
php login script - sessions problem



sinus_
April 5th, 2005, 10:22 AM
hello,

I made a login script. The problem is that when I click Logout (see the code below, logout.php) and then press the Back button in the browser, I can still see the restricted page...

Here is the code:

//_checklogin.php

<?php
session_start();
//_checklogin.php

include "_functions.inc.php";

$_SESSION['userok'] = checkuser($_SESSION['username'], $_SESSION['password']);

if (!$_SESSION['userok'])
{
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
    $_SESSION['userok'] = checkuser($_POST['username'], $_POST['password']);

    $_SESSION['user_status'] = $_SESSION['userok'][3];
    $_SESSION['fname'] = $_SESSION['userok'][1];
    $_SESSION['lname'] = $_SESSION['userok'][2];
    //$_SESSION['login'] = "ok";

    if (!$_SESSION['userok'])
    {
        //echo "please login";
        header('Location: loginForm.php');
        exit; // without this PHP keeps running and the restricted page is still sent
    }
}

/*
 * checkuser()
 * returns an array if username is found with correct password
 * $query_data[] => username, fname, lname, status
 * (mysql_fetch_row() returns false when no row matched)
 */
function checkuser($username, $password)
{
    global $database, $user_table;
    $link_id = db_connect($database);
    // escape the user-supplied values so a quote in them cannot alter the query
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $query = "SELECT username, fname, lname, status FROM $user_table WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($query);
    if (!$result) {
        sqlError();
    }
    else {
        $query_data = mysql_fetch_row($result);
        return $query_data;
    }
}

?>

_logout.php

<?php
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Finally, destroy the session.
session_destroy();
header('Location: index.php');
exit; // stop here so nothing after the redirect is sent
?>


Any help would be appreciated... :) Thanks guys.

mpelland
April 5th, 2005, 10:29 AM
Not sure, maybe try to unregister the username and password session variables:

session_unregister('username');
session_unregister('password');

sinus_
April 5th, 2005, 10:52 AM
Here is the updated code:
http://pastebin.com/267422

Thanks guys...

I will try to use session_unregister('sfad');

Cybernoid
April 5th, 2005, 04:19 PM
Here's what I use:


<?php
session_name("AnySession");
session_start();
$sid = session_id();
setcookie("AnySession", "$sid", time()-3600); // Only if you've used cookies: expire the session cookie
session_unregister("someVariable");
session_destroy();


And then redirect to the next page.

johnlouis
April 7th, 2005, 04:21 AM
Hi. I think my problem is with my algorithm. I think my logout code is correct, but the problem is that when I click the BACK BUTTON the vars $_POST['username'] and $_POST['password'] are used to confirm the login again...

Here is the entire code for it:



<?php
session_start();
//_checklogin.php

include "_functions.inc.php";

echo $_POST['username'];

//check if session vars are correct, if not then clear them
if (checkuser($_SESSION['username'], $_SESSION['password']) == 0) {
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    echo "session vars: username and password are unset because checkuser() returned false/0<br>\n";

    //session vars are not ok so check for post vars
    if (checkuser($_POST['username'], $_POST['password'])) {
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['password'] = $_POST['password'];
        echo "session vars are now set because posted vars are correct<br>\n";
    }
}

if (!$_SESSION['username']) {
    echo "<b>please login</b>";
    exit;
}


function checkuser($username, $password)
{
    global $database, $user_table;

    $link_id = db_connect($database);
    // escape the user-supplied values so a quote in them cannot alter the query
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $query = "SELECT username FROM $user_table WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($query);
    if (!$result) {
        sqlError();
        return 0;
    }
    $query_data = mysql_fetch_row($result);
    if (!$query_data) {
        return 0; // no row matched: wrong username/password
    }
    return $query_data[0];
}
?>


I will be doing something like this on restricted pages:


<?php
include "_checklogin.php";
echo "username = " . $_SESSION['username'];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>RESTRICTED PAGE</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>

<body>
RESTRICTED PAGE
</body>
</html>

sinus_
April 7th, 2005, 04:27 AM
Oh, I used my brother's account. That was supposed to be me posting...

sinus_
April 7th, 2005, 10:49 PM
OK, I feel stupid. The whole logic was wrong.
I have got it working now though.

1) Make a function that verifies if the user entered the correct username/password combination

2) If the user entered the correct user/pass combination, then register the session variables

3) Make a function that checks the session vars - checklogin();

4) Put checklogin(); on top of every private page.

What I did in my previous code was to combine the two things I did in this post, which was plainly stupid...
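A worked version of the four steps above, as an added example that is not code from this thread. It assumes PHP 7.1+ with PDO, a table `users(username, pwhash, fname, lname, status)` (assumed names) whose pwhash column holds password_hash() output, and the same loginForm.php / index.php targets used in the thread. It keeps the two pieces the thread ended up separating: credentials are only ever checked in the login handler, and every private page checks the session alone.

```php
<?php
// _auth.inc.php -- added example, not code from this thread.
// Assumes PHP 7.1+ with PDO and a table `users(username, pwhash, fname, lname, status)`
// (assumed names) whose pwhash column holds password_hash() output.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Step 1: verify a username/password pair. Returns the user row without the
// hash on success, null on failure. A prepared statement keeps the supplied
// values out of the SQL text, and the cleartext password is never stored.
function verify_credentials(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username, pwhash, fname, lname, status FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null;
    }
    unset($row['pwhash']);
    return $row;
}

// Step 2: run from the login form handler only. On success, register the
// session variables. Regenerating the session id first prevents session
// fixation: an id planted in the browser before login would otherwise become
// the authenticated session.
function login(PDO $db, string $username, string $password): bool
{
    $user = verify_credentials($db, $username, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['username']    = $user['username'];
    $_SESSION['fname']       = $user['fname'];
    $_SESSION['lname']       = $user['lname'];
    $_SESSION['user_status'] = $user['status'];
    $_SESSION['login_time']  = time();
    return true;
}

// Step 3: the check every private page runs. It consults only the session,
// never $_POST, so a login form re-submitted via the Back button cannot log
// the user back in. The exit after header() is essential: without it PHP
// keeps executing and the restricted page body is still sent to the browser.
function checklogin(): void
{
    if (empty($_SESSION['username'])) {
        header('Location: loginForm.php');
        exit;
    }
    // Forbid caching so that Back after logout does not show a stored copy.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Logout: drop the session data, expire the session cookie with the same
// parameters it was set with, destroy the server-side session, and stop.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Step 4: the first lines of every private page are then just:
//
//   require '_auth.inc.php';   // starts the session
//   checklogin();
//
// The login handler calls login($db, $_POST['username'], $_POST['password'])
// and redirects (followed by exit) on success; logout.php just calls logout().
```

Two things in this layout address the original symptom. The restricted page itself is guarded by checklogin(), which never looks at $_POST, so re-posting the old login form via Back does nothing; and the no-store headers stop the browser from showing a cached copy of the page after the session is gone. The exit after every header('Location: ...') is what the first version of _checklogin.php in this thread was missing: PHP does not stop at a redirect header, so without it the rest of the page is still rendered for anyone who ignores the redirect.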