Hey,
I started learning PHP again and I have a little problem with the session handling. I have written this little script:
<?php session_start();
include "header.php";
if ( isset($_GET['page'])){
    include $_GET['page'].".php";
}
if ($_POST['user'] == "Kirodema" && $_POST['pass'] == "password") {
    $_SESSION['loggedin'] = 1;
    $_SESSION['name'] = "Kirodema";
}
if ($_SESSION['loggedin'] == 1) {
    echo "Welcome " . $_SESSION['name'];
    echo "<br />";
    echo "<a href=\"./index.php?page=logout\"> logout</a>";
} else {
?>
<form action="index.php" method="post">
    Name: <input type="text" name="user" /> <br />
    Password: <input type="password" name="pass" />
    <input type="submit" />
</form>
<?php
}
include "footer.php";
?>
It starts by checking if there is a page to load or not (for later use). Currently it is only used for the logout link, and logout.php contains only a session_destroy(). After that, it checks if the user information is correct and sets some session variables. At the end it checks if the login was successful and displays a logout link. If it wasn't successful, it shows a login form. My problem is that I have to press the logout link twice before it logs me out and displays the form again. Where is my error?
Last edited by Kirodema (2011-07-18 19:01:52)
Offline
It does destroy the session, but it doesn't call the login form after that. So you need to either reload index.php from the logout page, or make the form an include which you call from there.
ᶘ ᵒᴥᵒᶅ
Offline
I don't quite understand it. If I am correct, session_destroy() destroys the session and clears all session variables. At least that is written at the bottom of http://www.w3schools.com/php/php_sessions.asp. And if $_SESSION['loggedin'] is not set, it should automatically show the login form? I mean, session_destroy() is the first thing done before any variable checking occurs (except for the page) so the session variables should be cleared before they are checked?
Offline
Apparently, the session is only reset on page load, so it doesn't work to clear it halfway through a page and then compare it again.
edit: p.s., you can probably work around this by setting $_SESSION['loggedin'] = 0 just before the session_destroy.
Last edited by litemotiv (2011-07-18 13:52:22)
ᶘ ᵒᴥᵒᶅ
Offline
So that means that I need an extra page for logout, which states that I am logged out and then proceed to the previous page? Thanks.
Offline
> So that means that I need an extra page for logout, which states that I am logged out and then proceed to the previous page? Thanks.
Well the session itself is destroyed, but the already set variables like $_SESSION['loggedin'] are still active, so you would need to reset those manually or reload the page.
ᶘ ᵒᴥᵒᶅ
Offline
$_SESSION = array();
session_destroy();
Last edited by moljac024 (2011-07-18 17:04:15)
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Offline
I'd just like to add that this bit from your code:
if ( isset($_GET['page'])){
    include $_GET['page'].".php";
}
Is not a good idea. The user shouldn't have such direct control of what PHP files are loaded. With some (non-default) PHP options set that would successfully load remote URLs leading to very bad things. Even if that's not possible they can still make the script call itself in a big loop (PHP does have an inbuilt recursion limit), an easy way to max out the server's CPU.
Instead you should check that $_GET['page'] is a valid value; perhaps as follows:
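// Only pages named in this list can ever be included.
$allowed_pages = array("home", "login", "logout");
// isset() avoids an undefined-index notice when no page is requested;
// the third argument makes in_array() compare strictly (type and value).
if (isset($_GET['page']) && in_array($_GET['page'], $allowed_pages, true)) {
    include $_GET['page'].".php";
} else {
    include "home.php";
}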
Back on topic though; the function's documentation does say:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie
moljac024's solution will work.
Offline
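An added example, not code from the thread or its posters, that combines the two points of the answer above: an allow-listed page lookup and a logout that also clears the in-memory $_SESSION array. The function names resolve_page() and logout() are hypothetical, and the cookie-expiry step follows the pattern shown in the PHP manual entry for session_destroy().

```php
<?php
// Added example, not from the thread; resolve_page() and logout() are hypothetical names.

// Map the "page" parameter to a file on a fixed allow-list. A missing,
// array-valued or unlisted value (a URL, the script itself) gets the default.
function resolve_page(array $query, array $allowed, string $default = "home"): string
{
    $page = $query['page'] ?? $default;
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        $page = $default;
    }
    return $page . ".php";
}

// Full logout: empty the in-memory array, expire the session cookie,
// then delete the stored data. session_destroy() only does the last step.
function logout(): void
{
    $_SESSION = array();
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000,
            $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}

if (PHP_SAPI === "cli") {
    // Session calls come first: they must run before any output is sent.
    session_start();
    $_SESSION['loggedin'] = 1;
    session_destroy();
    $stale = isset($_SESSION['loggedin']);

    session_start();
    $_SESSION['loggedin'] = 1;
    logout();
    $cleared = !isset($_SESSION['loggedin']);
    echo "set after session_destroy() alone: ", var_export($stale, true), "\n";
    echo "unset after logout(): ", var_export($cleared, true), "\n";

    // Constructed sample query strings, as $_GET would hold them.
    $allowed = array("home", "login", "logout");
    $samples = array(array("page" => "logout"), array(), array("page" => "index"),
        array("page" => "http://example.invalid/x"), array("page" => array("home")));
    foreach ($samples as $q) {
        echo json_encode($q, JSON_UNESCAPED_SLASHES), " -> ", resolve_page($q, $allowed), "\n";
    }
}
```

In index.php the lookup would be used as `include resolve_page($_GET, $allowed_pages);`, and logout.php would call logout() before any output and then reload the index page.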
Thank you for your information. It is really helpful.
Offline