
broken logout function

some contents of the header:

[code]

//LOGIN
//set the login function
//make sure the pass is (md5) encrypted before passing it to the function
function login($user, $pass){
//see if you can grab perms under that username and pass
$result = mysql_query("SELECT `perms` FROM `users` WHERE `username` = '$user' and `pass` = '$pass'")
//(display a message if there is a mysql error)
or die("Error retrieving user info from the database, MYSQL said: " . mysql_error());
//if you can grab those perms, then their login info was correct
if(mysql_num_rows($result) > 0){
//set their username and perms to sessions
$_SESSION['user'] = $user;
$_SESSION['perms'] = mysql_result($result, 0);
//set their login info to a cookie so they dont have to re-login every time they close the browser window
setcookie("userpass", $user . "[[[---___BREAK___---]]]" . $pass, time() + 3024000);
//tell the script theyre now logged in
return TRUE;
}
else{
//tell the script they must have entered the wrong login info
return FALSE;
}
}

//set the logout function
function logout(){
//kill their sessions
$_SESSION['user'] = FALSE;
$_SESSION['perms'] = FALSE;
//kill the cookie with their login info
setcookie("userpass", "" , -1);
return TRUE;
}

//grab the action
$action = $_GET['action'];
//if they wanted to log out
if($action == "logout"){
logout();
//tell them it all went according to plan
$_SESSION['response'] = $_SESSION['response'] . "You are now logged out." . "<br />\n";
}

//if they already have a cookie with login info
if($_COOKIE['userpass']){
//separate the username from the pass
$userpass_array = explode("[[[---___BREAK___---]]]", $_COOKIE['userpass']);
//log them in
if(!login($userpass_array[0], $userpass_array[1])){
//but if their login info was wrong, kill the cookie
setcookie("userpass", "" , -1);
}
}

//if theyre logged in, double check their info
if($_SESSION['user']){
$result = mysql_query("SELECT * FROM `users` WHERE `username` = '" . $_SESSION['user'] . "'")
or die("Error getting your user info, MySQL said: " . mysql_error());
$user_info = mysql_fetch_array($result, MYSQL_ASSOC);
//as long as their account isnt frozen, theyre good
if($user_info[perms] != -1 && $user_info[username]){
$_SESSION['user'] = $user_info[username];
$_SESSION['perms'] = $user_info[perms];
}
//if their account became frozen or was deleted, log them out
else{
logout();
}
}
[/code]

everything else must be good, because when i hit my logout link i DO get that “you have been successfully logged out” response, however the cookie hasnt been killed cus the page still shows my user info, no matter how many times i reload it or visit other pages. maybe i need to kill the session cookie?

@chazzy Dec 21.2005 — try using the session_unset() function to kill the session.

you're also passing an invalid expire date/time, so it's not setting the cookie. you can try using $_COOKIE['username'] = FALSE;

edit: also see here, as you two asked the same question within a few minutes of each other. http://www.webdeveloper.com/forum/showthread.php?t=89262

@gameguy43 (author) Dec 21.2005 — tried all that, and the thing u suggested on that other thread. no luck. any more ideas?

updated code:
[code=php]
//LOGIN
//set the login function
//make sure the pass is (md5) encrypted before passing it to the function
function login($user, $pass){
//see if you can grab perms under that username and pass
$result = mysql_query("SELECT perms FROM users WHERE username = '$user' and pass = '$pass'")
//(display a message if there is a mysql error)
or die("Error retrieving user info from the database, MYSQL said: " . mysql_error());
//if you can grab those perms, then their login info was correct
if(mysql_num_rows($result) > 0){
//set their username and perms to sessions
$_SESSION['user'] = $user;
$_SESSION['perms'] = mysql_result($result, 0);
//set their login info to a cookie so they dont have to re-login every time they close the browser window
setcookie("userpass", $user . "[[[---___BREAK___---]]]" . $pass, time() + 3024000);
//tell the script theyre now logged in
return TRUE;
}
else{
//tell the script they must have entered the wrong login info
return FALSE;
}
}

//set the logout function
function logout(){
//kill their sessions
$_SESSION['user'] = FALSE;
$_SESSION['perms'] = FALSE;
$_COOKIE['user'] = FALSE;
$_COOKIE['pass'] = FALSE;
session_unset();
session_destroy();
session_start();
//kill the cookie with their login info
setcookie("userpass", "" , mktime(12,0,0,1, 1, 1990));
$_SESSION['response'] = $_SESSION['response'] . "passed the logout function." . "<br />\n";
return TRUE;
}

//grab the action
$action = $_GET['action'];
//if they wanted to log out
if($action == "logout"){
logout();
//tell them it all went according to plan
$_SESSION['response'] = $_SESSION['response'] . "You are now logged out." . "<br />\n";
}

//if they already have a cookie with login info
if($_COOKIE['userpass']){
//separate the username from the pass
$userpass_array = explode("[[[---___BREAK___---]]]", $_COOKIE['userpass']);
//log them in
if(!login($userpass_array[0], $userpass_array[1])){
//but if their login info was wrong, kill the cookie
setcookie("userpass", "" , mktime(12,0,0,1, 1, 1990));
}
}

//if theyre logged in, double check their info
if($_SESSION['user']){
$result = mysql_query("SELECT * FROM users WHERE username = '" . $_SESSION['user'] . "'")
or die("Error getting your user info, MySQL said: " . mysql_error());
$user_info = mysql_fetch_array($result, MYSQL_ASSOC);
//as long as their account isnt frozen, theyre good
if($user_info[perms] != -1 && $user_info[username]){
$_SESSION['user'] = $user_info[username];
$_SESSION['perms'] = $user_info[perms];
}
//if their account became frozen or was deleted, log them out
else{
logout();
}
}
[/code]

@bathurst_guy Dec 21.2005 — I use this for my logout and haven't had any issues with it yet:
[code=php]
$_SESSION = array();
session_destroy();
[/code]

@gameguy43 (author) Dec 21.2005 — added that too, along with the ridiculous amount of other things used to kill the sessions....

just remembered, ive had problems before because php executed stuff out of order, which i find extremely stupid and annoying, but php does sometimes do it. Could that possibly be the problem here? I dont exactly see how, because if ive already killed the session and the cookie it wouldnt have anything to do those other functions with.... but im running out of ideas, and some code similar to this used to work when it was on a different page, not until i put all these functions into the header file did the logout function break (though the login function still works)

@bathurst_guy Dec 21.2005 — Well maybe after you kill the session you may need to reload the page? [code=php]header("Location: ".$_SERVER['PHP_SELF']);[/code]

@gameguy43 (author) Dec 21.2005 — this is more complex than that, i reload the page multiple times and visit other pages... been playing with it and turns out now when i hit the link it logs me out the first time, then i go somewhere else and im logged in again. but heres the thing... if i log out like 7 times, not just in a row, but like log out, go to another page, log out, etc, then it DOES work eventually... OMFG WTF STFU!!!

why wont this work!?!?!?!?!??!?!1

@bathurst_guy Dec 21.2005 — Weird. Is the code above just included into each page?

@gameguy43 (author) Dec 21.2005 — yeh, its included at the top of each page

edit: ive added even more crap, heres the updated code:
[code=php]
//LOGIN
//set the login function
//make sure the pass is (md5) encrypted before passing it to the function
function login($user, $pass){
//see if you can grab perms under that username and pass
$result = mysql_query("SELECT perms FROM users WHERE username = '$user' and pass = '$pass'")
//(display a message if there is a mysql error)
or die("Error retrieving user info from the database, MYSQL said: " . mysql_error());
//if you can grab those perms, then their login info was correct
if(mysql_num_rows($result) > 0){
//set their username and perms to sessions
$_SESSION['user'] = $user;
$_SESSION['perms'] = mysql_result($result, 0);
//set their login info to a cookie so they dont have to re-login every time they close the bowser window
setcookie("userpass", $user . "[[[---___BREAK___---]]]" . $pass, time() + 3024000);
//tell the script theyre now logged in
return TRUE;
}
else{
//tell the script they must have entered the wrong login info
return FALSE;
}
}

//set the logout function
function logout(){
//kill their sessions
$_SESSION['user'] = FALSE;
$_SESSION['perms'] = FALSE;
$_COOKIE['user'] = FALSE;
$_COOKIE['pass'] = FALSE;
$_COOKIE['userpass'] = FALSE;
$_SESSION = array();
$_COOKIE = array();
session_unset();
session_destroy();
session_start();
//kill the cookie with their login info
setcookie("userpass", "" , mktime(12,0,0,1, 1, 1990));
$_SESSION['response'] = $_SESSION['response'] . "passed the logout function." . "<br />\n";
return TRUE;
}

//grab the action
$action = $_GET['action'];
//if they wanted to log out
if($action == "logout"){
logout();
//tell them it all went according to plan
$_SESSION['response'] = $_SESSION['response'] . "You are now logged out." . "<br />\n";
}

//if they already have a cookie with login info
if($_COOKIE['userpass']){
//separate the username from the pass
$userpass_array = explode("[[[---___BREAK___---]]]", $_COOKIE['userpass']);
//log them in
if(!login($userpass_array[0], $userpass_array[1])){
//but if their login info was wrong, kill the cookie
setcookie("userpass", "" , mktime(12,0,0,1, 1, 1990));
}
}

//if theyre logged in, double check their info
if($_SESSION['user']){
$result = mysql_query("SELECT * FROM users WHERE username = '" . $_SESSION['user'] . "'")
or die("Error getting your user info, MySQL said: " . mysql_error());
$user_info = mysql_fetch_array($result, MYSQL_ASSOC);
//as long as their account isnt frozen, theyre good
if($user_info[perms] != -1 && $user_info[username]){
$_SESSION['user'] = $user_info[username];
$_SESSION['perms'] = $user_info[perms];
}
//if their account became frozen or was deleted, log them out
else{
logout();
}
}
[/code]

@bathurst_guy Dec 21.2005 — All i can think of is that your TRUE and FALSE should all be in lowercase

@NewZealand Dec 21.2005 — Why not have a separate logout file, in this instance logout.php

[code=php]
<!-- link to log out with -->
<a href="logout.php">Log out</a>

<?php
// logout.php
session_start();
session_destroy();
setcookie("userpass", "", mktime(12, 0, 0, 1, 1, 1990));
header("Location: index.php?logout=yes"); // page to be redirected to after logging out; could use $_SERVER['HTTP_REFERER'], i think
?>
[/code]

@gameguy43 (author) Dec 21.2005 — cus i dont want to, this is more convenient for redirecting back to where they came from and plus i use this logout function later in the script in a part that needs to be on every page, so a separate page for normal logout would be a waste of code.

i have done some tests and when i comment out the bottom 2 blocks it works, so the thing that i said about php executing stuff in a weird order was right. i need nogdog to save me!

@bathurst_guy Dec 21.2005 — what if you change them to

if(isset($_COOKIE['userpass'])){

and

if(isset($_SESSION['user'])){

@NogDog Dec 21.2005 — I always just follow the example from the [url=http://www.php.net/session_destroy]session_destroy[/url] page:
[code=php]
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>
[/code]

@gameguy43 (author) Dec 22.2005 — if you look in my code there i have all that stuff already. Now ive tried putting those second 2 blocks in an if statement, but that doesnt help cus it re-logs you in once you visit another page, the logout DOES work for the first page. This is really weird, somehow the cookie just isnt dying or something.... and it worked fine when i killed those second 2 blocks... im out of ideas, and this needs to be fixed. help pls!

so turns out even when i just hit logout and the page doesnt see me as logged in and stuff... the cookies arent being killed. heres the code:

[code=php]
//LOGIN
//set the login function
//make sure the pass is (md5) encrypted before passing it to the function
function login($user, $pass){
//see if you can grab perms under that username and pass
$result = mysql_query("SELECT `perms` FROM `users` WHERE `username` = '$user' and `pass` = '$pass'")
//(display a message if there is a mysql error)
or die("Error retrieving user info from the database, MYSQL said: " . mysql_error());
//if you can grab those perms, then their login info was correct
if(mysql_num_rows($result) > 0){
//set their username and perms to sessions
$_SESSION['user'] = $user;
$_SESSION['perms'] = mysql_result($result, 0);
//if they dont have a cookie with login info
if(!$_COOKIE['userpass']){
//give em one
setcookie("userpass", $user . "[[[---___BREAK___---]]]" . $pass, time() + 3024000);
}
//tell the script theyre now logged in
return TRUE;
}
else{
//tell the script they must have entered the wrong login info
return FALSE;
}
}

//set the logout function
function logout(){
//kill their sessions
$_SESSION['user'] = FALSE;
$_SESSION['perms'] = FALSE;
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
$_COOKIE = array();
session_unset();
session_destroy();
session_start();
//kill the cookie with their login info
setcookie("userpass", "" , time() - 999999999999);
$_SESSION['response'] = $_SESSION['response'] . " passed the logout function." . "<br />\n";
return TRUE;
}

//grab the action
$action = $_GET['action'];
//if they wanted to log out
if($action == "logout"){
logout();
//tell them it all went according to plan
$_SESSION['response'] = $_SESSION['response'] . "You are now logged out." . "<br />\n";
}

else{

//if they already have a cookie with login info
if($_COOKIE['userpass']){
//separate the username from the pass
$userpass_array = explode("[[[---___BREAK___---]]]", $_COOKIE['userpass']);
//log them in
if(!login($userpass_array[0], $userpass_array[1])){
//but if their login info was wrong, kill the cookie
setcookie("userpass", "" , mktime(12,0,0,1, 1, 1990));
}
}

//if theyre logged in, double check their info
if($_SESSION['user']){
$result = mysql_query("SELECT * FROM `users` WHERE `username` = '" . $_SESSION['user'] . "'")
or die("Error getting your user info, MySQL said: " . mysql_error());
$user_info = mysql_fetch_array($result, MYSQL_ASSOC);
//as long as their account isnt frozen, theyre good
if($user_info[perms] != -1 && $user_info[username]){
$_SESSION['user'] = $user_info[username];
$_SESSION['perms'] = $user_info[perms];
}
//if their account became frozen or was deleted, log them out
else{
logout();
}
}
}
[/code]


so it looks like even tho i put those second 2 blocks in an if (didnt bother to adjust indents) the script is still executing them, so its calling the login function and getting me new cookies! but then that doesnt make sense cus it isnt setting the sessions cus the page sees me as logged out.... maybe just for some reason it wont kill the cookies?

i dont know, this is all very weird, any ideas?

@NogDog Dec 22.2005 — I think you need a session_start() before you do anything else in the script. The $_SESSION array is not populated until then, so anything you do to it before then will get overwritten at that point. Also, the other session_*() functions won't really do anything until after you do a session_start().

@gameguy43 (author) Dec 22.2005 — i already have a session start earlier in the script

@NogDog Dec 22.2005 — Nope, in the last version you posted, your only session_start is more than halfway through the logout() function. Just move it to the very start of the script, outside of all the functions, and maybe you'll have more success.

@gameguy43 (author) Dec 22.2005 — i know, but i have a session start earlier in that script, i didnt post the whole thing cus lots of it is irrelevant and it has my db info

@NogDog Dec 22.2005 — Hmm...well, you probably should take the session_start() out of the logout function then. I don't know if that would make a difference, but it doesn't seem like a good idea.

@gameguy43 (author) Dec 22.2005 — fine, took it out, i just added it to satisfy some people by putting ALL the crap they threw at me suggesting resolutions to this problem. still no difference.

like ive said, if i comment out the contents of that else that arent yet properly indented, it works fine, so for some reason that stuff's being run even though its in an else

@bathurst_guy Dec 22.2005 — did you read my last post, try changing the else statements to contain isset() as even if the value of the cookie or session variable is false, your current if statements will still return them true because you are just checking to see if they exist - not if they have a not null value

@gameguy43 (author) Dec 22.2005 — ok now im quite sure that thats simply an untrue statement, quite sure that a blank item is the same as 0, same as false, but of course ill humor you just in case.

edit: plus those things are in an else so it shouldnt even get looked at anyway...

nope, no difference

but were on the right track here, something needs to be changed in that else, some stuff is getting executed that shouldnt be.

@bathurst_guy Dec 22.2005 — Check this [url=http://www.webdeveloper.com/forum/showthread.php?t=88265&highlight=isset]thread[/url]

@gameguy43 (author) Dec 22.2005 — irrelevant, and if you look the dood had it right in the first place, his error was elsewhere, that thread is a pointless argument.
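
Added example, not part of the thread or any poster's code: a persistent-login cookie that carries a random token instead of the username and MD5 password hash, so that logout can revoke it server-side, delete it with the same path it was set with, and skip cookie auto-login in the same request. `$store` (standing in for a database table), `REMEMBER_COOKIE`, `COOKIE_OPTS` and the function names are hypothetical; the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). $store stands in for a database table;
// REMEMBER_COOKIE, COOKIE_OPTS and every function name here are hypothetical.
const REMEMBER_COOKIE = 'remember';
// A cookie is only overwritten or deleted when name, path and domain match the
// ones it was set with, so every setcookie() call shares these options.
const COOKIE_OPTS = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

function send_cookie(string $value, int $expires): void {
    if (!headers_sent()) { // guard so the constructed demo also runs from the CLI
        setcookie(REMEMBER_COOKIE, $value, ['expires' => $expires] + COOKIE_OPTS);
    }
}

function issue_token(array &$store, string $user): string {
    $selector  = bin2hex(random_bytes(8));  // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires   = time() + 3024000;          // lifetime used in the thread's code
    $store[$selector] = ['user' => $user, 'hash' => hash('sha256', $validator), 'expires' => $expires];
    send_cookie("$selector:$validator", $expires);
    return "$selector:$validator";
}

function check_token(array $store, string $cookie): ?string {
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user'] : null;
}

function logout(array &$store, array &$cookies, array &$session): void {
    if (isset($cookies[REMEMBER_COOKIE])) { // revoke server-side: a copied cookie dies too
        unset($store[explode(':', $cookies[REMEMBER_COOKIE], 2)[0]]);
    }
    unset($cookies[REMEMBER_COOKIE]); // setcookie() does not change the request's cookie array
    $session = [];
    send_cookie('', 1);               // expiry in the past, same path as when it was set
}

function handle_request(array &$store, array $get, array &$cookies, array &$session): void {
    if (($get['action'] ?? '') === 'logout') {
        logout($store, $cookies, $session);
        return; // never fall through to cookie auto-login in the logout request
    }
    if (empty($session['user']) && isset($cookies[REMEMBER_COOKIE])) {
        $user = check_token($store, $cookies[REMEMBER_COOKIE]);
        if ($user !== null) { $session['user'] = $user; } else { send_cookie('', 1); }
    }
}

// Constructed demo: log in, log out, then replay the old cookie value.
$store = []; $session = [];
$old = issue_token($store, 'alice');
$cookies = [REMEMBER_COOKIE => $old];
handle_request($store, ['action' => 'logout'], $cookies, $session);
$replay = [REMEMBER_COOKIE => $old];
handle_request($store, [], $replay, $session);
var_dump($session);
```

In a real page the last three arguments would be `$_GET`, `$_COOKIE` and `$_SESSION`, passed after `session_start()` and before any output.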