
Sorry for a repetitive question; I've seen a few of these on this forum, but none of the responses worked for me...

I am building a basic login using PHP sessions, which I'm new at...

login.php validates the HTML login form and begins a session, setting the variables $_SESSION['login'] and $_SESSION['id'],

then each page that requires a valid login uses require 'session.php'; which checks the $_SESSION['valid'] variable and redirects a user without a proper login variable. The problem is that when I log out, neither session variable I've set will unset.

Right now my logout.php file uses about every method to destroy the variables that I've been able to find online and none will actually do it.

So whenever I log out, I can still access the 'private' pages.

Also note: I have tried it without a session name, e.g. session_start(); that didn't work, so now I'm using session_start("user");

Also note: I am NOT using cookies.

Here are the files I mentioned:


login.php

<?php
$email = $_POST['email-log'];
$pass  = $_POST['password-log'];

// Look up the user by scanning users/0.json, users/1.json, ... until the
// e-mail matches. As posted this looped forever for an unknown e-mail, so
// the scan now stops as soon as the next file does not exist.
$i = -1;
do {
    $i++;
    $path = "users/" . $i . ".json";
    if (!file_exists($path)) {
        header('Location: front.php?error=y');
        exit;
    }
    $x = json_decode(file_get_contents($path), true);
} while ($x['email'] != $email);
$id = $i;
$truepass = $x['pass'];

// Plain unsalted sha256 comparison, as in the original post.
$errors = 0;
$hash = hash('sha256', $pass);
if ($hash != $truepass) { $errors = $errors + 1; }

if ($errors == 0) {
    session_start("user");
    $_SESSION['login'] = "valid";
    $_SESSION['id'] = $id;
    header('Location: loginlanding.php');
} else {
    header('Location: front.php?error=y');
}
exit; // stop the script after sending the redirect header

session.php

<?php
session_start("user");
if (!isset($_SESSION['login']) || $_SESSION['login'] !== "valid") {
    header('Location: front.php?needto=login');
    exit; // without this the private page is still rendered after the redirect header
}

logout.php

<?php
unset($_SESSION);
unset($_SESSION['login']);
unset($_SESSION['id']);
session_unset("user");
$_SESSION = array();
session_destroy("user");
header('Location: front.php?logged=out');

Any and all responses are welcome, and I thank you in advance. Also note, I am new to logins in general, so any advice to beef up security is welcome as well. I'm planning on making it more secure, but first I need to get this basic functionality up and running.

Mike Mackintosh
B Rad C

    It seems obvious but just to be clear, when someone logs out, you force them to go to the logout.php page? – Aust Sep 06 '12 at 01:39
  • Is there a sane reason for anyone to be writing this kind of code themselves in 2012? – hobbs Sep 06 '12 at 01:39

3 Answers


You should never unset($_SESSION).

The easiest way to clear the $_SESSION variable is $_SESSION = Array();

However, you can also iterate with unset:

foreach(array_keys($_SESSION) as $k) unset($_SESSION[$k]);
crashwap
Niet the Dark Absol

  • Ah ha! The problem was that on logout.php I never called session_start(); I didn't require session.php in that one, so it never got called. Now my logout.php is as follows: – B Rad C Sep 06 '12 at 03:07
  • Why are you adding `session_destroy("user");`? It doesn't do anything. Just do `session_destroy();` – jeremy Sep 06 '12 at 11:36

It's amazing how many things you're attempting to do after you've unset the only reference you had to the session in the first place. Directly from the manual:

Caution

Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

http://php.net/manual/en/function.session-unset.php

You're unsetting $_SESSION, so your unsets of the other arrays of the superglobal $_SESSION aren't registering, leaving them still in the browser's temporary cookies. Use session_unset() instead if you're trying to remove all session variables. Otherwise, don't unset the session global, but unset each individual value of it you want to remove.

jeremy

My working example (notice that you must put start on the call)

<?php
    session_start();
    session_unset();
    session_destroy();
    header('location: ./');
?>
MCunha98
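As an added example (not code from the question or from any of the answers), here are the login, page-guard and logout steps this thread discusses, written with the corrections the answers point at: session_start() before touching $_SESSION, clearing it with $_SESSION = array() rather than unset($_SESSION), session_destroy() with no argument, plus the session-cookie removal from the PHP manual's session_destroy example and an exit after each redirect. It assumes PHP 5.4 or later for session_status(); the function names are my own.

```php
<?php
// Added example, not from the question or the answers. session_start() takes
// no argument in PHP 5; the session name is set separately with session_name().
function start_user_session() {
    if (session_status() === PHP_SESSION_NONE) { // PHP >= 5.4
        session_name('user');
        session_start();
    }
}

// Call after the password check succeeds. Regenerating the id discards any
// session id the browser held before authentication (session fixation defence).
function login_user($id) {
    start_user_session();
    session_regenerate_id(true);
    $_SESSION['login'] = 'valid';
    $_SESSION['id'] = $id;
}

// Guard for private pages. The exit after the redirect matters: without it
// PHP keeps rendering the protected page body after the Location header.
function require_login($redirect = 'front.php?needto=login') {
    start_user_session();
    if (!isset($_SESSION['login']) || $_SESSION['login'] !== 'valid') {
        header('Location: ' . $redirect);
        exit;
    }
}

// Logout as in the PHP manual: start the session so $_SESSION is bound to it,
// clear the array (never unset($_SESSION) itself), expire the session cookie
// in the browser, then destroy the server-side session data.
function logout_user($redirect = 'front.php?logged=out') {
    start_user_session();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $redirect);
    exit;
}
```

A page that needs a logged-in user calls require_login() at the top, login.php calls login_user($id) once the hash matches, and logout.php calls logout_user().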