CompleteNewbie Posted December 27, 2020

Hello, I have the $_SESSION code working, but after I destroy the session and I am asked to log in again, my browser doesn't ask me for my password and just logs me in. I don't understand because I have destroyed my session and I have deleted the data in $_SESSION and I have deleted the info in the cookie so it shouldn't log me in automatically. I thought it was something in my browser, but I erased my history and I never saved any password.

Here's my code. This is the welcome page:

```php
<?php
require_once 'login.php';
$connection = new mysqli($db_hostname, $db_username, $db_password, $db_database);

if ($connection->connect_error) die($connection->connect_error);

// The browser supplies these on every request once HTTP Basic credentials were entered
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
{
    $un_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_USER']);
    $pw_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_PW']);

    $query  = "SELECT * FROM users WHERE username='$un_temp'";
    $result = $connection->query($query);

    if (!$result) die($connection->error);
    elseif ($result->num_rows)
    {
        $row = $result->fetch_array(MYSQLI_NUM);
        $result->close();

        // Hash the submitted password with the two fixed salts and compare to the stored token
        $salt1 = "qm&h*";
        $salt2 = "pg!@";
        $token = hash('ripemd128', "$salt1$pw_temp$salt2");

        if ($token == $row[3])
        {
            session_start();
            $_SESSION['username'] = $un_temp;
            $_SESSION['password'] = $pw_temp;
            $_SESSION['forename'] = $row[0];
            $_SESSION['surname']  = $row[1];
            echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
            die("<p><a href=continue.php>Click here to continue</a></p>");
        }
        else die("Invalid username/password combination");
    }
    else die("Invalid username/password combination");
}
else
{
    // No credentials sent: ask the browser to show its Basic auth prompt
    header('WWW-Authenticate: Basic realm="Restricted Section"');
    header('HTTP/1.0 401 Unauthorized');
    die("Please enter your username and password");
}

$connection->close();

function mysql_entities_fix_string($connection, $string)
{
    return htmlentities(mysql_fix_string($connection, $string));
}

function mysql_fix_string($connection, $string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return $connection->real_escape_string($string);
}
?>
```

and this is the other page:

```php
<?php
session_start();

if (isset($_SESSION['username']))
{
    $username = $_SESSION['username'];
    $password = $_SESSION['password'];
    $forename = $_SESSION['forename'];
    $surname  = $_SESSION['surname'];

    destroy_session_and_data();

    echo "Welcome back $forename. <br>
          Your full name is $forename $surname.<br>
          Your username is '$username'
          and your password is '$password'.";
}
else echo "Please <a href='authenticate2.php'>Click here</a> to log in.";

// Empties $_SESSION, expires the session cookie and destroys the server-side session
function destroy_session_and_data()
{
    $_SESSION = array();
    setcookie(session_name(), '', time() - 2592000, '/');
    session_destroy();
}
?>
```

When I type the website in, I first get prompted to enter my password. When I am authenticated, the webpage says: You are now logged in, click here to continue. When I do, I am directed to another page which confirms that I am still logged in. Then I press refresh and the webpage asks me to "Click here to log in". I do, but it doesn't ask me for my password again. Why? My personal info should be destroyed.

Thank you for responding. It's greatly appreciated.

requinix Posted December 27, 2020

Browsers will remember Basic authentication credentials and pass them along any time they think the website might want to have them. The session is essentially pointless.

The "only" way to log out a user is to re-send a new 401 response so the browser will prompt for (new) credentials.

An even better answer would be to forget Basic auth and set up a normal login system like every other website does instead.

desjardins Posted December 28, 2020

3 hours ago, requinix said:

> Browsers will remember Basic authentication credentials and pass them along any time they think the website might want to have them. The session is essentially pointless.
>
> The "only" way to log out a user is to re-send a new 401 response so the browser will prompt for (new) credentials.
>
> An even better answer would be to forget Basic auth and set up a normal login system like every other website does instead.

And what is the normal login system that every other site does?

requinix Posted December 28, 2020

Like the kind you used to access this forum? A form that asks for a username/email and password? You know, the normal thing that you see on the internet.

NotionCommotion Posted December 28, 2020

When I first saw your code shown below, I thought that you were providing your server credentials or something. Investigated a little and saw that technically it should be valid. That being said, normally one will POST the credentials to the server, the server will query the DB and set a session.

```php
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { ... }
```
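
The form-based login that requinix and NotionCommotion describe, as an added example that is not code from any poster in this thread: the credentials are POSTed once, checked against the database, and only the session records the login, so destroying the session ends it. The in-memory SQLite table, the `demo` account and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Assumptions: in-memory SQLite via PDO stands in
// for the MySQL users table; the account demo / "correct horse" is constructed sample data.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, forename TEXT, pw_hash TEXT)');
    $hash = password_hash('correct horse', PASSWORD_DEFAULT);   // per-password salt built in
    $db->prepare('INSERT INTO users VALUES (?, ?, ?)')->execute(['demo', 'Dana', $hash]);
    return $db;
}

function login(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT forename, pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);                 // bound parameter, no string escaping needed
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pw_hash'])) return false;
    session_regenerate_id(true);           // fresh session ID once authenticated
    $_SESSION['username'] = $user;         // keep identity only, never the password
    $_SESSION['forename'] = $row['forename'];
    return true;
}

function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();   // unlike Basic auth, the browser re-sends no credentials afterwards
}

session_start();
$action = $_POST['action'] ?? '';
$msg = '';
if ($action === 'login') {
    $ok = login(demo_db(), (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    $msg = $ok ? 'Logged in.' : 'Invalid username/password combination';
} elseif ($action === 'logout') {
    logout();
    $msg = 'Logged out.';
}
?>
<p><?= htmlspecialchars($msg) ?></p>
<?php if (isset($_SESSION['username'])): ?>
  <p>Hello <?= htmlspecialchars($_SESSION['forename']) ?></p>
  <form method="post"><button name="action" value="logout">Log out</button></form>
<?php else: ?>
  <form method="post">
    <input name="username"> <input name="password" type="password">
    <button name="action" value="login">Log in</button></form>
<?php endif; ?>
```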