If a user logs into my system and then logs out without closing the browser, then any page that the user is authorized to see is still available as if the user never logged out. I've done a bunch of testing and found that the session variables are properly unset, but the server variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] don't seem to get unset, which causes the login script to simply log the user back in instead of calling up the login dialog box. Code is below. (The file loginfo.php, which is referenced but not included below, simply contains the database host, username, password, and database name information. I know it is not the problem.)
file: home.php
<?php
// No session_start() here: unless session.auto_start is on, $_SESSION is
// still empty at this point, so login.php is included and starts the session.
if(!isset($_SESSION['username']))
    include('login.php');
$fname = htmlentities($_SESSION['fname']);
$lname = htmlentities($_SESSION['lname']);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>UNH CS Alumni Database--Home</title>
</head>
<body>
<div align="center">
<img src="unhlogo.jpg" alt="UNH Logo" /><br />
<h2>Computer Science Alumni Database</h2>
<a href="logout.php">Log out</a>
</div>
</body>
</html>
file: login.php
<?php
if(!isset($_SESSION))
{
    session_start();
}
session_regenerate_id();
require_once('loginfo.php');
require_once('DB.php');      // PEAR DB
$user = '';
$password = '';
if(!isset($_SESSION['username']))
{
    // No credentials in the request yet: send the Basic auth challenge.
    if(!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
    {
        header('WWW-Authenticate: Basic realm="Member Area"');
        header("HTTP/1.0 401 Unauthorized");
        echo "You must enter a username and password.";
        exit;
    }
    require_once('connect.php');
    $user = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];
    // get_magic_quotes_gpc() no longer exists in PHP 8; guard the call.
    // stripslashes() returns the stripped string, so its result must be assigned.
    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        $user = stripslashes($user);
        $password = stripslashes($password);
    }
    $user = $db->escapeSimple($user);
    $password = $db->escapeSimple($password);
    $query = "SELECT * FROM users WHERE ";
    $query .= "username='".$user."' AND password=SHA1('".$password."') LIMIT 1";
    $result = runQuery($db, $query);
    $row = $result->fetchRow(DB_FETCHMODE_ASSOC);
    if(!$row)
    {
        header('WWW-Authenticate: Basic realm="Member Area"');
        header("HTTP/1.0 401 Unauthorized");
        echo "Your username and password combination was incorrect!";
        exit;
    }
    $_SESSION['username'] = $row['userName'];
    $_SESSION['fname'] = $row['fName'];
    $_SESSION['lname'] = $row['lName'];
    $_SESSION['access'] = $row['class'];
    $user = '';
    $password = '';
    if($_SESSION['access'] != 'admin' && $_SESSION['access'] != 'user')
    {
        echo 'Account inactive. Unable to continue.<br />';
        session_destroy();
        // These only clear this request's copy; the browser sends the
        // Authorization header again on the next request.
        unset($_SERVER['PHP_AUTH_USER']);
        unset($_SERVER['PHP_AUTH_PW']);
        echo 'Not logged in.';
        exit;
    }
}
?>
file: connect.php
<?php
require('loginfo.php');   // defines $root, $pw, $host and $database
$db = DB::connect("mysqli://$root:$pw@$host/$database");
if(DB::isError($db))
    die("Could not connect to the database: <br />".DB::errorMessage($db));
if(!function_exists('runQuery'))
{
    // Runs a query and stops with the failing statement on error.
    function runQuery($connection, $query)
    {
        $result = $connection->query($query);
        if(DB::isError($result))
            die("Could not query the database: <br />".$query."; ".DB::errorMessage($result));
        return $result;
    }
}
?>
file: logout.php
<?php
if(!isset($_SESSION))
{
    session_start();
}
// Clear the session data; the PHP manual advises against unset($_SESSION).
$_SESSION = array();
// These only clear this request's copy; the browser re-sends the
// Authorization header on the next request.
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
if (session_id() != "" || isset($_COOKIE[session_name()]))
    setcookie(session_name(), session_id(), 1, '/');   // expire the session cookie
session_unset();
session_destroy();
if(!isset($_SESSION['username']))
    header('Location: index.html');
?>
The file index.html which logout.php redirects to at the end simply contains a link to home.php.
Assuming I've correctly isolated the problem, how do I unset the relevant server variables? If I haven't, then what could the problem be?
Thanks in advance for any help.
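One way to make the logout take effect under HTTP Basic auth, as an added example that is not the poster's code: the browser replays the Authorization header on every request, so the server cannot clear PHP_AUTH_USER; instead logout sets a marker cookie, and the next request that replays credentials is answered with a 401 once, which makes the browser prompt again. The $pdo handle, the hypothetical connect.php, and the users table columns (username, password_hash, class) are assumptions.

```php
<?php
// Added example, not code from the original post. Browsers resend the Authorization
// header on every request, so PHP_AUTH_USER/PHP_AUTH_PW cannot be unset server-side;
// logout() sets a marker cookie instead, and the next replayed credentials get a 401
// so the browser prompts again. Assumed: a PDO handle $pdo (hypothetical connect.php)
// and a users table with columns username, password_hash (password_hash()) and class.
declare(strict_types=1);
function sendChallenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="Member Area"');
    http_response_code(401);
    exit($message);                      // print the message and stop
}
function requireLogin(PDO $pdo): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (isset($_SESSION['username'])) { return; }   // already logged in this session
    if (isset($_COOKIE['logged_out'])) {
        // Credentials replayed after a logout: clear the marker, reject this request once.
        setcookie('logged_out', '', ['expires' => time() - 3600, 'path' => '/']);
        sendChallenge('You have been logged out.');
    }
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        sendChallenge('You must enter a username and password.');
    }
    // Prepared statement, and the hash is verified in PHP rather than via SHA1() in SQL.
    $stmt = $pdo->prepare('SELECT username, password_hash, class FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$_SERVER['PHP_AUTH_USER']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($_SERVER['PHP_AUTH_PW'], $row['password_hash'])) {
        sendChallenge('Your username and password combination was incorrect!');
    }
    if (!in_array($row['class'], ['admin', 'user'], true)) {
        sendChallenge('Account inactive. Unable to continue.');
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['username'] = $row['username'];
    $_SESSION['access'] = $row['class'];
}
function logout(): void                  // what logout.php would call
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
    setcookie('logged_out', '1', ['expires' => 0, 'path' => '/', 'httponly' => true]);
    header('Location: index.html');
    exit;
}
```

After logout, the first request that carries the old credentials is refused and the marker is cleared, so re-entering the same credentials at the prompt logs in normally.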