
My problem may seem pretty elementary, but I don't know what's wrong with my code. I have a very simple login system that looks like this:

login.php:

<?php  
session_start();

if ($_SESSION['loggedin'] = 1) {
   header("Location: admin.php");
}

if (isset($_GET['login'])) {
     // Only load the code below if the GET
     // variable 'login' is set. You will
     // set this when you submit the form

     if ($_POST['username'] == 'thenemis'
         && $_POST['password'] == 'slustice') {
         // Load code below if both username
         // and password submitted are correct

         $_SESSION['loggedin'] = 1;
          // Set session variable

         header("Location: admin.php");
         exit;
         // Redirect to a protected page

     } else echo "Wrong details";
     // Otherwise, echo the error message
}
?>

<form action="?login=1" method="post" accept-charset="utf-8">  
                <fieldset>
                  <label for="username">Username:</label>
                  <input type="text" name="username" placeholder="username" required>
                  <label for="password">Password:</label>
                  <input type="password" name="password" placeholder="password" required>
                  <input type="submit" value="Login">
                </fieldset>
</form> 

This works fine.

admin.php:

<?php

    session_start();
    // Call this function so your page
    // can access session variables

    if ($_SESSION['loggedin'] != 1) {
        // If the 'loggedin' session variable
        // is not equal to 1, then you must
        // not let the user see the page.
        // So, we'll redirect them to the
        // login page (login.php).

        header("Location: login.php");
        exit;
    }

?>

<p><a href="logout.php">Log out</a></p>

Now my problem is that the system keeps me logged in even though I clicked the logout URL, which looks like this:

logout.php:

<?php
    session_start();
    session_destroy();
    header("Location: login.php");
?>

There is obviously some elementary mistake in my logout procedure, but I can't seem to find it... Thanks for any help in advance!

6 Answers


You are making an assignment here:

if ($_SESSION['loggedin'] = 1) {
    header("Location: admin.php");
}

and you should make a comparison:

if ($_SESSION['loggedin'] == 1) {
    header("Location: admin.php");
}
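The assignment in login.php is what makes logout appear to fail: every request to login.php (including the redirect from logout.php) sets `$_SESSION['loggedin']` to 1 again and immediately bounces back to admin.php. A hardened version of the asker's three pages, as an added example that is not part of the question or of any answer above: the check is a strict comparison, the password is verified with `password_verify()` rather than `==`, the session ID is regenerated when the user logs in (so a pre-planted session ID cannot be reused), and logout clears the data, the server-side record and the cookie. It assumes PHP 7.3 or newer (array form of `session_set_cookie_params()` and `setcookie()`); the function names `start_session`, `attempt_login`, `is_logged_in`, `require_login` and `logout`, and the file name `auth.php`, are this example's own. The credentials are the ones from the question.

```php
<?php
// auth.php - shared by login.php, admin.php and logout.php via require_once.
// Added example, not code from the question or the answers. Assumes PHP >= 7.3
// (array form of session_set_cookie_params()/setcookie() for SameSite).
declare(strict_types=1);

const ADMIN_USER = 'thenemis';
// Hypothetical: real code stores a precomputed password_hash() output in config.
// Hashing the plaintext at startup only keeps this example self-contained and
// tied to the credentials used in the question.
define('ADMIN_HASH', password_hash('slustice', PASSWORD_DEFAULT));

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // TLS-only cookie when served over TLS
        'httponly' => true,                       // keep the ID out of document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns true and upgrades the session on success; false otherwise.
function attempt_login(string $username, string $password): bool
{
    start_session();
    // Evaluate both checks unconditionally so a wrong username costs about the
    // same time as a wrong password (no username enumeration via timing).
    $userOk = hash_equals(ADMIN_USER, $username);
    $passOk = password_verify($password, ADMIN_HASH);
    if (!($userOk && $passOk)) {
        return false;
    }
    // Fresh ID on privilege change: a session ID an attacker planted before
    // login (session fixation) must not become the logged-in one.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['user'] = ADMIN_USER;
    return true;
}

function is_logged_in(): bool
{
    start_session();
    // Strict comparison. `=` (assignment) is always truthy, which is the bug in
    // the question; a loose `== 1` would also accept "1", 1.0 and true.
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

function require_login(string $loginUrl = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl, true, 303);
        exit; // without exit the protected page body is still sent after the header
    }
}

// Clears the session data, the server-side record and the client's cookie.
function logout(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// How the three pages use it:
//
// login.php:
//   require_once 'auth.php';
//   if (is_logged_in()) { header('Location: admin.php', true, 303); exit; }
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       $u = (string) ($_POST['username'] ?? '');
//       $p = (string) ($_POST['password'] ?? '');
//       if (attempt_login($u, $p)) { header('Location: admin.php', true, 303); exit; }
//       echo 'Wrong details';
//   }
//   // ... then the form, with method="post" and action="login.php"
//
// admin.php:   require_once 'auth.php'; require_login();   // before any output
// logout.php:  require_once 'auth.php'; logout(); header('Location: login.php', true, 303); exit;
```

With this in place, logout.php destroys the session and expires the cookie, the redirect lands on login.php, `is_logged_in()` finds an empty session and the form is shown instead of a bounce back to admin.php. The `exit` after every `header('Location: ...')` matters as well: PHP keeps executing after the header is queued, so without it the protected page's body would still be sent to a logged-out client.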


Try this

<?php
    session_start();   // a session must be active before it can be destroyed
    session_destroy();
    header('Location: index.php');
    exit();
?>


Change your admin.php file:

<?php
    session_start();

    if (!isset($_SESSION['loggedin'])) {
        header("Location: login.php");
        exit;
    }

?>

<p><a href="logout.php">Log out</a></p>


In login.php you didn't start session_start() after the user details were verified...

Try adding session_start(); before $_SESSION['loggedin'] = 1;

This may work for you...

In logout.php:

Before destroying, unset the session variable using this line:

unset($_SESSION['loggedin']);


From the php.net Manual:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Use this code (copied from php.net) to logout securely:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>


Just try the following changes:

In login.php:

if ($_SESSION['loggedin'] == 1) {
   header("Location: admin.php");
}

In logout.php:

<?php
    session_start();
    ob_start();
    session_destroy();
    $_SESSION['loggedin']=""; //Just empty that session variable
    header("Location: login.php");
    exit; // stop here so nothing after the redirect header is executed
?>

I think this may help you to resolve your problem.
