0

I have created a user authentication system with the necessary DB tables and PHP.

The first time, before I log in (before any SESSION is created), the redirect on every page works perfectly (i.e. it redirects to the login page if not logged in).

But once I log in with a user and then log out, the same doesn't work. I think it might be a problem with not ending the SESSION (sorry if I am wrong).

Here are some pieces of the code in each page:

Login PHP

    <?php
    session_start();
    $message="";
    if(count($_POST)>0) 
    {
        include('config.php');
        echo $_POST['username'];
        $result = mysql_query("SELECT * FROM members WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
        $row  = mysql_fetch_array($result);
        if(is_array($row)) 
        {
            $_SESSION["id"] = $row[ID];
            $_SESSION["username"] = $row[username];
            $_SESSION["password"] = $row[password];
            $_SESSION["mname"] = $row[mname];
            $_SESSION["fname"] = $row[fname];
            date_default_timezone_set("Asia/Calcutta");
            $lastlog=date("d/m/Y");
            $logtime=date("h:i a");
            $query = "UPDATE `members` SET `lastlogin`='$lastlog',`logintime`='$logtime' WHERE `ID`='$row[ID]'"; 
            mysql_query($query);
            $_SESSION['logged'] = TRUE; 
        } 
        else 
        {
            echo "<SCRIPT>
            alert('Wrong Username/Password or Awaiting Approval');
            </SCRIPT>";
            header("Location:login_failed.html");
        }
    }
    if(isset($_SESSION["id"])) {
        header("Location:member/myprofile.php");
    }
    ?>

PHP code on every page

    <?php
    session_start();
    include('config.php');
    if(!$_SESSION['logged'])
    {
        header("Location: ../login.html");
        exit;
    } ?>

And Finally Logout

    <?php
    session_start();
    unset($_SESSION["id"]);
    unset($_SESSION["username"]);
    unset($_SESSION["password"]);
    unset($_SESSION["mname"]);
    unset($_SESSION["fname"]);
    header("Location:../login.html");
    ?>

Is there any problem with my code? Am I missing something? I couldn't get it right. Please help.

Thanks guys, got it solved.

Now can you tell me how I can redirect login.php to the user home page (myprofile.php) in case the user is logged in (session exists), like Facebook, Gmail, etc.?

1
  • session_destroy(); Commented Jun 25, 2014 at 5:02

4 Answers

2

Instead of calling unset() on each session var, you can simply use session_destroy(), which will destroy all of the current session data.

    session_start();
    session_destroy();
    header("Location:../login.html");

For complete destructive power, you might also want to kill the session cookie:

    setcookie(session_name(), '', 1);

See this question for a more complete example of session logout.


6 Comments

Thank you, problem solved. :-) How can I redirect login.php to the user home page (myprofile.php) in case the user is logged in (session exists), like Facebook, Gmail, etc.?
@user3765203 At the top of login.php, below session_start(), put if(isset($_SESSION['logged'])) header('Location: myprofile.php') or something to that effect... Better yet, in the code on every page, add else header('Location: myprofile');
OK, fine, I will do that. Currently for login I am using login.html, which then passes values via POST to login.php. So I should change it to a single page login.php for the redirect, shouldn't I?
@user3765203 Ya probably
Sorry if this sounds stupid, but a guy told me I'm prone to SQL injection if I do the entire PHP coding in the login page. He suggested using this method. Is that correct?
1

You need to unset $_SESSION['logged']

Also, you should reference keys in the $row variable with strings, e.g. $row['username'];.

Turning on E_NOTICE level warnings with error_reporting will help you with this.

Comments

0

If you haven't already, reset the session login

    unset($_SESSION['logged']);

Or just change it to false

    $_SESSION['logged'] = false;

Comments

0

When you hit a page directly in the address bar for the first time, it's a new request which goes to the server, and the server checks for an existing session as written in your code. But it's not the same when you press the back button after logout. In this case no request goes to the server; instead the request is fetched from the browser cache. If you want to prevent this situation, you have to explicitly tell the browser not to store your page in cache memory. For more detail please go through this link

Comments
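The logout fix and the browser-cache behaviour described in the answers above, combined into two helpers as an added example (not code from the question or from any answer). The function names `require_login()` and `logout()` are hypothetical; the `logged` key and the `../login.html` path come from the question, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original post. Assumes the question's
// $_SESSION['logged'] flag and its ../login.html redirect target.

// Guard for every protected page: call it before any output is sent.
function require_login(string $loginUrl = '../login.html'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to keep a copy, so the back button after
    // logout causes a fresh request instead of showing a cached page.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    // empty() also covers a missing key, so no E_NOTICE is raised.
    if (empty($_SESSION['logged'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Logout: clear the data, expire the cookie, destroy the stored session.
function logout(string $loginUrl = '../login.html'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];  // drops 'logged' together with every other key

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Same name, path and domain as the live cookie, expiry in the past.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    header('Location: ' . $loginUrl);
    exit;
}
```

The logout script then only needs to include this file and call `logout()`, and each member page calls `require_login()` as its first statement.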
