How to unregister Kevin Yank's Controlling Access script?

**ckchin** · Nov 10, 2003 08:01

As per article written by Kevin Yanks, titled Managing Users with PHP Sessions and MySQL Part 2: Controlling Access, at http://www.sitepoint.com/article/319/4, how can I unregister the session register?

I tried many as follows, but did't succeed.

PHP Code:


function do_Logout() {
// Initialize the session. 
// If you are using session_name("something"), don't forget it now! 
session_start(); 
// Unset all of the session variables.
unset($uid);
unset($uid);
unset($_SESSION['uid']);
unset($_SESSION['uid']);
unset($username);
unset($_SESSION["myname"]);
$_SESSION = array(); 
// Finally, destroy the session. 
session_destroy(); 
exit;
}

Thanks in advance for your help.

**rae** · Nov 10, 2003 08:26

Have you tried that?

session_unset ( );

(From php manual)
The session_unset() function frees all session variables currently registered.

Cheers!

**Gaheris** · Nov 10, 2003 09:24

If you use session_register then you have to use session_unregister. But if you use (as you should with newer PHP versions) the superglobal $_SESSION array then you unset a single session variable with unset($_SESSION['varname']) and if you want to unset them all you use $_SESSION = array()

**ckchin** · Nov 10, 2003 09:47

Below is my accesscontrol.php

PHP Code:


<?php // accesscontrol.php
error_reporting (E_ALL ^ E_NOTICE);
include_once "./common.php";
include_once "./db.php";
include_once "./functions.php";
 
session_start();
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
 
if(!isset($uid)) {
login_form();
exit;
}
 
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
 
dbConnect("sessions");
$sql = "SELECT * FROM user WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [email="you@example.com"]you@example.com[/email].');
}
 
if (mysql_num_rows($result) == 0) {
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
login_form();
exit;
}
 
$username = mysql_result($result,0,'fullname');
$_SESSION["myname"]=$username;
 
function ckdisplayname(){
//global $username;
echo "<P>";
echo "<P>";
echo "<P>";
echo $_SESSION["myname"];
echo $username; // no display
}
?>

My functions.php:

PHP Code:


<?
// functions.php
function login_form() {
global $PHP_SELF, $HTTP_REFERER, $HTTP_HOST, $REQUEST_URI;
global $uid, $pwd, $validate, $logfailed;
$listing_title="Surfmark's login form";
$msg="";
$format="";
echo '<br>';
//tableform1a($listing_title);
if ($logfailed && $uid == '') {
$msg .= "- Please fill in the uid field!<br>";
$format = "BAD";
}
if ($logfailed && $pwd == '') {
$msg .= "- Please fill in the your password field!<br>";
$format = "BAD";
}
if ($logfailed && $uid && $pwd && have_validated($uid) && incorrect_log_code($uid, $pwd)){
$msg .= "- Login failed. Please make sure your have typed in your uid and password correctly.<br>";
$format = "BAD";
}
if ($logfailed && $uid && $pwd && !have_validated($uid)){
$msg .= "- Possibility 1: There is no such uid in our database.<br>";
$msg .= "- Possibility 2: Membership has not been validated.<br>";
$format = BAD;
}
//$furl="[url="http://&quot;.$_server['http_host'].$request_uri/"]http://".$_SERVER['HTTP_HOST'].$REQUEST_URI[/url];
$furl=$_SERVER['PHP_SELF'];
//$_SERVER['REQUEST_URI']
//$furl=$HTTP_REFERER;
//$furl=$PHP_SELF;
// <FORM METHOD="POST" ACTION="<? echo $furl
?>
<FORM METHOD="POST" ACTION="<? echo $furl?>">
<table border="0" cellpadding="3" width="100%">
<tr>
    <td width="100%" align="right" height="19" colspan="3">
    <p align="left"><b><font color="#000080">Please log in to access the page 
    you requested.</font></b></td>
</tr>
<? if ($msg) { ?>
<tr>
    <td width="100%" align="right" height="19" valign="top" colspan="3">
    <p align="left"><b><font color="#FF0000">Error :</font></b><br><?=$msg;?><br>
    </td>
</tr>
<? } if ($format=="BAD" || !$logfailed) { # if format equal to BAD OR NO $logfailed ?>
<tr>
    <td width="18%" align="right" height="20">User ID</td>
    <td width="3%" align="center" height="20">:</td>
    <td width="79%" height="20" align="left">
    <input name="uid" size="20" value="<?=$uid;?>"></td>
</tr>
<tr>
    <td width="18%" align="right" height="22">Password</td>
    <td width="3%" align="center" height="22">:</td>
    <td width="79%" height="22" align="left">
    <input name="pwd" size="20" type="password" value="<?=$pwd;?>"></td>
</tr>
<tr>
    <td width="18%" align="right" height="19">Action</td>
    <td width="3%" align="center" height="19">:</td>
    <td width="79%" height="19" align="left">
    <INPUT TYPE="submit" VALUE="Login" NAME="Submit" align="left"></td>
</tr>
<tr>
    <td width="100%" height="19" valign="top" colspan="3">
</td>
</tr>
</table>
</FORM>
<?
} // ends if ($format == BAD || !$logfailed) {
} // ends login_form()
 
function do_Logout() {
// Initialize the session. 
// If you are using session_name("something"), don't forget it now! 
session_start(); 
session_unset();
// Initialize the session. 
// If you are using session_name("something"), don't forget it now! 
//session_start(); 
//unset($uid);
//unset($pwd);
// Unset all of the session variables. 
//$_SESSION = array(); 
// Finally, destroy the session. 
//session_destroy(); 
//unset($_SESSION['uid']);
//unset($_SESSION['pwd']);
}
 
?>

I use the above script to protect several scripts:

PHP Code:


<?php // protectedpage2.php
 
include 'accesscontrol.php'; 
switch($a) {
case "logout":do_logout();break;
default:
message();
break;
}
function message(){
?>
<html xmlns="[url="http://www.w3.org/1999/xhtml"]http://www.w3.org/1999/xhtml[/url]">
<head>
<title> Members-Only Page </title>
<meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1
</head>
<body>
<p>Welcome, <?=$username?>! You have entered a members-only area
of the site. Don't you feel special?</p>
<p><a href="[url="http://localhost/accesscontrol/index.php?a=logout"]http://localhost/accesscontrol/index.php?a=logout[/url]">
[url="http://localhost/accesscontrol/index.php?a=logout</a></p"]http://localhost/accesscontrol/index.php?a=logout</a></p[/url]>
<p><a href="[url="http://localhost/accesscontrol/protectedpage3.php?a=logout"]http://localhost/accesscontrol/protectedpage3.php?a=logout[/url]">
[url="http://localhost/accesscontrol/protectedpage3.php?a=logout</a></p"]http://localhost/accesscontrol/protectedpage3.php?a=logout</a></p[/url]>
</body>
</html>
<? } ?>

PHP Code:


<?php 
// protectedpage3.php
include 'accesscontrol.php'; 
switch($a) {
case "logout":do_logout();break;
default:
message();
break;
}
function message(){
?>
<html xmlns="[url="http://www.w3.org/1999/xhtml"]http://www.w3.org/1999/xhtml[/url]">
<head>
<title> Members-Only Page </title>
<meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1
</head>
<body>
<p>Welcome, <?=$username?>! You have entered a members-only area
of the site. Don't you feel special?</p>
<p><a href="[url="http://localhost/accesscontrol/protectedpage2.php?a=logout"]http://localhost/accesscontrol/protectedpage2.php?a=logout[/url]">
[url="http://localhost/accesscontrol/protectedpage2.php?a=logout</a></p"]http://localhost/accesscontrol/protectedpage2.php?a=logout</a></p[/url]>
<p><a href="[url="http://localhost/accesscontrol/protectedpage3.php?a=logout"]http://localhost/accesscontrol/protectedpage3.php?a=logout[/url]">
[url="http://localhost/accesscontrol/protectedpage3.php?a=logout</a></p"]http://localhost/accesscontrol/protectedpage3.php?a=logout</a></p[/url]>
</body>
</html>
<? } ?>

Tried many of them but no working ...

.
Help needed. Thanks in advance.

**Gaheris** · Nov 10, 2003 10:37

So you want to know how to log off/end a session?

PHP Code:


session_start();

$_SESSION = array();

session_destroy();

One thing I noticed in your code, you're mixing code depending on register_globals on and some newer code. Why don't you always use the superglobal arrays? So instead of having to global the variables in a function you just use $_SERVER['HTTP_HOST'].
Read this about predefined variables.

**ckchin** · Nov 10, 2003 11:03

Originally Posted by Gaheris

So you want to know how to log off/end a session?

PHP Code:


session_start();
$_SESSION = array();
session_destroy();

I did try many of these combinations in my do_Logout function, and I have no idea why non of them work.

For example your suggestion in function do_Logout

PHP Code:


function do_Logout() {

session_start();
$_SESSION = array();
session_destroy();
}

Not working

Any thing wrong with my switch?

PHP Code:


switch($a) {
  case "logout":do_logout();break;
  default:
  message();
  break;
}

**Gaheris** · Nov 10, 2003 12:59

What exactly doesn't work? Is the session still available?

**ckchin** · Nov 10, 2003 17:28

Yes, session is still available.

**rae** · Nov 10, 2003 22:15

Hi!

Hm... First... if you debug a script, don't forget to set
error_reporting(E_ALL);
This will save you a _lot_ of time when you develop/debug scripts.
Notice, that in your script it's:
error_reporting (E_ALL ^ E_NOTICE);

First change that... maybe that will show you some "invisible" bad stuff...

PHP Code:


>"Any thing wrong with my switch?"

switch($a) {
  case "logout":do_logout();break;
  default:
  message();
  break;
}

Ok... and then check your php settings with phpinfo() function. I'm not sure, because I don't know your webserver settings, but if "register_globals" is "Off" then... I think maybe your function logout() won't be called.

Because if $a is an HTTP GET variable like in this script,
and register globals is off, you'll get an error (I think just notice). And if it's a notice and _not_ error, then because of error_reporting (E_ALL ^ E_NOTICE); you won't see the problem itself.

If register globals is "Off":
You can reach your $a variable with $_GET['a'] or if you can't use $_GET because of older php version, then use $HTTP_GET_VARS['a']

If register globals is "On":
then... I think I was wrong =)

Sorry, I haven't tried the code, it's just my oppinion at the first sight.
But anyway... use of: error_reporting(E_ALL) is a good thing for debugging... don't forget! =)

PS: session stuff seems ok for me and I checked my php.ini settings about sessions... and I didn't found anything that could cause this persistent behaviour. Give it a try! =)

**ckchin** · Nov 10, 2003 23:01

Thanks rae!!!

My register globals is "Off".

Problem solved! HAVING ADDITIONAL PROBELM AGAIN!!!

PHP Code:


switch($_GET["a"]) {
case "logout":do_logout();break;
default:
message();
break;
}

After use the switch($_GET["a"]) .

Just asking, I try $HTTP_GET_VARS['a']
This one works as well!
Why? My PHP version is php-4.3.3

The $HTTP_GET_VARS was introduced in PHP version earlier than 4.1.0.
Does this mean that we can use $HTTP_GET_VARS as long as our PHP is 4.1.0 above or even future version of it, like PHP5.0, etc?

Thanks.

**rae** · Nov 11, 2003 00:16

Originally Posted by ckchin

Thanks rae!!!

My register globals is "Off".

Problem solved!
...

Just asking, I try $HTTP_GET_VARS['a']
This one works as well!
Why? My PHP version is php-4.3.3

The $HTTP_GET_VARS was introduced in PHP version earlier than 4.1.0.
Does this mean that we can use $HTTP_GET_VARS as long as our PHP is 4.1.0 above or even future version of it, like PHP5.0, etc?

Thanks.

Hm...

So my eyes aren't bad. =) Good to hear that!

(From php manual)
Predefined variables

$_GET Variables provided to the script via HTTP GET. Analogous to the old $HTTP_GET_VARS array (which is still available, but deprecated).

So...$HTTP_GET_VARS and others works for me on PHP Version 4.3.3RC1. But as in the manual, it's deprecated. Maybe they will remove it. I don't know...sorry.

I'd like to know that too. And I can't say anything about php 5, because I use an older one. But I think it will contain these variables.

And read the manual, you can learn other things about these variables...example:
these superglobals cannot be used as variable variables. And there are some words about scope of variables... It's good to know...

Cheers! =)

**ckchin** · Nov 11, 2003 14:01

After trying many of these, sessions still available!
Please refer to picture for better understanding my problem.
Thanks in advance.

Additional Question:
Just asked my web hoster, they have global setting is enabled. Question, any potential security problem when having the global setting enable?

PHP Code:


function do_Logout() {
session_start();
/*
if (isset($_POST['uid']) { 
unset($_POST['uid']); 
} else { 
unset($_SESSION['uid']); 
} 
if (isset($_POST['pwd']) { 
unset($_POST['pwd']); 
} else { 
unset($_SESSION['pwd']); 
}
*/
session_unset();
unset($_SESSION);
//unset($uid);unset($pwd);
//unset($_POST['uid']);unset($_POST['uid']);
//$_SESSION['uid'] = '';
//$_SESSION['pwd'] = '';
$_SESSION = array(); 
session_destroy(); 
login_form();
exit;
}

Picture url:
http://www.geocities.com/mrckchin/error.htm

**rae** · Nov 11, 2003 22:18

Hm... weird...
Can you attach all of the codes you've used?
I can test it on my machine... and maybe that will help.

And about the red text on the picture...
1- After clicking on the logout link, the login form processed... it's ok
2- If you click back, and you get "page expired" that's about the header things in html... it's ok
3- If you refresh with resending the data and you get a logged in status... that's bad. :P that's indicating the logout wasn't ok.
so I need the code to help more. =)

**ckchin** · Nov 12, 2003 02:13

Thanks rae,

My attachment of the said files is at the below url:

http://www.geocities.com/mrckchin/ck...pointforum.zip

Thanks in advance first.

ckchin

**ckchin** · Nov 12, 2003 22:43

up for attention.

**rae** · Nov 13, 2003 03:17

Hi!

Sadly, but same problem here... I made some correction in the code, but the browser back button thing is the same...
I think it's not your "mistake"... it's about the ~concept.

So now, I'm making a completely new login mechanism! Maybe today, I'm gonna finish it. If I'm ready with it, I'm gonna attach the sources here... ok?

I'm thinking about to write an article about that to sitepoint... but I'm not registered as a contributor...

So please be patient a bit, while I'm finishing it... I need to hurry, because I need these scripts in my work too.

)

**ckchin** · Nov 13, 2003 10:14

Thanks. Waiting to your solution.

User Tag List

Thread: How to unregister Kevin Yank's Controlling Access script?

Thread Tools

Display

unregister Kevin Yank's Controlling Access script? HAVING ADDITIONAL PROBELM AGAIN!!!

Bookmarks

Bookmarks

Posting Permissions