Session and Login

So I understand sessions and use several in my login. However, if I logout and simply click the back button I still see the secure page (which I should not see unless logged in). I know the sessions are cleared because I have a test code that prints out the sessions on same page.

I other words, the session is cleared upon logout but the page still loads…although without the critical login sessions. Any help is appreciated.

I have a form on that page. Anyone logged in completes the form and has session ID attached. Logout and you can still complete the form but it comes in the system as blank for session user…

[php]<?php

// At the top of the page check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
    // If they are not, redirect them to the login page.
    header("Location: login.php");
    
    // Remember that this die statement is absolutely critical.  Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}

?>[/php]

I also tried the simple session start code but it didn’t work either.
[php]<?php
session_start();
?>[/php]

What is the code for logout?

Thanks.

[php]<?php
session_start();

// remove all session variables and destroy the session
session_unset();
session_destroy();

header(“location: login.php”);
?>
[/php]

Hmmm

Have to test somethings later when I have access to a web server.

Great. I appreciate that. This is my third time trying to fix this issue, including reading up in php manual. I just can’t make it work and appreciate the help.

What is the php code on the protected page that limits access to that page and if it is the 1st piece of code at the start of this thread (you didn’t specifically label what the posted code is), you likely have some other code on that page that’s causing the symptom or the code is in the incorrect location for it to be effective. In any case, you have a whole page that isn’t working as expected. It will take seeing all the code for that page to help.

Also, add var_dump($_SESSION); right before the if(empty($_SESSION[‘user’])) line to see what exactly is in the session variables. You could have non-printing/white space values that make it look like there is nothing in the session variable when echoed on the page.

Is the posted logout code the only thing on the logout page? If there’s code after that point, it could be setting the user session variable, since there is no die/exit statement in the logout code to stop program execution.

Thanks. There is only the logout code on the logout page and the code I posted is at the top of the page…and I did the vardump that is how I know the session empties. Thanks!

^^^ That didn’t address all the points/questions, so cannot eliminate the most common possibilities at this point.

Here are some more possibilities -

1. The code is actually redirecting to the login page, but the login code is setting the user session variable to something (probably a space character) and redirecting back to the protected page, which now passes the login check and runs the code on the page.

2. You have multiple sessions, due to having urls both with and without the www. host-name/sub-domain and the one you are destroying is not the one being tested by the login check code.

3. The code you have posted isn’t the actual code running on the server, either because of an upload/ftp/file save error, or you have different versions at different paths/filenames/capitalization and the correct one isn’t being used.

Ok. I am not at computer right now but can post code later. However i have a form on this page in question. The logout button clears the cookies out of the vardump on said page. However the form page still loads and allows submit…without session data. I thought that when I require a session on a page it always redirects to login if not logged in user but this is clearly not happening. I thought that simple start session code at top of page ended all further page load. Clearly not. And btw that short session start code three liner is at the top of my login page…I remember that much.

So this is the page the form is on…COULD IT BE LINE 183?

[php]<?php
session_start();
?>

        //set up values --these sessions are pulled from login
        
        $user_id=$_SESSION['user_id'];
        $firstname=$_SESSION['firstname'];
        $lastname=$_SESSION['lastname'];
        $dealer=$_SESSION['dealer'];
        $date = date("Y-m-d");
        
        $callsout=$_POST['callsout'];
        $textsout=$_POST['textsout'];
        $emailsout=$_POST['emailsout'];
        
       
        
        
      etc, etc...deleted for post here

        if( 
        $callsout!='' &&
        $textsout!='' &&
        $emailsout!='' &&
        
    
        
        
        etc, etc...deleted for post here

        ) 
        {
            $query=mysql_query("insert into tablex values
            (null,
            '".$user_id."',
            '".$date."',
            '".$firstname."',
            '".$lastname."',
            '".$dealer."',
            
           
            
         
            )") or die(mysql_error()); 
            if($query) 
            { 
               echo '<center>A new record was added to the table.</center>'; 
               echo'<center>Inserted all values</center>';
           
             {
$to = "emailaddresseshere"; // this is recipient address
$from = $_SESSION['email']; // this is sender's email address

$firstname = $_SESSION['firstname'];//from the session
$lastname = $_SESSION['lastname'];//from the session

$subject = "Daily Form Submission";
$subject2 = "Copy of your form submission";

$message = $firstname . " " . $lastname . " submitted:

Activity

".$callsout."    Calls Dialed
". $textsout."   Texts Outbound
". $emailsout."   Emails Sent



$message2 = "" . $first_name . "\n\n" .
$message = $firstname . " " . $lastname . " submitted:

 Activity
 
".$callsout."    Calls Dialed
". $textsout."   Texts Outbound
". $emailsout."   Emails Sent


$headers = $headers = 'From: t.com' . "\r\n" . 
'Reply-To: [email protected]' . "\r\n" . 
'X-Mailer: PHP/' . phpversion(); 

 $headers = $headers = 'From: tr.com' . "\r\n" . 
'Reply-To: [email protected]' . "\r\n" . 
'X-Mailer: PHP/' . phpversion(); 

$headers2 = "From:" . $to;
$headers['Cc'] = $from;
mail($to,$subject,$message,$headers,'-f [email protected]');

//Send email to all other person of same dealer type
$query = mysql_query("SELECT email FROM users WHERE access_level='1' AND dealer='".$_SESSION['dealer']."'");
if(mysql_num_rows($query)>0) {
	while($row = mysql_fetch_assoc($query)) {
		// sends a copy of the message to the sender
		mail($row['email'],$subject2,$message2,$headers2); 	
		//echo $row['email'];
	}
}





echo "<center>Mail Sent. Thank you " . $firstname . "!.</center>";
// You can also use header('Location: login.php'); to redirect to another page.
// You cannot use header and echo together. It's one or the other.
}
      
            }  
           else 
           { 
               echo'Vaules are not inserted--there is a problem.'; 
           }
        } 
       else 
       { 
            echo'Inserted all values';
           
       }
     }

?>

<title>Daily Manager Log</title>

<!-- Bootstrap core CSS -->
<link href="../../dist/css/bootstrap.min.css" rel="stylesheet">

<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<link href="../../assets/css/ie10-viewport-bug-workaround.css" rel="stylesheet">

<!-- Custom styles for this template -->
<link href="signin.css" rel="stylesheet">

<!-- Just for debugging purposes. Don't actually copy these 2 lines! -->
<!--[if lt IE 9]><script src="../../assets/js/ie8-responsive-file-warning.js"></script><![endif]-->
<script src="../../assets/js/ie-emulation-modes-warning.js"></script>

<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>
  <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->

Logged In As:

?>

<div class="container" align="center">

  <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
      
      <center><h6><font color="orange">If you do not see your name below, you are not logged in.  Please <a href="logout_transaction.php">Log In.</a><br></font></h6></center>
      <center><font color="orange"><?php

session_start();
echo “

Logged In As:

<center><h8><font color="red">Every question must be answered or the form will not submit.  <br>The report information will be shared with management. </font></h8></center>

Outbound calls today.





Outbound texts today.





Sent emails today.

</div> <!-- /container -->


<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>

You should only be calling session_start once, and at the top of the script.

wowowowowo, why are you using removed deprecated functions?

To be honest because they worked…which functions are deprecated? I can look at changing them. Thanks.

And I took out the mid section session which was there by accident and I can still type in this page address and the form opens…not logged in. Uggh.

The code you posted in reply #9 does not contain any logic to restrict access to just logged in users. If you had a version of that code that did contain the login check code from the post at the start of this thread, it would have correctly restricted access to only logged in users (and if it by chance didn’t have a session_start() statement before it, it would have prevented access to even logged in users.)

So, either you never tried a version of the form code with the login check logic in it. or you never saved the file to wherever you are running your php code at.

I thought this restricted users to only logged in:
[php] <?php
session_start();
?>[/php]

I also tried this with no success:

[php] <?PHP
session_start();

if (!(isset($_SESSION[‘login’]) && $_SESSION[‘login’] != ‘’)) {

header (“Location: login.php”);

}

?>[/php]

It doesn’t, it only starts the session system in PHP. If you use sessions then probably every page needs to start with this.

You can easily check if the condition works. Comment out the redirect line and add die(‘redirect’) inside it. If you get a blank page with ‘redirect’ it works. If not it doesn’t. You should then try each conditional and see which one isn’t valid. ie
[php]var_dump(isset($_SESSION[‘login’]);
var_dump($_SESSION[‘login’] != ‘’);
var_dump(!(isset($_SESSION[‘login’]) && $_SESSION[‘login’] != ‘’));[/php]One hint: is the exclamation mark where you want it to be in the above conditionals?

Redirects like this should be followed with an exit so no further PHP is parsed ad no more HTML it output

I basically don’t care about the sessions since now the ‘boss’ says he wants users to be logged in for months without having to relogin. That’s cookies. So now I have to break my secure system and make some cookies to hold the login data for months. My login is below and I can’t get the cookies to set to save me. Any help is appreciated.

I know they are not set because this is on the page this page lands on after redirect and the only cookie is the email…

[php] <?php print_r( $_COOKIE ); ?>

<?php

echo "Value is: " . $_COOKIE[$first_name];

?>

[php]<?php
include_once “header.php”;
include_once “includes/login.inc.php”;

if(logged_in()) {
redirect(“admin.php”);
}
?>

        </div>     

        <div style="padding-top:30px" class="panel-body" >

            <div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>

            <form id="loginform" class="form-horizontal" method="post" role="form">
                <div style="margin-bottom: 25px" class="input-group">
                    <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
                    <input id="email" type="text" class="form-control" name="email" value="" placeholder="Email">
                </div>
                <div style="margin-bottom: 25px" class="input-group">
                    <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
                    <input id="password" type="password" class="form-control" name="password" placeholder="Password">
                </div>
                <div class="input-group">
                    <div class="checkbox">
                        <label>
                          <input id="remember" type="checkbox" name="remember" value="1"> Remember me
                        </label>
                    </div>
                </div>

                <div style="margin-top:10px" class="form-group">
                    <div class="col-sm-4 controls">
                        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
                    </div>
                </div>
            </form> 


            <div class="form-group">
                <div class="col-md-12 control">
                    <div style="border-top: 1px solid#888; padding-top:15px; font-size:85%" >
                        Don't have an account! 
                        <a href="register.php">Sign Up Here</a>
                    </div>
                </div>
            </div>    
        </div>                     
    </div>  
</div>

$sql = "SELECT * FROM member WHERE email = '$email' AND password = '$password'";
$result = $conn->query($sql);

if ($result->num_rows == 1) {
	if (isset($_POST['remember'])) {
	    
	    	$first_name		= $_POST['first_name'];
$last_name		= $_POST['last_name'];
	    
		setcookie('email', $email, time() + 86400 *30 *30);
		setcookie('first_name', $first_name, time() + 86400 *30 *30);
		setcookie('last_name', $last_name, time() + 86400 *30 *30);
		setcookie('password', $password, time() + 86400 *30 *30);
	}

	$_SESSION['email'] = $email;

	redirect("admin.php");
	exit;
} else {
	set_message('<div class="alert alert-warning" role="alert" col-md-12"><p>Wrong username or password.</p></div>');
}

You can set session expiration time in PHP.

What Jim said. I don’t use cookies out of preference, because they are not to be relied on.

my secure system

You use md5 for passwords and and have user supplied data directly in your queries and dare to call it a “secure system”? LOL!