doubledee Posted July 2, 2012

I have tweaked my Log Out script to display a message that the User successfully logged out (or didn't), and then allow the User to either Log-In again or Go to Home Page.

In order to do this, I just used my standard "message.php" script which is where I handle all messaging for my website (i.e. Success and Failure Messages).

In order for "message.php" to work, it is expecting a code in the $_SESSION like this...

    // Update Succeeded.
    $_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475';

The problem with how my original "log_out.php" script was written, is that I was logging out (and erasing the SESSION variable) and so "message.php" would not work properly.

So I made these changes, and I would appreciate it if someone could verify if my logic is right and I am successfully and *thoroughly* logging out the User!!

log_out.php

    // Verify Update.
    if (mysqli_stmt_affected_rows($stmt1)==1){
        // Update Succeeded.
        // Member logged out from Database.

        // ******************************
        // Log Out User from Session.   *
        // ******************************
        $_SESSION['loggedIn'] = FALSE;

        // ************************
        // Clear Out Variables.   *
        // ************************
        unset($_SESSION['sessMemberID']);
        unset($_SESSION['sessUsername']);
        unset($_SESSION['sessFirstName']);

        // ********************************
        // Erase Session Cookie Contents. *
        // ********************************
        setcookie("PHPSESSID", "", time() - 3600);

        // Update Succeeded.
        $_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475';

    }else{
        // Update Failed.
        $_SESSION['resultsCode'] = 'LOGOUT_FAILED_3476';

    }//End of ATTEMPT TO LOG-OUT USER FROM DATABASE

    // Set Error Source.
    $_SESSION['errorPage'] = $_SERVER['SCRIPT_NAME'];

    // Redirect to Display Outcome.
    header("Location: " . BASE_URL . "/account/messages.php");

    // End script.
    exit();

messages.php

    // Log Out Succeeded.
    case 'LOGOUT_SUCCEEDED_3475':
        echo '<h1>Log Out Succeeded</h1>';
        echo '<p>You have been successfully logged-out. (3475)</p>';
        echo '<ul>
                <li>
                    <a class="button2" href="' . BASE_URL . '/account/log_in.php">Log In</a>
                </li>
                <li>or</li>
                <li>
                    <a class="button2" href="' . BASE_URL . '/index.php">Go to Home Page</a>
                </li>
              </ul>';

        // Finish Destroying Session.
        session_unset();
        session_destroy();
        $_SESSION = array();
        break;

    // Log Out Failed.
    case 'LOGOUT_FAILED_3476':
        echo '<h1>Log Out Failed</h1>';
        echo '<p>A problem occurred during log out.</p>';
        echo '<p>Please try again. (3476)</p>';
        echo '<a class="button" href="' . BASE_URL . '/account/log_out.php">Log Out</a>';
        break;

Is it okay how I moved this code from "log_out.php" to "messages.php" and saved it for the end???

    // Finish Destroying Session.
    session_unset();
    session_destroy();
    $_SESSION = array();
    break;

See any problems with what I did? Any *security* issues??

Thanks,

Debbie

requinix Posted July 2, 2012

It's perfectly reasonable to destroy whatever is in the current session and start another one anew.

    foreach (array_keys($_SESSION) as $key) unset($_SESSION[$key]);
    $_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475';
    // and redirect

xyph Posted July 2, 2012

The session isn't a very good place to store dynamic information. Think of what could happen when a user is browsing your site with multiple tabs open.

Messages should be stored, given a reference ID, and passed through the request (either GET or POST).

    showMessage.php?messageID=12345

Session data should generally be static, because the web is stateless. Your application won't know which potential instance of your application generated which value.

An exception would be large, multi-page, non-JS forms. In this case though, you'd want to create a 'sub-session', where you create a unique ID for that specific instance, and pass it along via a hidden field or query string.

    $_SESSION['formData'][$uniqueID] = array of post values to be passed.

It's extra work, but it's the right way to do it. Even if the user has two of the same multi-page forms open, each opening page will generate its own ID, and isolate the information to forms that contain that specific ID as a request value.

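The request-passed message described above, applied to this thread's log-out flow, as an added example that is not part of any post: the session is destroyed completely in log_out.php and the result code travels in the query string, where messages.php checks it against a fixed list. BASE_URL and the two result codes come from the first post; the function names, the `code` parameter and the placeholder host are assumptions.

```php
<?php
// Added example, not code from the thread. BASE_URL and the two result codes
// come from the first post; function names and the "code" parameter are assumptions.
defined('BASE_URL') || define('BASE_URL', 'https://example.test'); // placeholder value

const MESSAGES = [
    'LOGOUT_SUCCEEDED_3475' => ['Log Out Succeeded', 'You have been successfully logged-out. (3475)'],
    'LOGOUT_FAILED_3476'    => ['Log Out Failed', 'A problem occurred during log out. Please try again. (3476)'],
];

// log_out.php side: remove the session data, the cookie and the server-side record.
function destroySession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Use the real cookie name and scope. A cookie sent without a path is
        // scoped to the requesting directory, so it would not replace a
        // session cookie that was set for "/".
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// The outcome travels in the URL, so nothing has to survive in the session.
function logoutRedirectUrl(bool $succeeded): string
{
    $code = $succeeded ? 'LOGOUT_SUCCEEDED_3475' : 'LOGOUT_FAILED_3476';
    return BASE_URL . '/account/messages.php?code=' . rawurlencode($code);
}

// messages.php side: the request value only selects a fixed entry and is never echoed.
function renderMessage($code): string
{
    if (!is_string($code) || !array_key_exists($code, MESSAGES)) {
        return '<h1>Unknown message</h1>';
    }
    [$title, $body] = MESSAGES[$code];
    return '<h1>' . htmlspecialchars($title) . '</h1><p>' . htmlspecialchars($body) . '</p>';
}

// log_out.php:  destroySession(); header('Location: ' . logoutRedirectUrl(true)); exit();
// messages.php: echo renderMessage($_GET['code'] ?? null);
```
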
doubledee Posted July 2, 2012 Author

> It's perfectly reasonable to destroy whatever is in the current session and start another one anew.
>
>     foreach (array_keys($_SESSION) as $key) unset($_SESSION[$key]);
>     $_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475';
>     // and redirect

Huh????

Debbie

xyph Posted July 2, 2012

> Huh????
>
> Debbie

That's a terrible question, and it deserves a terrible answer: RTFM.

doubledee Posted July 2, 2012 Author

> > Huh????
> >
> > Debbie
>
> That's a terrible question, and it deserves a terrible answer: RTFM.

No, I asked a very specific question and provided quite a bit of code in my OP.

I have no clue what Requinix was referring to. (Which is strange, because he is usually spot on.)

Debbie

xyph Posted July 3, 2012

His answer was specific. His code showed you the quickest way to reliably destroy all data within a session, and append your message to the now empty session.

Here's a spoon-fed breakdown, though by this point you really should understand his snippet, or at least be able to figure it out on your own.

foreach - Iterate through the following array:
array_keys($_SESSION) - Get all the keys that exist in $_SESSION, and return an array containing them
as $key - assign the next value of the previously generated array to the variable $key
Since there are no curly-braces for this loop structure, we know there's only a single line involved in it
unset($_SESSION[$key]) - unsets the value of $_SESSION with the current $key
$_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475' - assign the needed value to the now empty session, so it exists when the redirect occurs.

Regardless, my advice holds true. You're using sessions to pass messages between pages, which is not ideal.

requinix Posted July 3, 2012

If, on the other hand, you're wondering not what the code does but what the code is about,

Your original problem was "if I destroy the session then I can't put the redirect code in it". I'm saying you don't have to destroy the entire session per se - just the user information and whatever else may be in there. Same session and same session ID but you get rid of everything that is in it.

[edit] For the record, $_SESSION = array(); might work. Don't think I've ever tried it.

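When the session is emptied in place as described above, the session ID issued before log-out stays in use. An added example (not part of any post) that clears the data, rotates the ID with session_regenerate_id(true), and lets messages.php read the result code exactly once; the function names and the sample values in the walk-through are assumptions.

```php
<?php
// Added example, not code from the thread. Function names are assumptions;
// the resultsCode key and the sess* keys come from the first post.

// Empty the session but keep it alive for the one message, under a fresh ID.
function clearSessionForLogout(string $resultsCode): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                 // equivalent to unsetting every key in a loop
    session_regenerate_id(true);    // issue a new ID and delete the old session record
    $_SESSION['resultsCode'] = $resultsCode;
    return session_id();
}

// messages.php side: read the code once, then remove it so a reload or a
// second tab does not show a stale result.
function takeResultsCode(): ?string
{
    $code = $_SESSION['resultsCode'] ?? null;
    unset($_SESSION['resultsCode']);
    return is_string($code) ? $code : null;
}

// Constructed walk-through (CLI only): a logged-in session, then log-out.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    session_start();
    $before = session_id();
    $_SESSION += ['loggedIn' => true, 'sessMemberID' => 42, 'sessUsername' => 'sample'];
    $after = clearSessionForLogout('LOGOUT_SUCCEEDED_3475');
    var_dump($before !== $after);                    // did the session ID change?
    var_dump(array_keys($_SESSION));                 // which keys are left
    var_dump(takeResultsCode(), takeResultsCode());  // first read, then second read
}
```
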
doubledee Posted July 3, 2012 Author

> His answer was specific. His code showed you the quickest way to reliably destroy all data within a session, and append your message to the now empty session.
>
> Here's a spoon-fed breakdown, though by this point you really should understand his snippet, or at least be able to figure it out on your own.
>
> foreach - Iterate through the following array:
> array_keys($_SESSION) - Get all the keys that exist in $_SESSION, and return an array containing them
> as $key - assign the next value of the previously generated array to the variable $key
> Since there are no curly-braces for this loop structure, we know there's only a single line involved in it
> unset($_SESSION[$key]) - unsets the value of $_SESSION with the current $key
> $_SESSION['resultsCode'] = 'LOGOUT_SUCCEEDED_3475' - assign the needed value to the now empty session, so it exists when the redirect occurs.
>
> Regardless, my advice holds true. You're using sessions to pass messages between pages, which is not ideal.

You really are incapable of going more than a week without petty insults, aren't you?

I could half-way deal with that if you bothered to read anything that anyone says...

Debbie