
I'm trying to create a PHP logout script, however, as soon as I implement it, the page just gets redirected to the page after login. Here is the code:

Connect.php

<?php
    session_start();
    $link = mysql_connect("localhost", "database_name", "database_pass") or die(mysql_error());
    mysql_select_db("database_name") or die(mysql_error());

    if(isset($_COOKIE['username']))
        $_SESSION['username'] = $_COOKIE['username'];
?>

Logout.php

<?php
    include("connect.php");
    session_start();
    session_destroy();
    $username = $_SESSION['username'];
    setcookie($username, time()-3600);
    header("Location: index.php");
    die;
?>

Immediately after this, instead of going to index.php (the login page), it goes straight to the page that would appear if the user had logged in (control_panel.php).

Any ideas? Thanks!

11
  • sets his cookie username to root Commented Jul 23, 2012 at 6:01
  • You're better off finding a tutorial online of how to create an auth script. As noted above by @Petah, your method is insecure. Commented Jul 23, 2012 at 6:03
  • Is "the page that would appear after if the user had logged in" also index.php? If yes, you have to disable browser caching. Commented Jul 23, 2012 at 6:03
  • @Petah, what do you mean by "sets his cookie username to root"? Commented Jul 23, 2012 at 6:04
  • @user1340238, the cookies are stored and sent by the client. If you read the username from the cookie, then the client can send you any username he wants. Commented Jul 23, 2012 at 6:09

2 Answers

2

Have a look at this page: http://blog.ircmaxell.com/2011/08/security-review-creating-secure-php.html

It goes through "Creating a Secure PHP Login Script" completely. Your current solution has many security issues.


1

Your code is wrong, I guess; the problem lies here.

In your logout.php you are expiring a cookie after you are unsetting your session; your cookie is not getting expired.

And in connect.php you are using this condition to set a session again, and it gets set because the cookie is still in the user's browser:

if(isset($_COOKIE['username']))
    $_SESSION['username'] = $_COOKIE['username'];

So instead of doing this:

setcookie($username, time()-3600);

Do this:

setcookie($username, "", time()-3600);

2 Comments

He's actually removing the cookie, since he's setting a time in the past, time() - 3600.
@AzizAG maybe his cookie is lying in the browser, or maybe he is setting a cookie on index.php
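As an added example (not code from the question or from either answer), here is a logout.php that addresses the points raised on this page. It clears the server-side session, expires the PHP session cookie and the application's cookie by their names, and sends no-cache headers so the browser does not replay the post-login page. Note that both the question and the second answer pass the cookie's value, `$username`, as the first argument of setcookie(), but that argument is the cookie name, so the cookie actually called `username` is never expired. The file name index.php and the cookie name `username` come from the question; the cookie path `/` is an assumption.

```php
<?php
// logout.php (added example; not the original poster's or the answerer's code)
declare(strict_types=1);

session_start();

// 1. Wipe the server-side session data (nothing is read from it first:
//    after session_destroy() the array would be gone anyway).
$_SESSION = [];

// 2. Expire the session ID cookie in the browser. session_name() is
//    "PHPSESSID" unless configured otherwise; reuse the parameters PHP
//    set the cookie with so the browser matches the same cookie.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 3600,
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Expire the application's own "username" cookie. The first argument
//    is the cookie NAME, not its value; the path "/" is an assumption and
//    must match the path the cookie was originally set with.
setcookie('username', '', time() - 3600, '/');

// 4. Destroy the session on the server.
session_destroy();

// 5. Tell browsers and proxies not to serve a cached copy of the
//    post-login page (the caching issue raised in the comments).
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

// 6. Send the user back to the login page and stop executing.
header('Location: index.php');
exit;
```

For the logout to stick, connect.php must not copy `$_COOKIE['username']` back into `$_SESSION` on the next request. As the comments above note, that cookie is sent by the client and can hold any value, so the logged-in username should live only in the session, set by a successful login rather than read from a cookie.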
