Gallion Gallion - 6 months ago 18
HTML Question

How to start and destroy session properly?

So, I have:


  • index.php(login and register form, welcome page, etc.)

  • login.php(it's a simple login verify php file, which executes when user press submit on index.php),

  • home.php (the site where the user redirects after logged in correctly)

  • logout.php(the reverse of login.php, redirects the user to index.php and destroy the session (I thought..)



The problem is, I can get at home.php, even before I sign in correctly, anytime.
I put start_session() on every page that needs $_SESSION variable, and put session_destroy() in logout.php as well.

So here are the php files' codes:

index.php

<body>

<?php
require_once('config.php');
if ($maintanance) {
echo "Az oldal karbantartás alatt van.";
}
else if ($db_conn_error) {
echo "Something went wrong according to database connection.";
}
else {
include('reg.php');
include('./templates/header.php');
?>

<section>
<form id="login_form" action="" method="POST">
<h2>Already a member? Sign in!</h2>
<p>Username: <input type="text" name="username"></p>
<p>Password: <input type="password" name="password"></p>
<input type="submit" name="login_submit" value="Sign In">
<?php include 'login.php'; ?>
</form>

<form id="reg_form" action="" method="POST" onsubmit="return validation();">
<h2>Sign up Now!</h2>
<p>Username: <input type="text" name="username" placeholder="min. 5 characters">
<span id="user_error"></span>
</p>
<p>Password: <input type="password" name="password" placeholder="min. 8 characters"></p>
<p>Password again: <input type="password" name="password_again"></p>
<p>E-mail: <input type="email" name="email" size="30"></p>
<p>Date of birthday:
<input type="number" name="bd_year" min="1950" max="2016">
<input type="number" name="bd_month" min="1" max="12">
<input type="number" name="bd_day" min="1" max="31">
</p>
<input type="submit" name="reg_submit" value="Sign Up">
</form>
</section>
</body>
</html>
<?php } ?>


login.php

<?php

include 'config.php';

if (isset($_POST["login_submit"]))
{

$username = $_POST["username"];
$password = $_POST["password"];

$query = "SELECT username, hashed_password FROM users WHERE username = '$username';";

$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
$rows_num = mysqli_num_rows($result);

$password_match_error_message = false;

if ($rows_num == 0) {
echo "<p class='login_error_msg'>This user doesn't exist!</p>";
}
else {
$password_match = password_verify($password, $row['hashed_password']);
if (!$password_match) {
echo "<p class='login_error_msg'>Wrong password!</p>";
}
else {
session_start();
$_SESSION["user"] = $username;
header("Location: home.php");
}
}
}

?>


home.php

<?php
session_start();
if (isset($_SESSION["user"])) {
?>

<!DOCTYPE html>

<html>

<head>
<title>Spookie - Social Network</title>
<link rel="stylesheet" type="text/css" href="./css/style.css">
</head>

<body>

<?php
include './templates/header.php';
?>

<?php } else { echo "You are not logged in!"; } ?>

</body>

</html>


logout.php

<?php
session_unset($_SESSION["user"]);
session_destroy();
header("Location: index.php");
?>


I know, it's hard to see what's really going on through the codes, the login works, but the session is not really.

The problem: I type in and home.php is always reachable, despite the fact I'm not logged in. The logout.php doesn't destroy the session or even the session couldn't start.

Thank you very much for your help! :)

Answer

The problem is in logout.php.

You should also claim session_start() to ensure you CAN remove the $_SESSION["user"] variable.

There may be other problems as I cannot see the whole code. Correct me if I am wrong.

Take a look at the another answer which explains the typical way to set up session variables