Logout NOT Logging Out...

[mroberts46]

Does anyone know why clicking the 'Log Out' button created in this file:

<div class="widget">
<h1>Hello, <?php echo $user_data['first']; ?>!</h1>
     <div class="inner">
     	<nav id="side-links">
          	<li><a href="logout.php">Log Out</a></li>
               <li><a href="changepassword.php">Change Password</a></li>
          </nav>
     </div>
</div>

 

is not logging the user out? Here is logout.php:

<?php 
session_start();
session_destroy();
header('Location: index.php');
?>

 

I can click the log out button and see the page refresh but instead of replacing my Logged In information with a simple Log In form, it just leaves my info there as if I'm still logged in. The code that controls that:

<aside class="widgets">
     	<?php
	if (logged_in() === true) {
		include 'includes/widgets/loggedin.php';
	} else {
		include 'includes/widgets/login.php';
	}
	?>
     </aside>

 

Can someone explain why this is happening and how to fix it?

[Pikachu2000]

What is in the logged_in() function?

[mroberts46]

function logged_in() {
return (isset($_SESSION['id'])) ? true : false;
}

[mroberts46]

I thought about using the die() function or an echo statement to see what the function is returning but I don't know what to echo out

[Pikachu2000]

echo '$_SESSION['id'] value: ';
var_dump($_SESSION['id']);

[mroberts46]

This is returned:

1value: string(1) "1"

[Pikachu2000]

There's more to killing the session data associated with the login than just calling session_destroy(). Have you read the manual entry? There's a lot of useful information that helps to explain why this is happening. http://php.net/manual/en/function.session-destroy.php

[Zane]

You could very easily set

$_SESSION = null

... destroying the session.

[mroberts46]

I tried following the example from the manual as well as setting the $_SESSION to null and none. I'm still logged in

[Pikachu2000]

Post the code you tried using.

[mroberts46]

This still has my failed attempted at troubleshooting  in it as well...

<?php 
session_start();

$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    echo $params;
    die();
    
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
} else {
die('Didn\'t Work');
}
session_destroy();
//header('Location: index.php');
?>

[Pikachu2000]

What was the output from that code?

[mroberts46]

It never echoed the $params nor did it display Didn't Work

[mroberts46]

There was no output from it. I clicked the link and it reloaded the page as it was

[mroberts46]

It seems almost as if it's not even calling the logout.php file but I've checked the link several times to insure that it is correct and it is

[PFMaBiSmAd]

Because you are redirecting around all over the place, I suspect you have more than one session going on, either because you are switching back and forth between having and not having the www. on the url and/or you are changing paths in the url. See the following post (concerns trying twice to log in, but might be related to your not being able to log out) http://forums.phpfreaks.com/index.php?topic=360649.msg1705611#msg1705611

 

Are all your URL's consistent, i.e. all with or all without the www. on them? What does a phpinfo() statement show for the session.cookie_path setting?

[mroberts46]

I don't know how to use nor where to use the phpinfo() function. I'm still very new to php. And as far as I know, all of my URLs should be the same.

[boompa]

If you hear of a function, and you "don't know how to use or where to use" a function, then go read the manual.

[mroberts46]

So the session.cookie_path is set to "/"

[mikosiko]

if this is your last code:

<?php 
session_start();

$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    echo $params;  // REMOVE IT
    die(); // REMOVE IT
    
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
} else {    // REMOVE THIS LINE
die('Didn\'t Work'); // AND THIS TOO
}
session_destroy();
//header('Location: index.php');  // AND MAYBE YOU NEED THIS LINE TO BE ACTIVE 
?>

 

did you try removing completely that last else sentence (look the comments in your code) and see what happens?

 

 

[PFMaBiSmAd]

So the session.cookie_path is set to "/"

 

That would mean that a changing path in the URL isn't causing multiple different sessions to exist for one client (browser.)

 

The problem can still be due to URL's that are changing back and forth between having and not having www. in them.

 

What does the phpinfo() statement show for the session.cookie_domain? (it's very likely empty as that is the default value and it would require you to specifically be setting it.)

 

Since we don't have all your code needed to reproduce this problem, you would need to debug exactly what is occurring. For your logout code to clear the same session data that corresponds to your log in code, you need to have the same session id on the log out page that you have on your log in page (and in the session id cookie in your browser.) You can echo session_id(); in your code to see what the current session id is. You can also check the session id cookies in your browser to see if there is more than one matching your base domain, there would be one cookie for www.yourdomain.com and one for just yourdomain.com

[mroberts46]

I hadn't but it was because I was trying to see if the if statement was even executing. Neither die() statement executed so I changed the code to this:

<?php 
session_start();
unset($_SESSION['id']);
$_SESSION['id'] = 0;
session_destroy();
header('Location: index.php');
?>

 

It worked once but once I logged in again to verify that it really did do the trick, I was unsuccessful in logging out again.

[PFMaBiSmAd]

$_SESSION['id'] = 0;

 

^^^ Your logged_in() function is testing if $_SESSION['id'] isset. Assigning a zero to it is setting it.

[mroberts46]

I'm taking that out but first I wanted to see what shows up in the developer tools (F12 in my browser).

 

session.cookie_domain is not set

[PFMaBiSmAd]

Last guess, without seeing all the code needed to reproduce the problem - you have some code in index.php or in includes/widgets/login.php that is setting $_SESSION['id']. Probably in a conditional test that only has one = sign (an assignment operator) instead of two == signs (an equal comparison operator.)

 

If that's not it, you will need to post all the code (less any database credentials) that reproduces the problem.