
Hi, I have a logout script that works just fine but I don't think it's actually killing the session(?). So I have index.php, login.php, home.php, session.php, and logout.php. When I log out from home.php I am redirected to index.php, which is great. But when I manually enter the home.php URL I can still get into home.php with the previous session, which shouldn't be allowed. It may be how the session is handled? I'm not sure.

login.php

<?php
    session_start();

    include_once 'database.php';

    //connection to server

    if(isset($_POST['submit'])){

        try{
            $id = $_POST['id'];
            $pass = $_POST['password'];

            $stmt = $conn->prepare("SELECT * FROM table WHERE id = :id");

            $stmt->bindParam(':id', $id);
            $stmt->execute();

            $results = $stmt->fetch(PDO::FETCH_ASSOC);
            if(count($results) > 0 && password_verify($pass, $results['password'])){
                $_SESSION['id'] = $results['id'];
                header('location: home.php');
            }else{
                $msg = "Invalid login.";
                echo "<script type='text/javascript'>alert('$msg');</script>";
            }
        }
        catch(PDOException $e){
            echo "Error: " . $e->getMessage();
        }
    }
?>

//html code below

home.php

<?php
  include_once 'session.php';
?>

//html code

<h2>Welcome, <?php echo $login_session; ?></h2>

session.php

<?php
    include_once 'db.php';

    //connection

    session_start();

    $id = $_SESSION['id'];

    $query = $conn->prepare("SELECT * FROM table WHERE id = :id");
    $query->bindParam(':id', $id);
    $query->execute();

    $row = $query->fetch(PDO::FETCH_ASSOC);
    $login_session = $row['name'];
    if(!isset($login_session))
    {
        header("Location: index.php");
    }
?>

For logout.php I've tried a few:

<?php
    session_start();
    session_destroy();
    $home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php';
    header('Location: ' . $home_url);
?>

<?php
    session_start();

    $_SESSION = array();

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    // Finally, destroy the session.
    session_destroy();
?>

<?php
    session_start();

    session_unset();
    header("Location: index.php"); // Redirecting To Home Page
?>

<?php
    session_start();

    if(session_destroy()) // Destroying All Sessions
    {
        unset($_SESSION['fld_staff_id']);
        header("Location: index.php"); // Redirecting To Home Page
    }
?>

So, I don't know, maybe I'm misunderstanding sessions?


There are numerous issues with your code.

You need to check the request method. Depending on the name of a button being submitted in order for your script to work will completely fail in certain cases.

Get rid of the try/catch blocks. PHP is perfectly capable of handling errors.

Do not output internal system errors to the user. That info is only good to hackers.

I assume your use of id is equivalent to a username. In programming id is known in a much different sense. Best to change the name.

There is no need to count results. You can simply do if ($results)
You need to kill the script after redirects otherwise the script will keep running.

PHP_SELF is vulnerable to an XSS Attack

This is all you need to completely log out - logout.php

<?php
    session_start();
    session_unset(); //remove all the variables in the session
    session_destroy(); // destroy the session
    die(header("Location: ./login.php?logout"));

Edited by benanamen

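The points benanamen raises (stop the script after a redirect, and clear the session completely on logout) put together in one helper file. This is an added example, not code from the original thread or from either poster. It assumes PHP 7.3 or later (array forms of setcookie() and session_set_cookie_params()), that the site runs over HTTPS, and placeholder names: auth.php, a session key user_id, and /index.php as the login page.

```php
<?php
// auth.php (assumed file name): session helpers for the login/guard/logout flow.
declare(strict_types=1);

// Start the session with restrictive cookie settings. Assumes HTTPS.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session ids the server never issued; without this, PHP happily
    // adopts the stale id still sitting in the browser cookie after logout.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this after password_verify() succeeds in login.php.
// $userId is the primary key of the user row (placeholder name).
function login_user(int $userId): void
{
    // Issue a fresh id on privilege change so a pre-set id cannot be reused
    // (session fixation); true deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Guard for pages that require a login. The exit after header() is what the
// original session.php is missing: without it PHP keeps running and emits
// the protected HTML right after the redirect header.
function require_login(string $loginUrl = '/index.php'): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Full logout: drop the data, expire the browser cookie, remove the
// server-side session, then stop the script.
function logout_user(string $loginUrl = '/index.php'): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
    header('Location: ' . $loginUrl, true, 302);
    exit;
}
```

Usage in the thread's layout: home.php does `require_once 'auth.php'; start_secure_session(); $userId = require_login();` before any HTML is output, login.php calls `login_user($results['id'])` in place of the bare `$_SESSION['id'] = ...`, and logout.php is just `start_secure_session(); logout_user();`. Both redirect paths end in `exit`, and because the cookie is expired and strict mode is on, a browser that still presents the old id gets a brand-new empty session rather than the destroyed one, so `require_login()` sends it back to the login page.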

We were taught to use try/catch blocks. I will get rid of them on all others and won't use them. As for the id, the actual name is different. Ahh, missing the die. Thank you benanamen.
