doubledee Posted December 25, 2011

Below is a Log-Out Script that I wrote...

```php
<?php
// Initialize a session.
session_start();

// Access Constants
require_once('../config/config.inc.php');

// Log Out User.
$_SESSION['loggedIn'] = FALSE;

// Redirect User.
if (isset($_SESSION['returnToPage'])){
    header("Location: " . BASE_URL . $_SESSION['returnToPage']);
}else{
    // Take user to Home Page.
    header("Location: " . BASE_URL . "index.php");
}

// Destroy Session.
session_destroy();

// Erase Session Cookie Contents.
setcookie (session_id(), "", time() - 3600);

// End script.
exit();
?>
```

Questions:

1.) How does my code look?
2.) Does it provide a secure log out?
3.) I don't think the cookie part is working, because after I click "Log Out" on a web page, I looked at the Cookie in Firefox's Web Developer Toolbar, and there is still a value for the PHPSESSID?!

Thanks,
Debbie

https://forums.phpfreaks.com/topic/253826-help-with-log-out-script/
PaulRyan Posted December 26, 2011

1. Your code looks...codey.

2. I use something similar to what you have written and it seems pretty secure to me.

3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist. What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally. The following should do that:

```php
unset($_COOKIE['PHPSESSID']);
```

Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.

Regards, PaulRyan.
doubledee Posted December 26, 2011 (Author)

> 1. Your code looks...codey.

What's that mean?!

> 2. I use something similar to what you have written and it seems pretty secure to me.
>
> 3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist. What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally. The following should do that:
>
> unset($_COOKIE['PHPSESSID']);
>
> Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.
>
> Regards, PaulRyan.

I'm not sure if your code is working.

I added this to my header, but it is horribly formatted and I can't tell what is what?!

```php
echo '<p class="test">print_r(\$_SESSION) = ' . print_r($_SESSION) . '</p>';
echo '<p class="test">print_r(\$_COOKIE) = ' . print_r($_COOKIE) . '</p>';
```

When I first run my script, this is what I see... (formatted as it appears)

```
print_r(\$_SESSION) = 1print_r(\$_COOKIE) = 1Array ( )Array ( )
```

At this point there should be a Session but I'm not sure if there is a Cookie.

When I click "Log In" I see this scrambled up on different lines that I can't recreate here...

```
print_r(\$_SESSION) = 1 Array ( )Array ( [phpSESSID] => 0693cf38eaeeb53fbe91bdd0cf67437d ) print_r(\$_COOKIE) = 1
```

After I log in I see this again scrambled up and hard to show here...

```
print_r(\$_SESSION) = 1 Array ( [memberID] => 24 [memberFirstName] => Debbie [loggedIn] => 1 ) Array ( [phpSESSID] print_r(\$_COOKIE) = 1 => 0693cf38eaeeb53fbe91bdd0cf67437d )
```

When I click "Log Out" I see this scrambled up...

```
print_r(\$_SESSION) = 1 Array ( ) Array ( [phpSESSID] => print_r(\$_COOKIE) = 1 0693cf38eaeeb53fbe91bdd0cf67437d )
```

If I could just get my print_r() to format properly that might be half the battle?!

Debbie
doubledee Posted December 26, 2011 (Author)

When I go into the Web Developer Toolbar in Firefox and open the Cookie Window, it shows me this...

```
http://local.debbie/index.php
1 cookie
Name     PHPSESSID
Value    0693cf38eaeeb53fbe91bdd0cf67437d
Host     local.debbie
Path     /
Secure   No
Expires  At End Of Session
```

That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...

Debbie
bkribbs Posted December 26, 2011

> 1. Your code looks...codey.
>
> 2. I use something similar to what you have written and it seems pretty secure to me.
>
> 3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist. What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally. The following should do that:
>
> unset($_COOKIE['PHPSESSID']);
>
> Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.
>
> Regards, PaulRyan.

In my research, the way to undo a cookie was to run something like:

```php
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
    setcookie("cookname", "", time()-60*60*24*100);
    setcookie("cookpass", "", time()-60*60*24*100);
}
```

Where you take the original cookie, and simply negate the time.

Are either of these methods correct?
kicken Posted December 26, 2011

> That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...

So long as you remove the login flags/other details from your session (so your app considers them logged out), having the cookie stick around is not an issue.

My logout consists of:

```php
session_destroy();
session_regenerate_id(true);
```

which removes the session data, deletes the session file, and assigns a new ID.

If you want to unset the cookie, you need to use setcookie() to delete it. The name of the cookie is the session name (default PHPSESSID) which is returned by the session_name() function.
doubledee Posted December 26, 2011 (Author)

> > That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...
>
> So long as you remove the login flags/other details from your session (so your app considers them logged out), having the cookie stick around is not an issue.

Any idea how to better format print_r() in my home page so I can better see what is going on?

This is what I have...

```php
echo '<p class="test">print_r(\$_SESSION) = ' . print_r($_SESSION) . '</p>';
echo '<p class="test">print_r(\$_COOKIE) = ' . print_r($_COOKIE) . '</p>';
```

and...

```css
p.test{
    display: block;
}
```

> If you want to unset the cookie, you need to use setcookie() to delete it. The name of the cookie is the session name (default PHPSESSID) which is returned by the session_name() function.

Which of these is correct...

```php
// Erase Session Cookie Contents.
setcookie (session_id(), "", time() - 3600);

setcookie (PHPSESSID, "", time() - 3600);
```

Or will both work?

Thanks,
Debbie
kicken Posted December 26, 2011

> Any idea how to better format print_r() in my home page so I can better see what is going on?

Use the second parameter to print_r to have it return a string, rather than output directly. Use <pre> tags not <p> tags to surround it so the white-space is preserved.

> Which of these is correct...

Neither. Read the manual page I linked, and maybe the setcookie page.
doubledee Posted December 26, 2011 (Author)

> > Any idea how to better format print_r() in my home page so I can better see what is going on?
>
> Use the second parameter to print_r to have it return a string, rather than output directly. Use <pre> tags not <p> tags to surround it so the white-space is preserved.
>
> > Which of these is correct...
>
> Neither. Read the manual page I linked, and maybe the setcookie page.

I looked at the link you provided and thought I was doing things correctly?!

Here is the script that I've come up with...

```php
<?php
//Build Date: 2011-12-25

// Initialize a session.
session_start();

// Access Constants
require_once('../config/config.inc.php');

// Log Out User.
$_SESSION['loggedIn'] = FALSE;

// Redirect User.
if (isset($_SESSION['returnToPage'])){
    header("Location: " . BASE_URL . $_SESSION['returnToPage']);
}else{
    // Take user to Home Page.
    header("Location: " . BASE_URL . "index.php");
}

session_unset();
session_destroy();
$_SESSION = array();

// Erase Session Cookie Contents.
// setcookie(session_id(), "", time() - 3600);
setcookie("PHPSESSID", "", time() - 3600);

// End script.
exit();
?>
```

It works as far as logging the user out (e.g. "Hello, Debbie" is no longer displayed when I click "Log Out"), but the print_r() I am using shows the same session cookie there even after logging out.

I would expect PHPSESSID to have a value of "" in my browser and in print_r() after I log out.

When I log in I see this...

```
print_r(\$_SESSION) = Array ( [returnToPage] => //index.php [memberID] => 24 [memberFirstName] => Debbie [loggedIn] => 1 )
print_r(\$_COOKIE) = Array ( [phpSESSID] => 4bf54ca2d5b134ea841bab146ba22965 )
```

When I log out (and even if I close the browser window and open it back up), I see this...

```
print_r(\$_SESSION) = Array ( [returnToPage] => //pages/interview_index.php )
print_r(\$_COOKIE) = Array ( [phpSESSID] => 4bf54ca2d5b134ea841bab146ba22965 )
```

I am totally confused...

Debbie
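Putting kicken's two points together (clear the session data so the application no longer treats the request as authenticated, and delete the cookie with setcookie() under the name session_name() returns), the following is an added example of a complete logout script. It is not code from the thread or from any poster. It assumes the thread's BASE_URL constant, config path and session keys ('loggedIn', 'returnToPage'), and it reads the cookie's path, domain, secure and httponly attributes from session_get_cookie_params() so that the expiring cookie matches the one the browser already holds.

```php
<?php
// Added example, not code from the thread. Assumes the thread's
// BASE_URL constant, '../config/config.inc.php' and the session keys
// 'loggedIn' and 'returnToPage'.
session_start();
require_once('../config/config.inc.php');

function logOutUser()
{
    // Decide on the redirect target before the session data is cleared.
    // 'returnToPage' is set server-side by the application, so it is not
    // user-controlled input here.
    $returnTo = isset($_SESSION['returnToPage'])
        ? $_SESSION['returnToPage']
        : 'index.php';

    // 1. Drop every session variable, including the 'loggedIn' flag.
    //    After this the application has nothing left to treat as a login.
    $_SESSION = array();

    // 2. Expire the browser's session cookie. The cookie is named by
    //    session_name() (PHPSESSID by default), not session_id(). The
    //    deletion cookie must carry the same path/domain/secure/httponly
    //    attributes as the original; if the path is omitted, setcookie()
    //    defaults to the directory of the current script, and a cookie set
    //    with "Path /" is then not matched and stays in the browser.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 3. Remove the server-side session storage for this ID so the old
    //    identifier cannot be presented again to reach the old data.
    session_destroy();

    // 4. Redirect and stop so nothing below runs for the logged-out request.
    header('Location: ' . BASE_URL . $returnTo);
    exit();
}

logOutUser();
```

The order matters: the cookie is expired while the session's configured cookie parameters are still available, and session_destroy() runs after the data has been emptied. Even if the browser keeps a stale PHPSESSID (for instance because a path mismatch caused the browser to ignore the deletion), the request is harmless once the server-side session file is gone and the login flag cleared, which is the point kicken makes above. Regenerating the ID with session_regenerate_id(true) is most useful at login, where a privilege change happens, rather than at logout.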