3
votes

So, I have:

  • index.php (login and register form, welcome page, etc.)
  • login.php (a simple login-verify PHP file, which executes when the user presses submit on index.php),
  • home.php (the page the user is redirected to after logging in correctly)
  • logout.php (the reverse of login.php: redirects the user to index.php and destroys the session (I thought...))

The problem is, I can get to home.php even before I sign in correctly, any time. I put session_start() on every page that needs the $_SESSION variable, and put session_destroy() in logout.php as well.

So here are the PHP files' code:

index.php

<body>

<?php
    require_once('config.php');
    if ($maintanance) {
        echo "Az oldal karbantartás alatt van.";
    }
    else if ($db_conn_error) {
        echo "Something went wrong according to database connection.";
    }
    else {
            include('reg.php');
            include('./templates/header.php');
?>

    <section>
        <form id="login_form" action="" method="POST">
            <h2>Already a member? Sign in!</h2>
            <p>Username: <input type="text" name="username"></p>
            <p>Password: <input type="password" name="password"></p>
            <input type="submit" name="login_submit" value="Sign In">
            <?php include 'login.php'; ?>
        </form>

        <form id="reg_form" action="" method="POST" onsubmit="return validation();">
            <h2>Sign up Now!</h2>
            <p>Username: <input type="text" name="username" placeholder="min. 5 characters">
            <span id="user_error"></span>
            </p>
            <p>Password: <input type="password" name="password" placeholder="min. 8 characters"></p>
            <p>Password again: <input type="password" name="password_again"></p>
            <p>E-mail: <input type="email" name="email" size="30"></p>
            <p>Date of birthday:
                <input type="number" name="bd_year" min="1950" max="2016">
                <input type="number" name="bd_month" min="1" max="12">
                <input type="number" name="bd_day" min="1" max="31">
            </p>
            <input type="submit" name="reg_submit" value="Sign Up">
        </form>
    </section>
</body>
</html>
<?php } ?>

login.php

<?php

    include 'config.php';

    if (isset($_POST["login_submit"]))
    {

        $username = $_POST["username"];
        $password = $_POST["password"];

        // Bind the username as a parameter instead of interpolating it into
        // the SQL string, so user input cannot change the query's structure.
        $query = "SELECT username, hashed_password FROM users WHERE username = ?";
        $stmt = mysqli_prepare($conn, $query);
        mysqli_stmt_bind_param($stmt, "s", $username);
        mysqli_stmt_execute($stmt);

        $result = mysqli_stmt_get_result($stmt);
        $row = mysqli_fetch_assoc($result);
        $rows_num = mysqli_num_rows($result);

        $password_match_error_message = false;

        if ($rows_num == 0) {
            echo "<p class='login_error_msg'>This user doesn't exist!</p>";
        }
        else {
            // Compare the submitted password against the stored password_hash() value.
            $password_match = password_verify($password, $row['hashed_password']);
            if (!$password_match) {
                echo "<p class='login_error_msg'>Wrong password!</p>";
            }
            else {
                session_start();
                $_SESSION["user"] = $username;
                header("Location: home.php");
            }
        }
    }

?>

home.php

<?php
    session_start();
    if (isset($_SESSION["user"])) {
?>

<!DOCTYPE html>

<html>

<head>
     <title>Spookie - Social Network</title>
     <link rel="stylesheet" type="text/css" href="./css/style.css">
</head>

<body>

    <?php
        include './templates/header.php';
    ?>

    <?php } else { echo "You are not logged in!"; } ?>

</body>

</html>

logout.php

<?php
    session_unset($_SESSION["user"]);
    session_destroy();
    header("Location: index.php");
?>

I know it's hard to see what's really going on through the code; the login works, but the session doesn't really.

The problem: I type in, and home.php is always reachable, despite the fact that I'm not logged in. logout.php doesn't destroy the session, or the session couldn't even start.

Thank you very much for your help! :)

3
Your home.php needs that filter inside the body, not before the doctype, if you want to do what it looks like you want to do (i.e. generate a page but with filtered content). That said: what do you actually get back when you visit that page without a session, for instance by using cURL or wget? Please update your post with proof that something is going wrong, so that we know what you know before we try to answer this. – Mike 'Pomax' Kamermans

3 Answers

2
votes

The problem is in logout.php.

You should also call session_start() to ensure you CAN remove the $_SESSION["user"] variable.

There may be other problems as I cannot see the whole code. Correct me if I am wrong.

Take a look at the other answer, which explains the typical way to set up session variables.

0
votes

According to this manual: http://php.net/manual/en/function.session-destroy.php

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

The manual link has a full working example on how to do that. Stolen from there:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>
0
votes

session_start() will start the session.

session_destroy() will destroy the session.

For setting session data you could do this:

    $_SESSION['is_logged_in'] = true;

For checking the existence of the session, or to check if the user is logged in:

    if (isset($_SESSION['is_logged_in'])) {
        // user is logged in, show the page
    }
    else {
        // redirect to login page
    }
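Putting the two points above together (the missing session_start() before session_destroy() in the first answer, and the is_logged_in flag check in the last one), here is an added example, not code from the question or any of the answers: a helper file, assumed to be named session_helpers.php, that a page requires before it sends any output. It assumes PHP 7.3+ (for the array form of session_set_cookie_params()) and that the site is served over HTTPS; the user and is_logged_in keys are the ones used in the question and answers.

```php
<?php
// session_helpers.php (assumed filename; added example, not from the question or answers)

// Start the session once, before any output, with a cookie that scripts
// cannot read and that is only sent over HTTPS (assumes the site uses HTTPS).
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// After password_verify() succeeds: regenerate the id so a session id that
// existed before login is never promoted to an authenticated one.
function login_user(string $username): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['is_logged_in'] = true;
}

// Guard for protected pages: call at the very top of home.php, before the
// doctype, so the redirect header can still be sent.
function require_login(string $login_page = 'index.php'): void
{
    start_secure_session();
    if (empty($_SESSION['is_logged_in'])) {
        header('Location: ' . $login_page);
        exit;
    }
}

// Full teardown: the session must be started first, otherwise
// session_destroy() has nothing to destroy (the bug in the question's logout.php).
function logout_user(string $after = 'index.php'): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $after);
    exit;
}
```

With this in place, home.php starts with require_login() before the doctype, login.php calls login_user($username) where it currently calls session_start() and sets $_SESSION["user"], and logout.php reduces to a single logout_user() call.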