Gallion - 1 year ago
HTML Question

How to start and destroy session properly?

So, I have:

  • index.php (login and registration forms, welcome page, etc.)

  • login.php (a simple login-verification PHP file, which executes when the user presses submit on index.php)

  • home.php (the page the user is redirected to after logging in correctly)

  • logout.php (the reverse of login.php: redirects the user to index.php and destroys the session (I thought...))

The problem is, I can get to home.php at any time, even before I sign in correctly.
I put start_session() on every page that needs the $_SESSION variable, and put session_destroy() in logout.php as well.

So here is the code of the PHP files:

index.php:

```php
<?php
if ($maintanance) {
    echo "The site is under maintenance.";
} else if ($db_conn_error) {
    echo "Something went wrong with the database connection.";
} else {
?>
<form id="login_form" action="" method="POST">
    <h2>Already a member? Sign in!</h2>
    <p>Username: <input type="text" name="username"></p>
    <p>Password: <input type="password" name="password"></p>
    <input type="submit" name="login_submit" value="Sign In">
</form>
<?php
// login.php is pulled in here, i.e. after the form HTML above has already been sent.
include 'login.php';
?>

<form id="reg_form" action="" method="POST" onsubmit="return validation();">
    <h2>Sign up Now!</h2>
    <p>Username: <input type="text" name="username" placeholder="min. 5 characters">
    <span id="user_error"></span></p>
    <p>Password: <input type="password" name="password" placeholder="min. 8 characters"></p>
    <p>Password again: <input type="password" name="password_again"></p>
    <p>E-mail: <input type="email" name="email" size="30"></p>
    <p>Date of birth:
    <input type="number" name="bd_year" min="1950" max="2016">
    <input type="number" name="bd_month" min="1" max="12">
    <input type="number" name="bd_day" min="1" max="31"></p>
    <input type="submit" name="reg_submit" value="Sign Up">
</form>
<?php } ?>
```



login.php:

```php
<?php
include 'config.php';   // provides $conn (mysqli connection)

if (isset($_POST["login_submit"])) {
    $username = $_POST["username"];
    $password = $_POST["password"];

    // Prepared statement: the user-supplied username is bound as a parameter
    // instead of being interpolated into the SQL string.
    $stmt = mysqli_prepare($conn, "SELECT username, hashed_password FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($result);
    $rows_num = mysqli_num_rows($result);
    mysqli_stmt_close($stmt);

    $password_match_error_message = false;

    if ($rows_num == 0) {
        echo "<p class='login_error_msg'>This user doesn't exist!</p>";
    } else {
        $password_match = password_verify($password, $row['hashed_password']);
        if (!$password_match) {
            echo "<p class='login_error_msg'>Wrong password!</p>";
        } else {
            // $_SESSION is only populated if session_start() ran earlier in this request.
            $_SESSION["user"] = $username;
            // header() only takes effect if nothing has been output to the browser yet.
            header("Location: home.php");
        }
    }
}
```


home.php:

```php
<?php
// $_SESSION["user"] is only visible here if session_start() has run on this page.
if (isset($_SESSION["user"])) {
?>
<!DOCTYPE html>
<html>
<head>
    <title>Spookie - Social Network</title>
    <link rel="stylesheet" type="text/css" href="./css/style.css">
</head>
<body>
<?php include './templates/header.php'; ?>
</body>
</html>
<?php } else { echo "You are not logged in!"; } ?>
```




logout.php:

```php
<?php
header("Location: index.php");
```

I know it's hard to see what's really going on from the code; the login works, but the session doesn't really.

The problem: I type in my credentials, and home.php is always reachable, despite the fact that I'm not logged in. logout.php doesn't destroy the session, or perhaps the session couldn't even start.

Thank you very much for your help! :)


The problem is in logout.php.

You should also call session_start() there to ensure you CAN remove the $_SESSION["user"] variable.

There may be other problems as I cannot see the whole code. Correct me if I am wrong.

Take a look at the other answer, which explains the typical way to set up session variables.
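The "typical way" the answer refers to, written out as one helper file that index.php/login.php, home.php and logout.php can all include. This is an added example, not the asker's code: it assumes config.php defines a mysqli connection in $conn and that the users table has username and hashed_password columns (both appear in the question); the file name session_helpers.php and the function names are made up for the example.

```php
<?php
// session_helpers.php - added example, not part of the original post.
// Assumes config.php defines $conn (mysqli) and a users(username, hashed_password) table.

declare(strict_types=1);

// Call once, before any output, on every page that touches $_SESSION.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                   // idempotent: safe to call from includes
    }
    ini_set('session.use_only_cookies', '1');     // never accept a session id from the URL
    session_set_cookie_params([
        'httponly' => true,                       // cookie not readable from JavaScript
        'samesite' => 'Lax',                      // not sent on cross-site POSTs
        'secure'   => !empty($_SERVER['HTTPS']),  // make this unconditionally true once the site is HTTPS-only
    ]);
    session_start();
}

// Check credentials; on success bind the session to the user and return true.
function login_user(mysqli $conn, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = mysqli_prepare($conn, 'SELECT username, hashed_password FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));   // null when no such user
    mysqli_stmt_close($stmt);

    // Always run password_verify(), against a throw-away hash when the user is unknown,
    // so "no such user" and "wrong password" take similar time and give the same answer.
    $hash = $row['hashed_password'] ?? password_hash('unused-dummy-password', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if ($row === null || !$ok) {
        return false;
    }

    session_regenerate_id(true);                  // new id after login defeats session fixation
    $_SESSION['user'] = $row['username'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Put at the top of every protected page (home.php): anonymous visitors are sent away.
function require_login(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: index.php');
        exit;                                     // without exit the protected HTML below would still be sent
    }
    return $_SESSION['user'];
}

// Complete logout: wipe the data, expire the browser cookie, delete the server-side record.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                            // only works because session_start() ran first
}

// How each page would use it (sketched as comments, one file per page):
//   login.php : start_secure_session(); if (login_user($conn, $_POST['username'], $_POST['password']))
//               { header('Location: home.php'); exit; }
//   home.php  : start_secure_session(); $user = require_login();   // then render the page
//   logout.php: start_secure_session(); logout_user(); header('Location: index.php'); exit;
```

Two points worth keeping in mind with this layout: every header('Location: ...') is followed by exit, because PHP otherwise keeps executing and ships the rest of the page along with the redirect; and session_destroy() on its own only removes the server-side file, so the cookie is expired explicitly, otherwise the browser keeps presenting the old id until it closes.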