need help with session

[chokies12]

hi guys i need help with my session. im currently applying session in my page security im a newbie.my problem is when i logout and try to access my index page to test if my script work and will redirect me to the login page.but what happen is i can see my index page and my session still has its value.

 

my code for index.php

<?php

include('include/function.php');
session_start();

if($_SESSION['userName'] == '') {

header('location: login.php');

}

echo $_SESSION['userName'];

?>
<html>
<head>
<title>Home</title>
</head>
<body bgcolor="cyan">
<center></br></br>
Home View <a href="login.php">Logout</a>

</form>
</center>
</body>
</html>

 

logout.php

 

<?php
session_start();



unset($_SESSION['userName']);
$_SESSION = array();

session_destroy():

header('location: index.php');


?>

 

any input will be much appreciated

[JonnoTheDev]

All you need on logout is

<?php
session_start();
unset($_SESSION['userName']);
header('location: index.php');
exit();
?>

 

And your index

<?php
session_start();
if(!strlen($_SESSION['userName']))) {
header('location: login.php');
exit();
}
?>

[chokies12]

why remove session_destroy?

[JonnoTheDev]

why remove session_destroy

Why use it? It doesn't remove any of the associated session data or clear a user cookie if used. Never needed this function!

 

php.net: But if you are intent upon using session_destroy(), know that it only empties out the variables when the page is reloaded or redirected to some other page. As long as it's the same page, the variables are still usable after invoking session_destroy().

 

If your session still has a value after unset() you are resetting it somewhere.

[chokies12]

@neil.johnson

 

i can still access my index.php and doesnt redirect me to login.php after i have already logout. still it echo's a value for my $_SESSION['userName']

[chokies12]

help please

[Stryves]

I'd do it like this

 

<?php

include('include/function.php');

session_start();
if(isset($_SESSION['userName']))
{
   echo $_SESSION['userName'];
}
else
{
   echo "<META HTTP-EQUIV = 'Refresh' Content = '0; URL =login.php'>";
}
?>
<html>
<head>
<title>Home</title>
</head>
<body bgcolor="cyan">
<center></br></br>
Home View <a href="login.php">Logout</a>

</form>
</center>
</body>
</html>

 

And for the logout:

 

<?php
session_start();
unset($_SESSION['userName']);
echo "<META HTTP-EQUIV = 'Refresh' Content = '0; URL =login.php'>";

?>

 

I changed the redirect to login, because the index should redirect them to login now anyways.

[mattal999]

I'm not sure if this is a good idea:

 

echo "<META HTTP-EQUIV = 'Refresh' Content = '0; URL =login.php'>";

 

You can view the source of the page before it redirects using file_get_contents, so someone that wasn't logged in could technically still use the members area.

 

Use this:

 

header("Location:login.php");

[JonnoTheDev]

echo "<META HTTP-EQUIV = 'Refresh' Content = '0; URL =login.php'>";

bad code. why would you echo prior to any html output? use headers to redirect to indicate a valid HTTP status. never echo prior to headers being sent.

 

chokies12 if your session data remains after unset then you must be resetting its value somewhere. try this sample script on a test page

 

<?php
session_start();
$_SESSION['name'] = "Joe";
print "session set - value: ".$_SESSION['name']."<br />";
unset($_SESSION['name']);
print "session unset - value: ".$_SESSION['name']; 
?>

The second printed line should contain no value for $_SESSION['name']

[chokies12]

what i did was just put a session_destroy(); in top of my login page. i think my logout page has problems doesnt unset the value even if i put unser() ..

i did is when you press logout redirect the script to login page and will trigger the destroy part so it will not unset any value from my session variable.