Logout and Login is Screwy

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • DavidPr
    New Member
    • Mar 2007
    • 155
    #1

    Logout and Login is Screwy

    When I logout as one user and log in under a different user, it opens with the last user's information.

    User 1 - Unsername: Davey Jones

    User 2 - Unsername: David Smith

    I log out from Davey Jones, then login as David Smith the Welcome message below will show "Welcome Davey". And it will be Davey's information that is accessible - not David Smith's. So something is amiss but I don't know what.

    (BTW, this login script is based on the one found in Larry Ullman's book "PHP and MySQL for dynamic websites 2nd edition - Chapter13.)

    Code:
    // Welcome the user (by name if they are logged in).
echo '<h1>Welcome';
if (isset($_SESSION['first_name'])) {
	echo ", {$_SESSION['first_name']}!";
}
echo '</h1>';
    Here's what I'm trying to do. I use a functions.php page that contains my core website and I call it on every single Web page. For instance on the index.php page it'll have this at the top and bottom of the page:

    Code:
    [b]At Top of Page[/b]
<?php
ob_start();
// Initialize a session.
session_start();
$page_title = "Home";
include('includes/config.inc.php');
include('functions.php');
do_html_header($page_title);
?>

[b]At Bottom of Page[/b]
<?php
bottom();
footer();
?>
    In between the top and bottom is the content for that page.

    The login scripts are located in a folder called "members" - /mysite.com/members/login.php
    The pages in the members folder has this at the top of each page:
    Code:
    [b]At Top of Page[/b]
<?php 
include('./../includes/sess.php');
include('./../includes/config.inc.php');
include('js_functions.php');
$page_title = 'Member Control Panel';
include('./../includes/top.php');
login_check();
main_bar();
    The exception here would the index.php, register and login.php pages which would have real_login_chec k() function instead of the login_check() and main_bar() functions.

    The sess.php contains:
    Code:
    <?php
// This page begins the HTML header for the site.
// Start output buffering.
ob_start();
// Initialize a session.
session_start();
?>
    The top.php contains:
    Code:
    <?php
include("./../functions.php");
do_html_header($page_title);
echo "<h3>$page_title</h3><br>";
?>
    These php pages are located in a folder called "includes" under the root directory - /mysite.com/members/includes/sess.php
    The js_function.php page is located in the members folder.

    The js_functions.ph p contains:
    Code:
    <?php

function welcome_bar()
{
echo "
<center>
<div style='width:95%; background-color:#EAF4FF; padding:3px'>
<strong>Welcome!</strong>
</div>
</center>
<br><br>
";
}



function pages_bar()
{
echo "
<center>
<div style='width:95%; background-color:#EAF4FF; padding:3px'>
Return to <a href='main.php'><u><strong>Member Control Panel</strong></u></a>
</div>
</center>
<br><br>
";
}



function main_bar()
{
echo "
<center>
<div style='width:95%; background-color:#EAF4FF; padding:3px'>
<strong>What would you like to do?</strong>
</div>
</center>
<br><br>
";
}



function login_check()
{
// If no user_id variable exists, redirect the user.
if (!isset($_SESSION['user_id']))
{

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

// Check for a trailing slash.
if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') )
{

// Chop off the slash.
$url = substr ($url, 0, -1);
}

// Redirect to this page if not logged in.
$url .= './../members/login.php';
header("Location: $url");

// Quit the script.
exit();

}
else
{
// Welcome the user (by name if they are logged in).

if (isset($_SESSION['user_title']) && ($_SESSION['first_name']) && ($_SESSION['last_name']));
{
echo "
<p><strong>Hello:</strong> {$_SESSION['user_title']} {$_SESSION['first_name']} {$_SESSION['last_name']}</p>
";
}
}
}



function real_login_check()
{
// If user_id variable exists, redirect the user.
if (isset($_SESSION['user_id']))
{

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

// Check for a trailing slash.
if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') )
{

// Chop off the slash.
$url = substr ($url, 0, -1);
}

// Redirect to this page if not logged in.
$url .= './../members/main.php';
header("Location: $url");

// Quit the script.
exit();
}
else
{
echo "
<center>
<div style='width:95%; background-color:#EAF4FF; padding:3px'>
<strong>Welcome!</strong>
</div>
</center>
<br><br>
";
}
}
?>
    The index.php, register.php and login.php pages in the members folder are the only pages that uses the real_login_chec k(); function. If the user is logged in they will be directed to the main.php page which contains the information pertinent to them. If the person isn't logged in the login form will be displayed or the registration form in the case of register.php.

    I tried to get cute and place a login form at the top of the functions.php page to eliminate the need to first go to the member's area to log in. If the user is logged in the welcome message is displayed instead of the login form. Here is that bit of code:

    Code:
    if (isset($_SESSION['user_id']) AND (substr($_SERVER['PHP_SELF'], -10) != 'members/logout.php'))
{
echo "
<strong>Hello, {$_SESSION['user_title']} {$_SESSION['first_name']} {$_SESSION['last_name']}</strong><br />
<a href='http://www.mysite.com/members/logout.php'>Logout</a><br />
<a href='http://www.mysite.com/members/index.php'>Member Control Panel</a>
";
}
else
{
// Not logged in
echo "
<form action='http://www.mysite.com/members/login.php' method='post'>
<strong>Member Login:</strong><br />
Email Address <input type='text' name='email' size='15' maxlength='45' value=''><br />
Password <input type='password' name='pass' size='10' maxlength='20'><br />
<input type='submit' name='submit' value='Login'>
<input type='hidden' name='submitted' value='TRUE'>
</form>
<br />
<a href='http://www.mysite.com/members/register.php'>Register</a>
";
}
    I want to enable sessions for many of the pages in the root directory, so I have this at the top of each page:
    Code:
    <?php
ob_start();
// Initialize a session.
session_start();
    In the functions.php page I have the footer() function that contains this:
    Code:
    </body></html>";
ob_end_flush();
    Since the pages in the members folder also calls the functions.php page they too have the ob_end_flush() function.

    So, back to my problem of the last user "logged out" being carried over when someone else logs in. I'm not sure where the problem lies. I think I have listed everything here in this post that relates to logging in and sessions. These are the variables that are set when logging in:
    Code:
    // Register the values & redirect.
$row = mysql_fetch_array ($result, MYSQL_NUM);
mysql_free_result($result);
mysql_close(); // Close the database connection.

$_SESSION['user_id'] = $row[0];
$_SESSION['email'] = $row[1];
$_SESSION['user_title'] = $row[3];
$_SESSION['first_name'] = $row[4];
$_SESSION['last_name'] = $row[5];
$_SESSION['city'] = $row[7];
$_SESSION['stateid'] = $row[8];
    I really don't understand the -10 in the code found in the functions.php page:
    Code:
    (substr($_SERVER['PHP_SELF'], -10) != 'members/logout.php')
    Does the -10 set the logging out for 10 minutes in the past to make logging out instantaneous?

    I would like to keep the logging in feature at the top of all the pages. It's much like the one on this website and I find it quite handy. But if this is what is causing my logout and login problems, and if it can't be fixed I'll scrap it.

    Thanks for any help.
    David
    Tags: None
    • moltendorf
      New Member
      • Jul 2007
      • 65
      #2
      What is the code of your footer.php script? I don't think I see it in that massive post of yours. That's probably where your problem is occurring. It should be either destroying the session entirely, or setting all the values of PHP's superglobal $_SESSION to NULL to completely wipe the trace of the active login from the session. So if logging out only unsets one thing (the user_id) it may fool the script that the user is logged out, but the $_SESSION variable still contains all the variables.

      Maybe in your logout script add a:
      Code:
      foreach ($_SESSION as $key => $value) {$_SESSION [$key] = NULL;}
session_destroy ();
session_start ();
      If the above code is already present, posting your logout.php script would help.

      Also, someone made a comment at the PHP website that seems to provide a solution to what's wrong with your script since you stated your login and logout scrips are located in a sub directory.
      A session created with session_start will only be available to pages within the directory tree of the page that first created it.

        Comment

        • DavidPr
          New Member
          • Mar 2007
          • 155
          #3
          Massive yes, and my fingers still hurt from typing it. I didn't know how else to explain what I was trying to do and how I was trying to do it.

          I have this in the logout.php page:
          Code:
          $_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.
          That's very interesting about the session having to remain in the directory in which it was created. Larry made no mention of this in his book. It's not sounding too good for my login script on top of all the pages.

          If a session is created in the members sub-directory, and I don't have session_start() on root directory pages (because the session isn't any good there anyway since it wasn't started there), and the user leaves the members sub-directory to view pages in root and other folders, and then goes back to the members sub-directory - will their session information still be intact or will they have to log back in again?

            Comment

            • moltendorf
              New Member
              • Jul 2007
              • 65
              #4
              I believe that if they start their session inside of the members subdirectory, their session will not persist outside of the members subdirectory.

              You mentioned a login box on the funtions.php file so they do not have to go to the members control panel; if this doesn't forward you to a file in members on the form submission, you may have two different sessions going. And when you logout in the members panel, you may be destroying that specific session, and not the one outside of it.

              I'm not too sure really. I've found that the PHP session handler is just not for my tastes. It has many quirks and other stuff; it can also "collide" with other applications on your website, even other people's websites (if you're on a shared hosting solution that has a poor setup). I, personally have always had problems with the PHP session handler's way of creating and destroying sessions that I tend to try to steer clear of it in favor of one that is controlled by a custom session handler script linked to a database.

              I will look through the code a little better on this second pass to try to further "diagnose" the problem. :)

              While you're waiting though, I suggest you try the one solution I can think of (if that comment is a good reason as to why it's not working). Try moving everything of the members directory out into the root folder.

                Comment

                • moltendorf
                  New Member
                  • Jul 2007
                  • 65
                  #5
                  I've had a slight spark of genious of my old days of using the PHP session handler...

                  It looks like it's not being fully killed (typical)

                  If logout.php doesn't stop the session entirely; kill the old one, and leave it by starting a new one with a different identifier entirely.

                  Try this in logout.php:
                  Code:
                  $_SESSION = array(); // Destroy the variables.
session_unset (); // Destroy the variables?! (It's the remedy of popping every single pill)
session_destroy(); // Destroy the session itself.
session_start (); // Re-start the session.
session_regenerate_id (); // Ensure that we get this visitor a new session identifier.
$_SESSION = array(); // Destroy the variables (again).

                    Comment

                    • DavidPr
                      New Member
                      • Mar 2007
                      • 155
                      #6
                      I may do that (move everything out of the members directory).

                      Right now, the login/logout form on the funtions.php page is linked to the main login.php form in the members directory where the actual logging in and the setting of the session takes place. Same thing for the logout link in the functions.php page:
                      Code:
                      <a href='members/logout.php.'>Logout</a>

                      custom session handler script linked to a database
                      Sounds interesting.

                        Comment

                        • moltendorf
                          New Member
                          • Jul 2007
                          • 65
                          #7
                          Yup, I posted a snapshot of my session handler here in fact (I didn't test it, I just finished writing the 800 or so lines of code, it didn't even work in that state, just produced an error, then a fatal error). My code was deleted because I broke the posting guidelines. :)

                          The current state is 7,900 lines (including the support classes it relies on), and works flawlessly.

                          You can probably find a much smaller one that conforms to your needs specifically somewhere on Google. Try that little code replacement I gave you for logout.php first, and see if all goes well.

                            Comment

                            • DavidPr
                              New Member
                              • Mar 2007
                              • 155
                              #8
                              I tried it but it still kept loggin me in as the same guy. I've just deleted all references to session outside of the members folder. I'll check that and see if it still logs me in as the same guy now. If so, then it has to have something to do with my version of PHP5+, as I running this exact login feature on other websites just fine. Those websites are on a server that uses a lower version of PHP. Or at least how my hosting company has the php.ini file setup.

                                Comment

                                • DavidPr
                                  New Member
                                  • Mar 2007
                                  • 155
                                  #9
                                  No, it's definately a compatibility issue with the version of PHP my server is running and this login script from Larry Ullman's book. It's the same login mechanism that's running fine on other websites but not this one, only thing different is the server.

                                    Comment

                                    • pbmods
                                      Recognized Expert Expert
                                      • Apr 2007
                                      • 5821
                                      #10
                                      Originally posted by DavidPr
                                      I really don't understand the -10 in the code found in the functions.php page:
                                      Code:
                                      (substr($_SERVER['PHP_SELF'], -10) != 'members/logout.php')
                                      Does the -10 set the logging out for 10 minutes in the past to make logging out instantaneous?
                                      The -10 means to start 10 characters from the *end* of the string (PHP: substr - Manual).

                                      Literally, that statement means, "If the last 10 characters of $_SERVER['PHP_SELF'] are not 'members/logout.php'..." .

                                      This statement will always evaluate to true because 'members/logout.php' is 18 characters, not 10.

                                      A better conditional would probably be:
                                      [code=php]
                                      if( ! preg_match('|me mbers/logout\\.php$|' , $_SERVER['REQUEST_URI']) )
                                      [/code]

                                      $_SERVER['REQUEST_URI'] only looks at the URI of the request and ignores querystring variables.

                                        Comment

                                        • Motoma
                                          Recognized Expert Specialist
                                          • Jan 2007
                                          • 3236
                                          #11
                                          Hi DavidPr,

                                          If you are still having difficulty with these, I would suggest checking two things: your logout handling, as well as the order that login and the welcome message are rendered.

                                          In my mind, the safest way to handle the a system logout is to clear your user and session data, destroy any open classes, and generate a new session id. A simplified example of this would be:

                                          Code:
                                          <?php
// logout.php

session_start();
session_unset();
$application->close();
session_regenerate_id();
header("Location: /");

?>
                                          This will ensure that your data is gone, and that any new session will have a new ID (staving of the potential for an old user to snoop the next user's data).

                                          A simple reason why the old user's name is being presented may be because you are calling setting the users' session variables after calling the welcome message code; that is to say you may be calling login_check before you are querying your database.

                                          An easy way to test this would be to put some simple debug echos in your code; for debugging purposes I usually put make each function echo it's name immediately when called to ensure my call order is correct.

                                          Hope this helps,
                                          Motoma

                                            Comment

                                            Previous template Next
                                            Working...