14

I'm currently working on a site that has a log-in (username and password) - The password protection is done by the operating system within the web server at folder level called a Realm within the OS. For now this will have to do, until we figure out a proper PHP log in system.

The code below is based on a previous question on Stack Overflow.

I'm using 3 files (See code snippets at the bottom).

The process is:

- Click Log In button on index.php
- Enter username and password to access authenticate index file.
- Click log out button, which references the logout.php file - it SHOULD clear the cache and return the user to the top level index.

It doesn't 'destroy the session' in the sense that you're not asked to re-enter the password when prompted to, which is essentially what I want to happen.

My minimal knowledge of php leaves me a little bit stumped here.

index.php (top level file with log in button)

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Test</title>
</head>
<body>
<a href="authenticate/index.php">Log In Btn</a>
</body>
</html>

authenticate/index.php (This folder is password protected - contains the index file with the log out button which links to the logout.php file)

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Log out</title>
</head>
<body>
<a href="logout.php">Log Out Btn</a>
</body>
</html>

authenticate/logout.php

<?php   
session_start(); //to ensure you are using same session
session_destroy(); //destroy the session
header("location:/index.php"); //to redirect back to "index.php" after logging out
exit();
?>
Community
fitzilla
  • 3
    If the folder is password protected, then PHP is not doing the authentication. Apache (or the web server) is. – Ayush Jan 25 '12 at 11:12

4 Answers

31

The folder being password protected has nothing to do with PHP!

The method being used is called "Basic Authentication". There are no cross-browser ways to "logout" from it, except to ask the user to close and then open their browser...

Here's how you could do it in PHP instead (fully remove your Apache basic auth in .htaccess or wherever it is first):

login.php:

<?php
session_start();
//change 'valid_username' and 'valid_password' to your desired "correct" username and password
if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] === 'valid_username' && $_POST['pass'] === 'valid_password')
{
    session_regenerate_id(true); // issue a fresh session ID on login so a pre-login ID cannot be reused
    $_SESSION['logged_in'] = true;
    header('Location: /index.php');
    exit; // stop the script once the redirect has been sent
}
else
{
    ?>

    <form method="POST">
    Username: <input name="user" type="text"><br>
    Password: <input name="pass" type="password"><br><br>
    <input type="submit" value="submit">
    </form>

    <?php
}

index.php

<?php
session_start();
if (! empty($_SESSION['logged_in']))
{
    ?>

    <p>here is my super-secret content</p>
    <a href='logout.php'>Click here to log out</a>

    <?php
}
else
{
    echo 'You are not logged in. <a href="login.php">Click here</a> to log in.';
}

logout.php:

<?php
session_start();
session_destroy();
echo 'You have been logged out. <a href="/">Go back</a>';

Obviously this is a very basic implementation. You'd expect the usernames and passwords to be in a database, not as a hardcoded comparison. I'm just trying to give you an idea of how to do the session thing.

Hope this helps you understand what's going on.

  • Awesome! Much better than the HTTP authentication method, of which the logging-out code is much more complicated. If you would add the PHP closing tags in all three codeblocks, I will up your answer. Oops, I already did! :-) – Frank Conijn - Support Ukraine Jul 20 '14 at 22:29
  • 1
    @FrankConijn Please see http://php.net/manual/en/language.basic-syntax.phptags.php: "If a file is pure PHP code, it is preferable to omit the PHP closing tag at the end of the file. This prevents accidental whitespace or new lines being added after the PHP closing tag, which may cause unwanted effects because PHP will start output buffering when there is no intention from the programmer to send any output at that point in the script." –  Jan 21 '15 at 07:21
  • I think that the logout should be implemented using post method, not get. – chespinoza Mar 11 '16 at 01:03
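
Added example (not part of any answer on this page): a logout.php that follows the POST suggestion in the comment above and ends the PHP session completely, clearing `$_SESSION`, expiring the session cookie and deleting the server-side data. It assumes PHP 7.3+, a login page that stored a random token in `$_SESSION['csrf_token']`, and a logout form that posts it back in a hidden `csrf_token` field; those names are hypothetical. It ends a PHP session only and has no effect on a Basic Authentication realm.

```php
<?php
// logout.php: added example, not code from the answers on this page.
// Assumptions (hypothetical names): login stored bin2hex(random_bytes(32)) in
// $_SESSION['csrf_token']; the logout form posts it back as "csrf_token":
//   <form method="POST" action="logout.php">
//     <input type="hidden" name="csrf_token" value="...token...">
//     <input type="submit" value="Log out">
//   </form>
session_start();

// Logging out changes state, so accept POST only (a GET link can be
// triggered by any page the user visits).
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use the log out button.');
}

// Constant-time comparison of the posted token with the one in the session.
$expected = $_SESSION['csrf_token'] ?? '';
$supplied = $_POST['csrf_token'] ?? '';
if (!is_string($expected) || !is_string($supplied)
    || $expected === '' || !hash_equals($expected, $supplied)) {
    http_response_code(403);
    exit('Invalid log out request.');
}

// 1. Empty the session data for the rest of this request.
$_SESSION = [];

// 2. Expire the session cookie in the browser, reusing the attributes it
//    was set with so the browser matches and removes the same cookie.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
}

// 3. Delete the session data on the server.
session_destroy();

// 4. Redirect with 303 so the browser follows up with a GET.
header('Location: /index.php', true, 303);
exit;
```
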
7

First, give the link to the logout.php page in that logout button. In that page, put the code given below:

Here is the code:

<?php
 session_start();
 session_destroy();
?>

When the session has started, the session for the last/current user has been started, so you don't need to declare the username. It will be deleted automatically by the session_destroy method.

Janen R
5
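<?php
session_start(); // session_destroy() needs an active session
if (isset($_GET['logout'])) {
    session_destroy();            // delete the session data on the server
    unset($_SESSION['username']); // drop the value for the rest of this request
    header('location:login.php');
    exit;                         // stop the script after the redirect
}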

The if block checks the global array $_GET to see whether the logout var is set in the URL.

Then the session destroy function is called, and then the global session array value username is removed/deleted. The header function will redirect you back to the login page.

tchap
Iulia
  • Thank you for this code snippet, which might provide some limited short-term help. A proper explanation [would greatly improve](//meta.stackexchange.com/q/114762) its long-term value by showing *why* this is a good solution to the problem, and would make it more useful to future readers with other, similar questions. Please [edit] your answer to add some explanation, including the assumptions you've made. – Toby Speight Feb 19 '18 at 13:24
0
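<?php
session_start(); // session_destroy() needs an active session
if (isset($_POST['logoutButtonName'])) {
    session_destroy();                              // delete the session data on the server
    unset($_SESSION['nameOfSessionToBeDestroyed']); // drop the value for the rest of this request
    header('location:login.php');
    exit;                                           // stop the script after the redirect
}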

Header should then redirect you to your desired page

Ricardo Martins
OBrien Evance