Reputation: 382
Many people may use a PHP MySQL function for login sections for a website.
I am trying to use this code:
ON EACH CONTENT PAGE - TO CHECK IF LOGGED IN (in the header of every content page)
<?php
session_start();
if(! isset($_SESSION["myusername"]) ){
header("location:main_login.php");
}
?>
<html>
<body>
Page Content Here
</body>
</html>
THE LOGIN SCRIPT (which is referred to by my main_login.php page)
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
THE LOGOUT CODE
<?
session_start();
session_destroy();
header("location:main_login.php");
exit();
?>
MAIN_LOGIN.php
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<?php
phpinfo()
?>
But something isn't working: the page login_success.php should only be accessible when logged in, so either the logout isn't working, or the login_success.php check isn't working. But I don't know how to tell. I have tried playing around with them both, and I am still no further forward.
Regards
Henry
Upvotes: 2
Views: 1345
Reputation: 5406
Your logout code should look like this:
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: main_login.php"); exit;
?>
Case sensitive
Upvotes: 0
Reputation: 15924
I have never had a problem with the following:
unset($_SESSION[$myusername]);
The advantage here is that you are only clearing the log in session and can freely store other information in the session if needed, because session_destroy() will clear ALL session data.
EDIT: Looking at your code as well, it's always sending the user to the login page if the username session is set.
Change:
<?php
session_start();
if( isset($_SESSION[$myusername]) ){
header("location:main_login.php");
}
?>
to (notice the ! before isset). You only want to redirect to the login page when the session isn't set.
<?php
session_start();
if(! isset($_SESSION[$myusername]) ){
header("location:main_login.php");
}
?>
Summary of comments: Session[$myusername] changed to Session['myusername'] and the isset check was changed to !isset. This identified the session wasn't being set in the first place.
Upvotes: 1
Reputation: 6295
session_register() is deprecated.
Use of $_SESSION is preferred, as of PHP 4.1.0:
$_SESSION["myusername"] = $myusername;
Try session_destroy() instead of session_unset().
Your IF statement is also wrong:
Change isset($_SESSION[$myusername]) to isset($_SESSION["myusername"])
This is how I manage log ins :
<?php session_start();
require_once('../header.php');
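//Escape user input before it goes into the query (uses the connection opened in header.php).
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT ID, username FROM users WHERE username='$username' AND password='$password'";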
$result = query($sql);
//If nothing is returned from the DB then the credentials are wrong.
if (!$row = mysql_fetch_array($result)) {
header( 'Location: ../index.php' );
die();
}
else {
$user= $row;
}
//All user values ( id_user, username, password, firstname, lastname, avatar ) are saved in $_SESSION for later use.
$_SESSION['ID'] = $user['ID'];
$_SESSION['username'] = $user['username'];
//This variable is used later to verify if a user is still logged in and proceed with loading a profile.
$_SESSION['isLoggedIn'] = 1;
header( 'Location: ../index.php' );
?>
This is how I manage log outs :
<?php session_start();
require_once('../header.php');
//Session data is destroyed so as to prevent the user from accessing any profiles after disconnection.
session_destroy();
mysql_close($connection);
header( 'Location: ../index.php' );
?>
This is how I manage page content depending on whether a user is logged in or not.
<?php session_start();
echo "Page Content";
if (@$_SESSION['isLoggedIn'] != 1) {
showLogin();
}
else {
showHome();
}
?>
Upvotes: 1
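The login, page guard and logout discussed in this thread, rewritten as an added example that is not part of any post above: it uses a PDO prepared statement and password_hash()/password_verify() instead of the removed mysql_* and session_register() functions, and calls exit after the redirect so the protected page body is never sent. The password_hash column, the sample user and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the script runs offline; the members table and the myusername session key follow the question.

```php
<?php
// Added example, not code from the thread. The password_hash column and the
// in-memory SQLite database are assumptions so the script runs offline.
function attempt_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a salted hash; the plaintext password is never stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session ID after login
    $_SESSION['myusername'] = $row['username'];  // literal key, not $myusername
    return true;
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    if (!isset($_SESSION['myusername'])) {
        header('Location: main_login.php');
        exit;  // without exit the rest of the page is still sent to the client
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)')
   ->execute(['henry', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

session_start();
$results = [];
$results['injection attempt'] = attempt_login($db, 'henry', "' OR '1'='1");
$results['correct password'] = attempt_login($db, 'henry', 'constructed-demo-password');
$results['logged in after login'] = isset($_SESSION['myusername']);
logout();
$results['logged in after logout'] = isset($_SESSION['myusername']);
var_dump($results);
```

In a web request, also clear the session cookie on logout as the first answer's code does.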
Reputation: 5712
try session_destroy();
must help..
manual: http://php.net/manual/en/function.session-destroy.php
Upvotes: 0