Reputation: 137
Simple Logout Script
I'm using the code below to log users in. When the new session is created they are redirected to a new page - content.php. I wonder what's the best way/the proper way to destroy the session and log out the users, redirectiong them back to the index.php.
<?php
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
}
else{
echo "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
I know that there are flaws in this script (e.g. not encrypted password), but for now I'm looking for a simple script to log out.
Upvotes: 1
Views: 17296
Answers (5)
Reputation: 1
<?php
if (!isset($_SESSION)) { session_start(); }
$_SESSION = array();
session_destroy();
header("Location: login"); //login.php if you havent setup your htaccess to use without.php
exit();
?>
Upvotes: 0
Reputation: 3486
First of all, please check your query variables before you query, otherwise you run the risk of SQL injection.
Next, when you set up a session, you must call session_start(); at the top of your script to utilize the session.
Finally, to log the user out, you simply call session_destroy(); and the existing session is destroyed.
I have rewritten your code a little
<?php
session_start();
if (isset($_REQUEST['signin'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql_connection = new mysqli("dbHost", "dbUsername", "dbPassword", "dbName");
if($sql_connection->connect_errno){
die("db error");
}
$username = $sql_connection->real_escape_string($username);
$password = $sql_connection->real_escape_string($password);
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password' LIMIT 1;";
$result = $sql_connection->query($query) or die("db error");
$count = $result->num_rows;
if ($count == 1){
$_SESSION['username'] = $username;
header('Location: content.php');
die();
}else{
echo "Invalid Login Credentials.";
}
}elseif(isset($_SESSION['username'])){
$username = $_SESSION['username'];
header('Location: content.php');
die();
}
?>
<form method="post" name="login">
<?php
if (isset($msg) & !empty($msg)) {
echo $msg;
}
?>
<label for="username">Username:</label><br>
<input type="text" name="username"><br>
<label for="password">Password:</label><br>
<input type="password" name="password"><br>
<button type="submit" name="signin">Sign in</button>
</form>
This uses MySQLi instead of MySQL due to the impending removal. It also escapes the input and sets up the session.
Upvotes: 0
Reputation: 5406
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php"); exit;
Upvotes: 1
Reputation: 2597
The best and most simple way to logout a user is to destroy the whole session or unset the necessary session keys.
session_destroy();
// or...
unset($_SESSION['username'];
header('Location: index.php');
I prefer the unset because you might want to store more data in the session array.
Upvotes: 1
Reputation: 5890
First things first you need to sanitize your inputs so
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Now, as for clearing a session. Your logout script should useunset
unset($_SESSION['username']);
unset($_SESSION['password']);
Upvotes: 1