Bytes IT Community

Problem with Sessions when Log in and Log out

P: 25
Hi friends,
I am having some problems with the session handling in my script. I have a login page which authenticates users using an SQL script; if the login is successful I have [PHP] $_SESSION['logged in']=true; and $_SESSION[userid]=$userid [/PHP] and when the login is true I include the page based on the access level of the user. If it is a regular user I have include "user.php"; exit() and if it is an admin I include the admin page.

I also have a log out script which unsets the session variables and destroys the session at the end.
Also, when an admin logs in to the admin page I have a small PHP script that checks for those session variables, and if they are set and "is true" then the pages are displayed.

My problem is that when the admin just goes back to the login page without logging out, it allows him to log in to the main page, but if any <a href> link is clicked in the main page it goes back to the login page. So then I have to go back and log out first and then log in. I am not sure why these strange things happen.
Also, is there any way I can have a feature so that when users click the back button it won't allow them to go back to that page unless they are using the back button provided by the web interface?

I am new to sessions, so I am not sure whether what I am doing is really a safe way to code a PHP page. Are there any other things that I need to be aware of while using sessions?

Any suggestions or thoughts would be highly appreciated.
Thanks
Feb 18 '07 #1
3 Replies


P: 25
My Log Out code is like below

[PHP]

<?php
session_start();
// store to test if they were logged in
// (isset avoids an undefined index notice when nobody was logged in)
$old_user = isset($_SESSION['userid']) ? $_SESSION['userid'] : '';
$_SESSION['loggedIn'] = false;
unset($_SESSION['userid']);
session_destroy();
?>
<html>
<body>
<h1>Logged out</h1>
<?php
if (!empty($old_user))
{
    echo 'Successfully logged out. <br />';
}
else
{
    echo 'You were not logged in, and so have not been logged out. <br />';
}
?>
<a href="login.php">Log in</a>
</body>
</html>

[/PHP]

My Admin Login Page starting code is as follows
[PHP]

<?php
session_start();
if ( isset( $_SESSION['loggedIn'] ) && $_SESSION['loggedIn'] ) {
    if (($_SESSION["userid"]) || ($_SESSION["userid"] != "")){
        require_once 'functions.php';
        $mode=$HTTP_GET_VARS['mode'];
        $who='admin';
        $loggedUserid = $_SESSION["userid"];
?>

[/PHP]

And in that admin login page I am calling other pages by using the following code
[PHP]

if($_GET['mode'] == "user_mgmt")
{
    include "user_mgmt.php";
}

if ($_GET['mode'] == "user_add")
{
    include "user_add.php";
}

[/PHP]

So do I need to have session_start() on each of those pages? I mean user_add.php and the others.
Also, the session id gets lost on the way, which I found when I echoed the session id at the top of the page.

I don't know what is wrong, but the session is not destroyed when I close the browser without logging out. I need to log in to the admin page and the other links won't work in that page, so I need to click Log out and then log in again for all the other pages to work.
I have a feeling that I am doing something wrong and insecure.

Do you have any idea? I need help, friends.
Feb 18 '07 #2

Atli
Expert 5K+
P: 5,058
Hi.

I don't fully understand your problem, but I have a couple of pointers.
HTTP_GET_VARS is very old, and most likely soon to be removed.
I recommend using $_GET instead.

session_destroy() is a dangerous function. It destroys everything, which also includes any other session data other parts of your page might be using.
I'd recommend unsetting only those variables you want to destroy with the unset method.
This here is code that creates a simple user login / logout system.
I hope it will shed some light on your problem :)

[PHP]
<?php
// Start session
session_start();

// Check if a user is logged in
if(isset($_SESSION['UserID']))
{
    // Check if the user has selected the logout option
    // note. @ is to get rid of the undefined index warning
    if(@$_GET['action'] == "logout")
    {
        // Destroy his data
        unset($_SESSION['UserID']);
        unset($_SESSION['UserName']);
        unset($_SESSION['UserStatus']);

        // Print Message
        echo '<div align="center">You have been logged out<br /><a href="?">Continue</a></div>';
    }

    // The user doesn't want to logout, load his content!
    else
    {
        // Print the user info (escaped, because the name came from the login form)
        echo '<div align="center">You are logged in as '. htmlspecialchars($_SESSION['UserName'], ENT_QUOTES) .' - <a href="?action=logout">Logout</a></div>';

        // Get the users content
        if($_SESSION['UserStatus'] == "Admin")
        {
            // Get the admin content
            echo '<p align="center"> You are an admin :O</p>';

            @include("admin.php");
        }
        else
        {
            // Get the user content
            echo '<p align="center">Pffft.. only a user >:)</p>';
            @include("user.php");
        }
    }
}

// No user is logged on, Get the load form
else
{
    // Check if the form has been submitted
    // by looking for the submit button
    if(isset($_POST['LoginSubmit']))
    {
        // connect database (mysqli, since the mysql_* functions were removed in PHP 7)
        $DB = @mysqli_connect("localhost", "user", "pass", "database") or die(mysqli_connect_error());

        // Load the user data. The ? placeholders keep the posted values
        // out of the SQL text, so they cannot change the query.
        // The password is compared as stored, as in the original query; if the
        // table holds password_hash() output, select the hash by UserName
        // and check it with password_verify() instead.
        $SQL = "SELECT UserID, UserStatus FROM UserTable
                WHERE UserName = ?
                AND Password = ?";

        $UserName = isset($_POST['UserName']) ? (string)$_POST['UserName'] : '';
        $UserPassword = isset($_POST['UserPassword']) ? (string)$_POST['UserPassword'] : '';

        $STMT = mysqli_prepare($DB, $SQL) or die(mysqli_error($DB));
        mysqli_stmt_bind_param($STMT, "ss", $UserName, $UserPassword);
        mysqli_stmt_execute($STMT) or die(mysqli_stmt_error($STMT));
        mysqli_stmt_bind_result($STMT, $UserID, $UserStatus);

        // Check the password: a row is fetched only when both values matched
        if(mysqli_stmt_fetch($STMT))
        {
            // Issue a fresh session id now that the user is authenticated
            session_regenerate_id(true);

            // Set the session values
            $_SESSION['UserID'] = $UserID;
            $_SESSION['UserName'] = $UserName;
            $_SESSION['UserStatus'] = $UserStatus;

            // print message
            echo '<div align="center">You have been logged on! <br /> <a href="?">Continue</a></div>';
        }

        // The password is wrong!
        else
        {
            echo '<div align="center">No no no! You\'ve got it all wrong! <br /> <a href="?">Try again</a></div>';
        }
    }

    // The data has not been submitted, print the form
    else
    {
        echo '
        <div align="center">
        <form action="?" method="post">
        Name: <input type="text" name="UserName" />
        <br />Password : <input type="password" name="UserPassword" />
        <br /><input type="submit" name="LoginSubmit" />
        </form>
        </div>';
    }
}
?>

[/PHP]
Feb 18 '07 #3
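
Added example, not code from either poster: one shared include for the entry-page guard, the `mode` dispatch and the logout that the thread discusses. The file name `auth.php` and all function names are hypothetical; the session keys `loggedIn` and `userid` and the mode values are the ones used in post #2.

```php
<?php
// auth.php (hypothetical name): required once by the entry script, e.g. the admin page.
// Files pulled in with include run inside the same request and see the same
// $_SESSION, so only the entry script has to start the session.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Both keys from the thread must be present and non-empty.
function is_logged_in(): bool
{
    return !empty($_SESSION['loggedIn']) && !empty($_SESSION['userid']);
}

// Redirect anonymous visitors and stop, so no protected output follows.
function require_login(string $loginUrl = 'login.php'): void
{
    start_session_once();
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Map ?mode= to a file through a fixed table. Unknown or non-string values
// return null, and the request value itself never reaches include.
function page_for_mode($mode): ?string
{
    $pages = ['user_mgmt' => 'user_mgmt.php', 'user_add' => 'user_add.php'];
    return (is_string($mode) && isset($pages[$mode])) ? $pages[$mode] : null;
}

// Logout: empty the data, expire the browser cookie, drop the server-side record.
function logout(): void
{
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
// Entry script: require_once 'auth.php'; require_login();
// then: if ($page = page_for_mode($_GET['mode'] ?? null)) { include $page; }
```

A file such as user_add.php that can also be requested directly by URL needs its own `require_login()` call at the top, because in that case it is the entry script.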

P: 25
Hey thanks Atli,
I figured out why it was not working fine... and now it's working well...
Anyway, thank you very much for your time
Feb 19 '07 #4
