Logout Problem

For a website I’m developing, I have a header.html document that I include at the beginning of each PHP script. In the header, I have a login form. I use an if/else statement to display the login form for logged out users, and a logout link for logged in users. Works great with one problem. When logging out, since the header is at the beginning of logout.php, the if/else statement runs before the session is destroyed. So after logging out, the logout link is displayed rather than the login form. How do I get around this?

So why not destroy the session at the top of the page that header.html is being included in? Or alternatively, you could set up a redirect upon clicking the logout link to an action handler page. This page would destroy the session and then redirect the user back to the previous page they were on.

I don’t know. Why didn’t I? I was drowning in code for too long yesterday, I think I was starting to lose my mind. This worked, but it brought up a new problem. For the login form, the script I have running that form is programmed to send an error back through the URL to print on the page under the form, in the event that there is a login error. Everything works fine, except on logout. It brings up a PHP “undefined index” error. Is there another way to send the error from the login script to where the form is located, other than through the URL?

I figured out a better, more secure way to pass the error from one page to the other. However, that did not eliminate the PHP “undefined index” error.

What happened to my other post? Anyway, I said that I’ve destroyed the session before including the header so that works. But now I have a new problem. The form is sent to a script that sends back an error through a session variable in the event that there is a login problem. The error is then echoed on the page under the form. It all functions fine, except with the logout script. The error I send back to the original page causes the PHP to return an “undefined index” error under the login box when the logout script runs.

That error means you’re trying to access an array using an index that doesn’t exist. If you need further help with that, then post your code here.

<?php

ob_start();

ini_set('session.use_only_cookies', 1);
session_set_cookie_params(10800, '/');

session_start();

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<base href="http://localhost/bdb/">
<title><?php echo $page_title; ?></title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="includes/style.css" type="text/css" media="screen" />
<style type="text/css"></style>
</head>

<body>

<div id="banner">
<?php

if (!isset($_SESSION['name'])) {

echo '<form action="login.php" method="post">
<div id="log" style="background-color:#ffffff;height:auto;width:393px;float:right;margin:0;margin-top:1;padding:0;">
<font color="ff0000" size="3"><div id="mail" style="float:left;"><b>Email:</b> <input type="text" name="email" size="15" maxlength="60" /></div>
<div id="pw" style="float:left;margin-left:2%;margin-right:2%;"> <b>Password:</b> <input type="password" name="login" size="10" maxlength="12" /></div></font>
<div align="left"> <input type="submit" name="submit" value="Login" /></div>
<input type="hidden" name="submitted" value="TRUE" />

</form>';

echo $_SESSION['login']['warning'];
unset($_SESSION['login']['warning']);

echo $_SESSION['login']['warning2'];
unset($_SESSION['login']['warning2']);

echo '<div id="forgot" style="float:right;margin:0;margin-right:63px;padding:0;padding-top:2px;"><font size="2">Forgot Password? <a href="forgot_password.php" title="Reset Password">(Click here)</a></div></font>

</div>';

}

elseif (isset($_SESSION['name'])) {
echo '<div id="in" style="float:right;margin:0;margin-right:0px;padding:0;padding-top:0px;">';

echo "Hello, {$_SESSION['name']}<br />";

echo '<a href="change_password.php" title="Reset Password">Change your password</a><br />

<a href="logout.php" title="Logout">Logout</a></div>';
}

?>
<h1>Some Text Here</h1>
<h2>More Text Here</h2>

<ul id="navbar">

<?php

if (isset($_SESSION['name'])) {

echo '
<li><a href="plans.php" title="Plans">Architectural Drawings</a>
<ul class="subnav">
<li><a href="plans/garage.php" title="Garage">Garage</a></li>
<li><a href="plans/great_room.php" title="Great Room">Great Room</a></li>
<li><a href="plans/renovations.php" title="Renovations">Renovations</a></li>
</ul>
</li>
<li><a href="subcontractors.php" title="Subcontractors">Project Contacts</a></li>
<li><a href="webcam.php" title="Webcam">Live Webcam</a></li>
';
}

?>

</ul>

</div>

<!-- </div> -->

<div id="content">
<!-- End of Header -->

Login script:

<?php

require_once ('includes/config.inc.php');
$page_title = 'Login';
include ('includes/header.html');

// If name session variable exists, redirect the user:
if (isset($_SESSION['name'])) {

$url = BASE_URL . 'index.php'; // Define the URL.
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

}

if (isset($_POST['submitted'])) {

require_once (MYSQL);

// Validate the email address:
if (!empty($_POST['email'])) {
	$email = mysqli_real_escape_string ($dbc, $_POST['email']);
} else {
		$_SESSION['login']['warning'] = 'INVALID LOGIN';
		header('Location: ' . $_SERVER['HTTP_REFERER']);
		exit;	
}

// Validate the password:
if (!empty($_POST['login'])) {
	$p = mysqli_real_escape_string ($dbc, $_POST['login']);
} else {
		$_SESSION['login']['warning'] = 'INVALID LOGIN';
		header('Location: ' . $_SERVER['HTTP_REFERER']);
		exit;	
}

if ($email && $p) { // If everything's OK.

	// Query the database:
	$q = "SELECT id, name, email, lvl FROM users WHERE (email='$email' AND login=SHA1('$p'))";		
	$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

	if (@mysqli_num_rows($r) == 1) { // A match was made.

		// Register the values & redirect:
		$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 
		mysqli_free_result($r);

              $q = "UPDATE users SET last_login = NOW()
                    WHERE (email='$email' AND login=SHA1('$p'))";
		$r = @mysqli_query ($dbc, $q);

		mysqli_close($dbc);
						
		$url = 'index.php'; // Define the URL:
		ob_end_clean(); // Delete the buffer.
		header("Location: $url");
		exit(); // Quit the script.
			
	} else { // No match was made.
		$_SESSION['login']['warning'] = 'INVALID LOGIN';
		header('Location: ' . $_SERVER['HTTP_REFERER']);
		exit;	
	}
	
} else { // If everything wasn't OK.
		$_SESSION['login']['warning2'] = 'Please try again';
		header('Location: ' . $_SERVER['HTTP_REFERER']);
		exit;
}

mysqli_close($dbc);

} // End of SUBMIT conditional.

else {

$url = BASE_URL . 'index.php'; // Define the URL.
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

}

include ('includes/footer.html');

?>

Logout script:

<?php

$page_title = 'Logout';

session_start();

// If no email session variable exists, redirect the user:
if (!isset($_SESSION['email'])) {

$url = 'index.php'; // Define the URL.
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

} else { // Log out the user.

$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/'); // Destroy the cookie; the path must match the '/' set in header.html.

}

include ('includes/header.html');

echo '<h3>You are now logged out.</h3>';

include ('includes/footer.html');

?>
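A hardened form of the login script posted above, added here as an example and not the poster's code: it uses a prepared statement, `password_verify()` in place of `SHA1()`, a fixed redirect target rather than `HTTP_REFERER`, and a new session ID after login. The `password_hash` column is an assumption; `$dbc`, `MYSQL` and the other column names come from the posted script.

```php
<?php
// login.php: added example, not the poster's code.
// Assumption: users.password_hash (hypothetical column) holds password_hash() output.
require_once 'includes/config.inc.php';
require_once MYSQL;                       // provides $dbc, as in the posted script
session_set_cookie_params(10800, '/');    // same cookie parameters as header.html
session_start();

/** Store a one-time warning for the header and go back to a fixed page. */
function fail_login(string $msg): void
{
    $_SESSION['login']['warning'] = $msg;
    header('Location: index.php');        // fixed target instead of HTTP_REFERER
    exit;
}

/** Return the user's row if the credentials match, otherwise null. */
function find_user(mysqli $dbc, string $email, string $password): ?array
{
    // The email is bound as a parameter, so it is never parsed as SQL.
    $stmt = $dbc->prepare(
        'SELECT id, name, email, lvl, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $name, $mail, $lvl, $hash);
    $found = $stmt->fetch();              // true on a row, null when none matched
    $stmt->close();
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return ['id' => $id, 'name' => $name, 'email' => $mail, 'lvl' => $lvl];
}

$email    = trim($_POST['email'] ?? '');
$password = $_POST['login'] ?? '';
$user = ($email !== '' && $password !== '') ? find_user($dbc, $email, $password) : null;
if ($user === null) {
    fail_login('INVALID LOGIN');          // same message for every failure
}

session_regenerate_id(true);   // fresh session ID once the user is authenticated
foreach ($user as $key => $value) {
    $_SESSION[$key] = $value;  // set individual keys instead of replacing $_SESSION
}
header('Location: index.php');
exit;
```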

Are the errors being generated something to do with the following lines?


echo $_SESSION['login']['warning'];
unset($_SESSION['login']['warning']);

echo $_SESSION['login']['warning2'];
unset($_SESSION['login']['warning2']);

The IF statement block (that the above four lines are included in) will be executed when the user is currently logged out. This usually means there shouldn’t be any session data, which might be why you’re receiving the undefined indexes when trying to access non-existent indexes in your $_SESSION array. I am just guessing here though, since you didn’t specifically post the full error message you are receiving (which would have contained the index name you’re attempting to access, and the line number which the warning is occurring on).

Your guess is correct. That’s where the error is coming from. I already knew that though, I wasn’t wondering what was causing the error, I was wondering how to avoid it. But the strange thing is - it was only a problem when running the logout script. I could navigate the site, not logged in, and the PHP did not return an error on any other script. To fix the problem, I just did this:

if (isset($_SESSION['login']['warning'])) {
echo $_SESSION['login']['warning'];
unset($_SESSION['login']['warning']);
}

if (isset($_SESSION['login']['warning2'])) {
echo $_SESSION['login']['warning2'];
unset($_SESSION['login']['warning2']);
}
}

I don’t know why I didn’t think of that before.
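One way to write the action-handler logout suggested earlier in the thread, together with a notice-free, HTML-escaped read of the warning for the header. This is an added example and not code from any poster; the file name `includes/session.inc.php` and the function names are hypothetical.

```php
<?php
// includes/session.inc.php: added example with hypothetical helper names.

/** Start the session with the same cookie parameters on every page. */
function start_site_session(): void
{
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(10800, '/');
    session_start();
}

/** Empty the session, expire its cookie, and delete the server-side data. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // A deletion cookie only replaces the original when path and domain match.
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Log the user out before any output is sent, then redirect. */
function logout_and_redirect(string $to = 'index.php'): void
{
    if (isset($_SESSION['name'])) {
        destroy_session();
    }
    header('Location: ' . $to);   // the next request renders the login form
    exit;
}

/** For the header: return a warning once, HTML-escaped, or '' if none is set. */
function take_flash(string $key): string
{
    $msg = $_SESSION['login'][$key] ?? '';   // ?? avoids the undefined-index notice
    unset($_SESSION['login'][$key]);
    return htmlspecialchars((string) $msg, ENT_QUOTES, 'UTF-8');
}

// logout.php then consists of:
//   require 'includes/session.inc.php'; start_site_session(); logout_and_redirect();
// and the header prints: echo take_flash('warning'); echo take_flash('warning2');
```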