); // Close the database connection.

} else { // Form has not been submitted.

	$errors = NULL;

} // End of the main Submit conditional.

// Begin the page now.
$page_title = 'Login';
include ('./includes/header.html');

if (!empty($errors)) { // Print any error messages.
	echo '<h1 id="mainhead">Error!</h1>
	<p class="error">The following error(s) occurred:';
	foreach ($errors as $msg) { // Print each error.
		echo " - $msg\n";
	}
	echo '</p><p>Please try again.</p>';
}

// Create the form.
?>
<h2>Login</h2>
<form action="login.php" method="post">
	<p>Username: <input type="text" name="username" size="20" maxlength="15" /> </p>
	<p>Password: <input type="password" name="password" size="20" maxlength="15" /></p>
	<p><input type="submit" name="submit" value="Login" /></p>
	<input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/footer.html');
?>

loggedin.php(admin page)

<?php
# User is redirected here from login.php.

session_name ('YourVisitID');
session_start(); // Start the session.

// If no session value is present, redirect the user.
if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) {

	// Start defining the URL.
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		$url = substr ($url, 0, -1); // Chop off the slash.
	}
	//$url .= 'index.php'; // Add the page.
	//header("Location: $url");
	header("Location: index.php");
	exit(); // Quit the script.
}

// Set the page title and include the HTML header.
$page_title = 'Logged In!';
include ('./includes/header1.html');

// Print a customized message.
echo "<h1>Logged In!</h1>
<p>You are now logged in, {$_SESSION['first_name']}!</p>
<p></p>";

include ('./includes/footer.html');
?>

Advise pls.

Junior Poster

180 posts since Oct 2007

Reputation Points: 10

Solved Threads: 2

Maybe this isn't working. Print some statements inside this loop and execute this script (without logging in). if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) {

Purple hazed!

Moderator

4,465 posts since Nov 2007

Reputation Points: 524

Solved Threads: 356

<?php
// This is the logout page for the site.

// Include the configuration file for error management and such.
require_once ('mysql_connect.php'); 

// Set the page title and include the HTML header.
$page_title = 'Logout';
include ('./includes/header.html');
$MM_redirectLoginFailed = "index.html";
$MM_redirecttoReferrer = true;

// If no first_name variable exists, redirect the user.
if (isset($_SESSION['first_name'])) {

	// Start defining the URL.
	//$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	//if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		//$url = substr ($url, 0, -1); // Chop off the slash.
	//}
	// Add the page.
	//$url .= '/index.html';
	
	ob_end_clean(); // Delete the buffer.
	//header("Location: $url");
	//header("Location: index.html");
	echo "<script type='text/javascript'>location.href='$MM_redirectLoginSuccess';</script>";
	exit(); // Quit the script.
	
} else { // Logout the user.

	$_SESSION = array(); // Destroy the variables.
	session_destroy(); // Destroy the session itself.
	//session_unset();
	setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.

}

// Print a customized message.
echo "<h3>You are now logged out.</h3>";

include ('./includes/footer.html');
?>

I've tried this code and the errors are:

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in C:\xampp\htdocs\cycle\logout.php on line 34

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\cycle\includes\header.html:7) in C:\xampp\htdocs\cycle\logout.php on line 36

Please help.

Junior Poster

180 posts since Oct 2007

Reputation Points: 10

Solved Threads: 2