Admin area still accessible after logout

Posted on 2016-09-01
Last Modified: 2016-09-01
I have used cookies as a "remember me" function, but even after logging out and then going back to the URL I can still access the admin area; it should be redirecting me because I am no longer logged in.

Set the cookie:

if ($remember == "on") {
    setcookie('email', $email, time() + 86400, '/', null, null, true);
}

header("Location:account.php");


Logout page:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', '', time()- 86400);
}

header("location:login.php");

Question by:Black Sulfur
Expert Comment by: Marco Gasi (ID: 41780053)

Maybe you can avoid setting the cookie again after having unset it:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
}
header("location:login.php");

But I would like to see the code which doesn't work: the one you have in a protected page and which should redirect the user to the login page.
 
Expert Comment by: Ray Paseur (ID: 41780057)

The design patterns used in this article do not have that problem!  ;-)
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Check the part about Client Un-Authentication - the Logout Page
 
Author Comment by: Black Sulfur (ID: 41780110)

@Marco, I have a function firstly, in a functions file:

function isLoggedIn() {
    if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
        return true;
    } else {
        return false;
    }
}

Then on the actual account page I have:

<p>Hi there, <?php if(isLoggedIn()) {
    echo "You are logged in!";
} else {
    header("location:login.php");
}
?>
</p>
<p><a href="logout.php">Logout?</a></p>

@ Ray, you sure are persistent, lol! Are you sure you aren't a salesman!? :P
 
Expert Comment by: Marco Gasi (ID: 41780126)

That's the reason why your protected area was not so protected after the logout: the function isLoggedIn() returns true even if the cookie 'email' exists. Since in your logout function you create a new cookie 'email' immediately after having destroyed it, the function isLoggedIn() returned true.
Drop the line where you create a new empty cookie and it will work.
 
Author Comment by: Black Sulfur (ID: 41780248)

Even after doing that I still have the same problem:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    //setcookie('$email', '', time()- 86400, '/');
}

header("location:login.php");
 
Expert Comment by: Marco Gasi (ID: 41780268)

Sorry, but Ray is usually right: in your code you were trying to make your cookie expire, and this is the right way (as Ray shows in his article).
Maybe you can try another way to do it:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");
 
Author Comment by: Black Sulfur (ID: 41780272)

I have actually removed that function now and tried something else since I am not very familiar with functions.

session_start();

$hello="";

if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .="Welcome to your admin area.";
} else {
    header("location:index.php");
}

<p><?php echo $hello; ?></p>
<p><a href="logout.php">Logout?</a></p>
 
Author Comment by: Black Sulfur (ID: 41780273)

Sorry, I just posted my post and didn't realise you had posted. I will take a look at that now.
 
Author Comment by: Black Sulfur (ID: 41780287)

That still doesn't work. I think I am not helping by not posting full code. There could be an error somewhere else, so let's try this one more time!

login:

$password = $_POST['password'];
$email = $link->real_escape_string($_POST['email']);
$remember = isset($_POST['remember']);

$sql = "SELECT password, userID FROM `users` WHERE email = '$email' AND confirmed = 1 LIMIT 1";
$result = $link->query($sql);
if ($result->num_rows == 1) {
    $row = $result->fetch_assoc();
    $db_password = $row["password"];
    if(password_verify($password, $db_password)) {
        $_SESSION['email'] = $email;

        if ($remember == "on") {
            setcookie('email', $email, time() + 86400, '/', null, null, true);
        }

        header("Location:account.php");
    } else {
        $error .="Could not log you in";
    }
} else {
    $error .= "User does not exist";
}

Account:

session_start();

$hello="";

if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .="Welcome to your admin area.";
} else {
    header("location:index.php");
}

Logout:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");
 
Expert Comment by: Marco Gasi (ID: 41780303)

Mmmhh, I'm realizing just now that you are not destroying the session correctly. The cookie should be removed before calling session_destroy. But in addition you have to manually empty the $_SESSION array in order to be sure (in your case) that $_SESSION['email'] is destroyed.

session_start();
$_SESSION = array();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}
session_destroy();
header("location:login.php");
 
Author Comment by: Black Sulfur (ID: 41780309)

Thank you so much for your patience and for helping me.

Unfortunately that still doesn't work.
 
Expert Comment by: Marco Gasi (ID: 41780323)

In the page you access after the logout, place this code:

echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
if(isset($_COOKIE['email'])) {
    echo "Cookie still here";
}
 
Author Comment by: Black Sulfur (ID: 41780326)

Notice:  Undefined variable: _SESSION

NULL
Cookie still here
 
Author Comment by: Black Sulfur (ID: 41780334)

Sorry, forgot the session_start

array(0) {
}
Cookie still here
 
Accepted Solution by: Ray Paseur (earned 2000 total points; ID: 41780350)

Here's the code snippet from the article, slightly modified since you don't have all the other parts that make this into a fully-functioning login system.  But you could get them all, as well as get a full explanation of the design pattern any time you want.  It's only a click away.  Really.
<?php 
error_reporting(E_ALL);
session_start();

// IF THE "REMEMBER ME" COOKIE IS SET, FORCE IT TO EXPIRE
$cookie_expires = time() - date('Z') - 86400;
if (isset($_COOKIE["email"]))
{
   setcookie("email", '', $cookie_expires, '/');
}

// CLEAR THE INFORMATION FROM THE $_SESSION ARRAY
$_SESSION = array();

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

// FINALLY, TELL PHP TO ELIMINATE THE SESSION
session_destroy();
session_write_close();

// GO SOMEWHERE ELSE
header("Location: /");
exit;

 
Author Comment by: Black Sulfur (ID: 41780361)

Haha, Ray. I promise I am going to try your full solution out once I have been my own worst enemy and slugged this out (in fact, I have already copied all the code into individual files for future use). I am just doing it the painstaking way because I at least want to try before I give in and just use your perfect code. I need to fail first. I don't know why, I just need to.
 
Author Comment by: Black Sulfur (ID: 41780362)

Okay, I just used the code from your last post, Ray, and it of course worked! It is highly unfair that you are so smart! I am just going to look at it now to try and understand what is different and why and how it works.
 
Author Comment by: Black Sulfur (ID: 41780373)

At a glance, the only part I see that is really different is:

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

However, if I comment it out, it still works and I get redirected as I should. Hmmm.
 
Expert Comment by: Ray Paseur (ID: 41780427)

Some of this code is "belt and suspenders" and I got tired of having to answer questions about why the logout worked in one configuration and not in another, etc.  So I made it as reasonably sturdy as possible.  As written I am pretty sure it will be successful logging out a client under all of these circumstances:

1. The client hits "logout" then uses the browser "back" button
2. The client abandons his computer, then returns to find the PHP session is gone, but the "remember me" cookie is still there
3. The client logs out in one window, then goes to another window and tries something funny
4. The developer puts the login and logout in a modal window

If you want to read the article just for its information value, and still try to build your own code base, that might be a useful exercise.

Also, there is no such thing as a logged-in user.  This article explains why that's true.  TL;DR: HTTP is a stateless protocol.
https://www.experts-exchange.com/articles/11271/Understanding-Client-Server-Protocols-and-Web-Applications.html
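Added example (my own, not code from the thread or from Ray Paseur's article): login, access check and logout share one cookie-name constant, so the "remember me" cookie that login sets under the name 'email' is the one logout expires, whereas the question's logout called setcookie('$email', ...), and single quotes do not interpolate in PHP, so that call named a different cookie. The names REMEMBER_COOKIE, REMEMBER_TTL, setRememberMe, requireLogin, expireCookie and logout are assumptions.

```php
<?php
// Added example, not code from the thread: the login, access check and logout
// share one cookie-name constant, so the "remember me" cookie that login sets
// is the one logout expires. In the question, login used 'email' but logout
// used '$email' (single quotes, no interpolation), a different cookie name.
const REMEMBER_COOKIE = 'email';
const REMEMBER_TTL    = 86400;   // one day, as in the original login code

// Login side: set the remember-me cookie with the same path used to expire it.
function setRememberMe(string $email): void
{
    setcookie(REMEMBER_COOKIE, $email, time() + REMEMBER_TTL, '/', '', false, true); // HttpOnly
}

// Protected page (after session_start()): redirect and stop when neither
// the session nor the remember-me cookie is present.
function requireLogin(string $loginUrl = 'login.php'): void
{
    if (!isset($_SESSION['email']) && !isset($_COOKIE[REMEMBER_COOKIE])) {
        header('Location: ' . $loginUrl);
        exit;   // header() does not stop the rest of the page from running
    }
}

// Expire a cookie with the same path it was set with; a path mismatch is
// another way a "deleted" cookie survives logout.
function expireCookie(string $name, string $path = '/'): void
{
    setcookie($name, '', time() - 86400, $path);
    unset($_COOKIE[$name]);   // so checks later in this same request see it gone
}

// Logout side, following the steps of the accepted solution.
function logout(string $redirectTo = '/'): void
{
    session_start();
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        expireCookie(REMEMBER_COOKIE);          // 1. remember-me cookie
    }
    $_SESSION = [];                             // 2. clear session data
    if (isset($_COOKIE[session_name()])) {
        expireCookie(session_name());           // 3. session-id cookie
    }
    session_destroy();                          // 4. server-side session
    session_write_close();
    header('Location: ' . $redirectTo);
    exit;
}
```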
