Jump to content

Recommended Posts

Hello,

I have the $_session code working, but after I destroy the session and I am asked to log in again, my browser doesn't ask me for my password and just logs me in.

I don't understand because I have destroyed my session and I have deleted the data in $_SESSION and I have deleted the info in the cookie so it shouldn't log me in automatically. I thought it was something in my browser, but I erased my history and I never saved any password.

Here's my code:

This is the welcome page

<?php
    require_once 'login.php';
    $connection = new mysqli($db_hostname, $db_username, $db_password, $db_database);
    
    if ($connection->connect_error) die($connection->connect_error);
    
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
    {
        $un_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_USER']);
        $pw_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_PW']);
        
        $query = "SELECT * FROM users WHERE username='$un_temp'";
        $result = $connection->query($query);
        
        if (!$result) die($connection->error);
        elseif ($result->num_rows)
        {
            $row = $result->fetch_array(MYSQLI_NUM);
            
            $result->close();
            
            $salt1 = "qm&h*";
            $salt2 = "pg!@";
            
            $token = hash('ripemd128', "$salt1$pw_temp$salt2");
            
            if ($token == $row[3])
            {
                session_start();
                $_SESSION['username'] = $un_temp;
                $_SESSION['password'] = $pw_temp;
                $_SESSION['forename'] = $row[0];
                $_SESSION['surname'] = $row[1];
                
                echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
                
                die("<p><a href=continue.php>Click here to continue</a></p>");
            }
            else die("Invalid username/password combination");
        }
        else die("Invalid username/password combination");
    }
    else
    {
        header('WWW-Authenticate: Basic realm="Restricted Section"');
        header('HTTP/1.0 401 Unauthorized');
        die("Please enter your username and password");
    }
    $connection->close();
        
    function mysql_entities_fix_string($connection, $string)
    {
        return htmlentities(mysql_fix_string($connection, $string));
    }
        
    function mysql_fix_string($connection, $string)
    {
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        return $connection->real_escape_string($string);
    }
?>

and this is the other page:

<?php
    session_start();
    
    if(isset($_SESSION['username']))
    {
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
        $forename = $_SESSION['forename'];
        $surname = $_SESSION['surname'];
        
        destroy_session_and_data();
        
        echo "Welcome back $forename. <br>
            Your full name is $forename $surname.<br>
            Your username is '$username'
            and your password is '$password'.";
    }
    
    else echo "Please <a href='authenticate2.php'>Click here</a> to log in.";
    
    function destroy_session_and_data()
    {
        $_SESSION = array();
        setcookie(session_name(), '', time() - 2592000,'/');
        session_destroy();
    }
?>

 

When I type the website in i first get prompt to enter my password, when I am authenticated the webpage says: You are now logged in click here to continue. When I do I am directed to another page which confirms that I am still logged in. Then I press refresh and the webpage asks me to "Click here to log in". I do, but it doesn't ask me for my password again. Why? My personal info should be destroyed.

Thank you for responding. It's greatly appreciated

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/311937-problem-with-ending-a-session/
Share on other sites

Browsers will remember Basic authentication credentials and pass them along any time they think the website might want to have them. The session is essentially pointless.

The "only" way to log out a user is to re-send a new 401 response so the browser will prompt for (new) credentials.

An even better answer would be to forget Basic auth and set up a normal login system like every other website does instead.

3 hours ago, requinix said:

Browsers will remember Basic authentication credentials and pass them along any time they think the website might want to have them. The session is essentially pointless.

The "only" way to log out a user is to re-send a new 401 response so the browser will prompt for (new) credentials.

An even better answer would be to forget Basic auth and set up a normal login system like every other website does instead.

and what is normal login system that every other site does?

When I first saw your code shown below, I thought that you were providing your server credentials or something.  Investigated a little and saw that technically it should be valid.  That being said, normally one will POST the credentials to the server, the server will query the DB and set a session.

 

if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
   ...
}

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.