How can I log out of my website using PHP?

Question

I just spent a few hours setting up a login system to my site and I finally logged in but I can't log out.

I have tried using the session name and it still does not work./

<?php
session_start('$_SESSION['userId']');
session_unset('$_SESSION['userId']');
session_destroy('$_SESSION['userId']');
header("Location: ../../index.php?logout=success");
?>

-

These are the Login/Logout hyperlinks on my index.php header, when I was logged out the one that says login was showing, then I logged in and now it's stuck on log out./

<li class="nav-item">
     <?php
      if (isset($_SESSION['userId'])) {
      echo '<a class="nav-link" href="login/login.php">Log In</a>';
      } else {
      echo ' <a class="nav-link" href="login/logout.php">Log Out</a>';}
     ?>
</li>

This is the logout page that the hyperlink is referencing. /

<form action="includes/logout.php" method="post">
  <span>
   Are you sure you want to logout?
  </span>
  <div>
   <button>
    Log out
   </button>
  </div>
</form>

And this is the includes/logout.php, when it it executed it takes me from the logout page back to index.php, and it returns "index.php?logout=success" in the url but the header still says log out instead of login. /

<?php
session_start();
session_unset();
session_destroy();
header("Location: ../../index.php?logout=success");
?>

Basically everything is working except for the session actually stopping. Any help would be gratly appreciated.

EDIT: I just uploaded all the files to a test site and I opened the site in my browser, an incognito tab, and on my phone and they are all automatically showing the 'LOG IN' button, so I'm guessing that the issue is with this;

<li class="nav-item">
     <?php
      if (isset($_SESSION['userId'])) {
      echo '<a class="nav-link" href="login/login.php">Log In</a>';
      } else {
      echo ' <a class="nav-link" href="login/logout.php">Log Out</a>';}
     ?>
</li>

Answer 1

session_start('$_SESSION['userId']');

The first (and only) parameter of session_start must be an array, not a string.

session_unset('$_SESSION['userId']');

session_unset does not have any parameters.

session_destroy('$_SESSION['userId']');

Neither does session_destroy.

These do not do what you think they do, which is likely the root cause of your troubles.

Answer 2

In your login.php

<?php
    if(isset($_GET['logout']))
    {   
       unset($_SESSION['user_id']);
       //use this if you only want the user_id session to be unset.
    }
?>

Answer 3

following three line of code will work fine if you don't need any session variable after logout.Please check this out.

session_start();
session_destroy();
header("Location: ../../index.php?logout=success");

Answer 4

Keep in mind that $_SESSION is available after redirecting until refreshing the page. That means if you log out and get redirected, $_SESSION['userId'] is STILL available until you refresh the page one more time. That is why you still can see that. You are sending GET parameter - use it instead of $_SESSION['userId'] on your page:

if( isset($_GET['logout']) && $_GET['logout'] == 'success') {
    // display link to log in
} else {
    // display link to log out
}

In general these samples of code look a bit messy, I would not say you set the login functionality correctly.

Keep session_start() on the top of header or call it when you really need it, you need to start it only once in general.

Beside that, do not use form for log-out - use <a href="<logout path>"...>LOGOUT</a> it will be way better.