Solved

Admin area still accessible after logout

Posted on 2016-09-01
Last Modified: 2016-09-01
I have used cookies as a "remember me" function, but even after logging out and then going back to the URL I can still access the admin area. It should be redirecting me because I am no longer logged in.

Set the cookie:

if ($remember == "on") {
    // httponly = true; the cookie value is the user's e-mail address in the clear
    setcookie('email', $email, time() + 86400, '/', null, null, true);
}

header("Location:account.php");
exit; // stop here so nothing after the redirect is sent


Logout page:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    // Only removes the key from this request's copy of $_COOKIE;
    // the browser still holds the cookie.
    unset($_COOKIE['email']);
    // Single quotes: the cookie name sent here is the literal string '$email',
    // not 'email', so this does not expire the cookie set at login.
    setcookie('$email', '', time() - 86400);
}

header("location:login.php");
exit;

Question by: Black Sulfur

19 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41780053
Maybe you can avoid setting the cookie again after having unset it:
session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
}
header("location:login.php");
exit;

But I would like to see the code which doesn't work: the one you have in a protected page and which should redirect the user to the login page.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41780057
The design patterns used in this article do not have that problem!  ;-)
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Check the part about Client Un-Authentication - the Logout Page
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780110
@Marco, I have a function firstly, in a functions file:

function isLoggedIn() {
    // True whenever a cookie named 'email' is present in the request, whatever its value
    if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
        return true;
    } else {
        return false;
    }
}

Then on the actual account page I have:

<p>Hi there, <?php if (isLoggedIn()) {
    echo "You are logged in!";
} else {
    // Output ("<p>Hi there, ") has already been sent at this point, so
    // header() cannot redirect; the check has to run before any output.
    header("location:login.php");
}
?>
</p>
<p><a href="logout.php">Logout?</a></p>


@ Ray, you sure are persistent, lol! Are you sure you aren't a salesman!? :P
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41780126
That's the reason why your protected area was not so protected after the logout: the function isLoggedIn() returns true even if only the cookie 'email' exists. Since in your logout function you create a new cookie 'email' immediately after having destroyed it, isLoggedIn() returned true.
Drop the line where you create a new empty cookie and it will work.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780248
Even after doing that I still have the same problem:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    //setcookie('$email', '', time() - 86400, '/');
}

header("location:login.php");
exit;

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41780268
Sorry, but Ray is usually right: in your code you were trying to make your cookie expire and this is the right way (as Ray shows in his article).
Maybe you can try another way to do it:
session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");
exit;

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780272
I have actually removed that function now and tried something else since I am not very familiar with functions.

session_start();

$hello = "";

if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .= "Welcome to your admin area.";
} else {
    header("location:index.php");
    exit; // without this the rest of the page is still rendered and sent to the client
}

<p><?php echo $hello; ?></p>
<p><a href="logout.php">Logout?</a></p>

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780273
Sorry, I just posted my post and didn't realise you had posted. I will take a look at that now.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780287
That still doesn't work. I think I am not helping by not posting full code. There could be an error somewhere else, so let's try this one more time!

login:

$password = $_POST['password'];
$email    = $link->real_escape_string($_POST['email']);
$remember = isset($_POST['remember']); // boolean; true == "on" under PHP's loose comparison below

$sql = "SELECT password, userID FROM `users` WHERE email = '$email' AND confirmed = 1 LIMIT 1";
$result = $link->query($sql);
if ($result->num_rows == 1) {
    $row = $result->fetch_assoc();
    $db_password = $row["password"];
    if (password_verify($password, $db_password)) {
        $_SESSION['email'] = $email;

        if ($remember == "on") {
            setcookie('email', $email, time() + 86400, '/', null, null, true);
        }

        header("Location:account.php");
        exit;
    } else {
        $error .= "Could not log you in";
    }
} else {
    $error .= "User does not exist";
}

Account:

session_start();

$hello = "";

if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .= "Welcome to your admin area.";
} else {
    header("location:index.php");
    exit;
}

Logout:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    // The name in single quotes is the literal '$email', so the 'email'
    // cookie from the login page is never expired here.
    setcookie('$email', null, -1, '/');
}

header("location:login.php");
exit;

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41780303
Mmmhh, I'm realizing just now that you are not destroying the session correctly. The cookie should be removed before calling session_destroy. But in addition you have to manually empty the $_SESSION array in order to be sure (in your case) that $_SESSION['email'] is destroyed.
session_start();
$_SESSION = array();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/'); // still the literal cookie name '$email'
}
session_destroy();
header("location:login.php");
exit;

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780309
Thank you so much for your patience and for helping me.

Unfortunately that still doesn't work.
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41780323
In the page you access after the logout place this code:
echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
if (isset($_COOKIE['email'])) {
    echo "Cookie still here";
}

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780326
Notice:  Undefined variable: _SESSION

NULL
Cookie still here
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780334
Sorry, forgot the session_start

array(0) {
}
Cookie still here
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 41780350
Here's the code snippet from the article, slightly modified since you don't have all the other parts that make this into a fully-functioning login system.  But you could get them all, as well as get a full explanation of the design pattern any time you want.  It's only a click away.  Really.
<?php 
error_reporting(E_ALL);
session_start();

// IF THE "REMEMBER ME" COOKIE IS SET, FORCE IT TO EXPIRE
$cookie_expires = time() - date('Z') - 86400;
if (isset($_COOKIE["email"]))
{
   setcookie("email", '', $cookie_expires, '/');
}

// CLEAR THE INFORMATION FROM THE $_SESSION ARRAY
$_SESSION = array();

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

// FINALLY, TELL PHP TO ELIMINATE THE SESSION
session_destroy();
session_write_close();

// GO SOMEWHERE ELSE
header("Location: /");
exit;


0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780361
Haha, Ray. I promise I am going to try your full solution out once I have been my own worst enemy and slugged this out. (In fact, I have already copied all the code into individual files for future use.) I am just doing it the painstaking way because I at least want to try before I give in and just use your perfect code. I need to fail first. I don't know why, I just need to.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780362
Okay, I just used the code from your last post, Ray and it of course worked! It is highly unfair that you are so smart! I am just going to look at it now to try and understand what is different and why and how it works.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41780373
At a glance, the only part I see that is really different is:

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}



However, if I comment it out, it still works and I get redirected as I should. Hmmm.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41780427
Some of this code is "belt and suspenders" and I got tired of having to answer questions about why the logout worked in one configuration and not in another, etc.  So I made it as reasonably sturdy as possible.  As written I am pretty sure it will be successful logging out a client under all of these circumstances:

1. The client hits "logout" then uses the browser "back" button
2. The client abandons his computer, then returns to find the PHP session is gone, but the "remember me" cookie is still there
3. The client logs out in one window, then goes to another window and tries something funny
4. The developer puts the login and logout in a modal window

If you want to read the article just for its information value, and still try to build your own code base, that might be a useful exercise.

Also, there is no such thing as a logged-in user.  This article explains why that's true.  TL;DR: HTTP is a stateless protocol.
https://www.experts-exchange.com/articles/11271/Understanding-Client-Server-Protocols-and-Web-Applications.html
1
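Added example, not code from the thread or from Ray's article. It serves two passages above: the isLoggedIn() function, which treats the mere presence of a cookie named email as proof of login (a value any client can set for itself), and the accepted logout code. The block issues a random selector:validator token for "remember me" instead of storing the e-mail address, keeps only a hash of the validator server-side, verifies it with a constant-time compare, and deletes it on logout so that a copy of the cookie taken before logout cannot be replayed (Ray's scenarios 2 and 3). Assumed for the example: PHP 7.3 or later for the array form of setcookie(), PDO with SQLite (in-memory so it runs from the command line), the remember_tokens table and its columns, the cookie name remember, and every function name below.

```php
<?php
// Added example, not code from the thread. "Remember me" done with a random
// selector:validator token instead of the user's e-mail, checked against a
// hash kept server-side and revoked on logout. Assumed for the example: PDO
// with SQLite (in-memory so it runs stand-alone), the remember_tokens table,
// the cookie name 'remember', PHP >= 7.3, and every function name below.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 86400;   // 30 days

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    }
    return $pdo;
}

// At login, when the box is ticked. Only a hash of the validator is stored,
// so a dump of the table does not let anyone mint a working cookie.
function issueRememberToken(int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    db()->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    $value = $selector . ':' . $validator;
    if (!headers_sent()) {   // nothing has been output yet; true in a CLI run too
        setcookie(REMEMBER_COOKIE, $value, [
            'expires' => time() + REMEMBER_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// On a request with no live session. Returns the user id the cookie proves,
// or null. A forged cookie fails on the selector lookup or on the hash
// compare; no field of the cookie is trusted on its own.
function userFromRememberCookie(?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $st = db()->prepare('SELECT validator_hash, user_id, expires
                         FROM remember_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                     // constant-time compare, no timing leak
    }
    return (int) $row['user_id'];
}

// Logout: delete the token first, so a copy of the cookie taken before logout
// cannot be replayed later, then expire the cookies and drop the session.
function logout(): void
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? null;
    if (is_string($cookie) && strpos($cookie, ':') !== false) {
        db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')
            ->execute([explode(':', $cookie, 2)[0]]);
    }
    if (!headers_sent()) {
        // Same name and path as when it was set, or the browser keeps the old one.
        setcookie(REMEMBER_COOKIE, '', time() - 86400, '/');
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        if (isset($_COOKIE[session_name()]) && !headers_sent()) {
            setcookie(session_name(), '', time() - 86400, '/');
        }
        session_destroy();
    }
}

// Stand-alone run: issue, verify, reject a forgery, revoke, then try a replay.
$cookie = issueRememberToken(42);
$ok = userFromRememberCookie($cookie) === 42
   && userFromRememberCookie('deadbeef:' . str_repeat('0', 64)) === null;
$_COOKIE[REMEMBER_COOKIE] = $cookie;
logout();
$ok = $ok && userFromRememberCookie($cookie) === null;
echo $ok ? "issue, verify, revoke: OK\n" : "FAIL\n";
```

Run it with php from the command line; the three checks at the end cover a valid cookie, a forged cookie, and a replay after logout. The validator carries 256 bits of entropy, so a plain SHA-256 is enough to protect the stored copy (password_hash() is for low-entropy secrets). The database lookup is by selector only and the validator is compared with hash_equals(), so the lookup does not leak timing information about the secret part. In a real login page the check for a live session still has to run before any output, and every header("Location: ...") needs an exit after it, otherwise the admin page body is sent to the client anyway.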
