9 Replies - 7848 Views - Last Post: 04 September 2014 - 02:30 AM

#1 Hypermx

  • D.I.C Head

Reputation: 1
  • Posts: 77
  • Joined: 06-August 09

PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 01:17 AM

Hello.

I'm having some issues with making a login/logout script.

The problem I am having is with the logout script, I think.

When I log out, it removes the session fine, but when I get redirected back to my main page, the session variable is there again, UNTIL I REFRESH THE PAGE.

Since the login script and the main page are in two different directories (I wanted a global login system for multiple sites on the same domain), I figured I had to use the same session ID for this to work.
But I think this is where my problem is.


HTML - header.php:
<?php 
ini_set("display_startup_errors", "1");
ini_set("display_errors", "1");
error_reporting(E_ALL);

session_id('uabo6f6hb4ne5sk66ekrhhpdd1');
session_start(); ?>
<header id="maxbrown_header" style="position:fixed; z-index: 1000; height: 4%; width: 100%; min-height: 35px; background-color: rgba(0, 0, 0, 0.5); outline: 1px solid rgba(0,0,0,0.2); top: 0px; left: 0px;">
	<?php	if(!isset($_SESSION['user'])) { ?>
		<form method="POST" action="http://maxbrown.dk/login/login.php">
			<div id="headerlogin" style="position: absolute; height: 100%; width: 50%; right: 0px; margin: 5px;	text-align: right; color: #DCDDDE; font-weight: bold;">
				<p style="display:inline;">Username: </p><input type="text" id="username" name="username">
				<p style="display:inline;">Password: </p><input type="password" id="password"  name="password">
				<input type="submit" value="Sign in" name="submit">
			</div>
		</form>
	<?php  }
	else { print_r($_SESSION); print_r($_POST); ?>
		<form method="POST" action="http://maxbrown.dk/login/login.php">
			<div style="position:absolute; height: 100%; width: 25%; left: 0px; top: 0px;">
				<p style="color:white; margin-left: 0.4em; margin-top: 0.4em;">Welcome back, <?php echo ucfirst($_SESSION['user']); ?>.</p>
			</div>
			<div id="headerlogin" style="position: absolute; height: 100%; width: 50%; right: 0px; margin: 0.4em;	text-align: right; color: #DCDDDE; font-weight: bold;">
				<input type="submit" value="Logout">
			</div>
		</form>
	<?php }; echo session_id(); ?>
</header>



PHP - login.php:
<?php
ini_set("display_startup_errors", "1");
ini_set("display_errors", "1");
error_reporting(E_ALL);

session_id('uabo6f6hb4ne5sk66ekrhhpdd1');
session_start();

if(isset($_SESSION['user'])){
	unset($_POST['username']); //Test to see if it got looped in a POST.
}

if(isset($_POST['username'])) {

	include('config.php');

	$con = mysqli_connect($mysql_host, $mysql_username, $mysql_password, $mysql_database)or die(mysqli_connect_error());
	$result = mysqli_query($con, "SELECT `password` FROM users WHERE username='" . $_POST['username'] . "';");
	$row = mysqli_fetch_array($result);

	echo "<br>Password entered: " . $_POST['password'] . "\n";
	echo "<br>MD5 version: " . md5($_POST['password']) . "\n";
	echo "<br>Password needed: " . $row['password'] . "\n";
	if($row['password'] == md5($_POST['password']))
	{
		echo "Logged in" . "'\n";
		$_SESSION['user'] = $_POST['username'];
		echo $_SESSION['user'];
		print_r($_SESSION);
		echo session_id();
		header('Location: ' . $_SERVER['HTTP_REFERER']);
	}
	else
	{
		echo "Wrong password, please try again." . "\n";
		echo "<a href='". $_SERVER['HTTP_REFERER'] ."'>Click here to go back</a>";
	}
	
	mysqli_close($con);
}
else {
	unset($_SESSION['user']);
	session_destroy();
	echo "Logged out!\n";
	print_r($_SESSION);
	print_r($_POST);
	echo session_id();
	echo "<script>function redirect() { window.location.href='" . $_SERVER['HTTP_REFERER'] . "'; } </script>";
	echo "<script>setTimeout(redirect, 5000); </script>"; // pass the function itself, not redirect(), so the redirect waits 5 seconds
};

?>



And sorry for the mess around the code; I tried to figure out where my problem was myself, but I am stuck now.


If anybody has some time to help me, I would appreciate it.

This post has been edited by Hypermx: 27 August 2014 - 01:21 AM



Replies To: PHP login/logout - Session unset - but still there when redirected

#2 Dormilich

  • 痛覚残留

Reputation: 4208
  • Posts: 13,283
  • Joined: 08-June 10

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 01:53 AM

you're assuming session_destroy() does more than it really does:

http://php.net/manual/en/function.session-destroy.php said:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.


(underlining by me)

#3 Hypermx

  • D.I.C Head

Reputation: 1
  • Posts: 77
  • Joined: 06-August 09

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 03:14 AM

But wouldn't my
unset($_SESSION['user']);
unset the session variable? So the if wouldn't trigger in header.php?



Even if I use
session_unset()
before the destroy, it still doesn't work.

This post has been edited by Dormilich: 27 August 2014 - 04:07 AM
Reason for edit:: removed previous quote


#4 chris98

  • D.I.C Lover

Reputation: 40
  • Posts: 1,107
  • Joined: 06-July 13

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 03:59 AM

You have no form validation, so a user can enter anything into the input. This means that you are highly susceptible to SQL injection, especially since you are just inserting the data into the query.

Just using MySQLi doesn't mean you are no longer susceptible to SQL injection; you need to use prepared statements to secure your queries.

MD5 is proven weak; you should use a better, more secure hashing algorithm such as SHA-512.

This post has been edited by chris98: 27 August 2014 - 04:00 AM


#5 Dormilich

  • 痛覚残留

Reputation: 4208
  • Posts: 13,283
  • Joined: 08-June 10

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 04:13 AM

session_unset() is supposed to unset variables from session_register(), whose use is (rightfully) deprecated.

the obvious way to delete content from $_SESSION is resetting it: $_SESSION = array();

chris98, on 27 August 2014 - 12:59 PM, said:

MD5 is proven weak, you should use a better more secure hashing algorithm such as SHA 512.

for hashing passwords it's recommended to use bcrypt hashes via password_hash()

#6 chris98

  • D.I.C Lover

Reputation: 40
  • Posts: 1,107
  • Joined: 06-July 13

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 04:15 AM

Isn't that only available in PHP 5.5+, though?

#7 Dormilich

  • 痛覚残留

Reputation: 4208
  • Posts: 13,283
  • Joined: 08-June 10

Re: PHP login/logout - Session unset - but still there when redirected

Posted 27 August 2014 - 04:17 AM

there's a compatibility library for PHP ≥ 5.3.7

#8 ArtificialSoldier

  • D.I.C Lover

Reputation: 2040
  • Posts: 6,256
  • Joined: 15-January 14

Re: PHP login/logout - Session unset - but still there when redirected

Posted 28 August 2014 - 09:49 AM

If you hard-code the session ID like this:

session_id('uabo6f6hb4ne5sk66ekrhhpdd1');



Then that means everyone shares the same login session. That means that you go to the site, you log in, I go to the site from another computer, and I am logged in as you because every user has the same session.

#9 Hypermx

  • D.I.C Head

Reputation: 1
  • Posts: 77
  • Joined: 06-August 09

Re: PHP login/logout - Session unset - but still there when redirected

Posted 04 September 2014 - 12:58 AM

Thanks for the feedback guys.


I fixed my problem, and will also work on securing the code a bit more, using you're suggestions :)

#10 Dormilich

  • 痛覚残留

Reputation: 4208
  • Posts: 13,283
  • Joined: 08-June 10

Re: PHP login/logout - Session unset - but still there when redirected

Posted 04 September 2014 - 02:30 AM

your suggestions, not you're suggestions