• Status: Solved

Admin area still accessible after logout

I have used cookies as a "remember me" function but even after logging out and then going back to the url I can access the admin area but it should be redirecting me because I am no longer logged in.

Set the cookie:

if ($remember == "on") {
    setcookie('email', $email, time() + 86400, '/', null, null, true);
}

header("Location:account.php");


Logout page:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', '', time() - 86400);
}

header("location:login.php");

Asked: Black Sulfur

1 Solution
 
Marco Gasi (Freelancer) commented:
Maybe you can avoid setting the cookie again after having unset it:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
}
header("location:login.php");


But I would like to see the code which doesn't work: the one you have in a protected page and which should redirect the user to the login page.
0
 
Ray Paseur commented:
The design patterns used in this article do not have that problem! ;-)
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Check the part about Client Un-Authentication - the Logout Page
0
 
Black Sulfur (Author) commented:
@Marco, I have a function firstly, in a functions file:

function isLoggedIn() {
    if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
        return true;
    } else {
        return false;
    }
}


Then on the actual account page I have:

<p>Hi there, <?php if (isLoggedIn()) {
    echo "You are logged in!";
} else {
    header("location:login.php");
}
?>
</p>
<p><a href="logout.php">Logout?</a></p>


@ Ray, you sure are persistent, lol! Are you sure you aren't a salesman!? :P
0
 
Marco Gasi (Freelancer) commented:
That's the reason why your protected area was not so protected after the logout: the function isLoggedIn() returns true even if the cookie 'email' exists. Since in your logout function you create a new cookie 'email' immediately after having destroyed it, the function isLoggedIn() returned true.
Drop the line where you create a new empty cookie and it will work.
0
 
Black Sulfur (Author) commented:
Even after doing that I still have the same problem:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    //setcookie('$email', '', time() - 86400, '/');
}

header("location:login.php");

0
 
Marco Gasi (Freelancer) commented:
Sorry, but Ray is usually right: in your code you were trying to make your cookie expire, and this is the right way (as Ray shows in his article).
Maybe you can try another way to do it:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");

0
 
Black Sulfur (Author) commented:
I have actually removed that function now and tried something else since I am not very familiar with functions.

session_start();

$hello = "";

if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .= "Welcome to your admin area.";
} else {
    header("location:index.php");
}

<p><?php echo $hello; ?></p>
<p><a href="logout.php">Logout?</a></p>

0
 
Black Sulfur (Author) commented:
Sorry, I just posted my post and didn't realise you had posted. I will take a look at that now.
0
 
Black Sulfur (Author) commented:
That still doesn't work. I think I am not helping by not posting full code. There could be an error somewhere else so let's try this one more time!

login:

$password = $_POST['password'];
$email = $link->real_escape_string($_POST['email']);
$remember = isset($_POST['remember']);

$sql = "SELECT password, userID FROM `users` WHERE email = '$email' AND confirmed = 1 LIMIT 1";
$result = $link->query($sql);
if ($result->num_rows == 1) {
    $row = $result->fetch_assoc();
    $db_password = $row["password"];
    if (password_verify($password, $db_password)) {
        $_SESSION['email'] = $email;

        if ($remember == "on") {
            setcookie('email', $email, time() + 86400, '/', null, null, true);
        }

        header("Location:account.php");
    } else {
        $error .= "Could not log you in";
    }
} else {
    $error .= "User does not exist";
}

Account:

session_start();

$hello = "";

if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .= "Welcome to your admin area.";
} else {
    header("location:index.php");
}

Logout:

session_start();
session_destroy();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");

0
 
Marco Gasi (Freelancer) commented:
Mmmhh, I'm realizing just now that you are not destroying the session correctly. The cookie should be removed before calling session_destroy. But in addition you have to manually empty the $_SESSION array in order to be sure (in your case) that $_SESSION['email'] is destroyed.

session_start();
$_SESSION = array();
if (isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}
session_destroy();
header("location:login.php");

0
 
Black Sulfur (Author) commented:
Thank you so much for your patience and for helping me.

Unfortunately that still doesn't work.
0
 
Marco Gasi (Freelancer) commented:
In the page you access after the logout, place this code:

echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
if (isset($_COOKIE['email'])) {
    echo "Cookie still here";
}

0
 
Black Sulfur (Author) commented:
Notice:  Undefined variable: _SESSION

NULL
Cookie still here
0
 
Black Sulfur (Author) commented:
Sorry, forgot the session_start.

array(0) {
}
Cookie still here
0
 
Ray Paseur commented:
Here's the code snippet from the article, slightly modified since you don't have all the other parts that make this into a fully-functioning login system. But you could get them all, as well as get a full explanation of the design pattern, any time you want. It's only a click away. Really.

<?php
error_reporting(E_ALL);
session_start();

// IF THE "REMEMBER ME" COOKIE IS SET, FORCE IT TO EXPIRE
$cookie_expires = time() - date('Z') - 86400;
if (isset($_COOKIE["email"]))
{
   setcookie("email", '', $cookie_expires, '/');
}

// CLEAR THE INFORMATION FROM THE $_SESSION ARRAY
$_SESSION = array();

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

// FINALLY, TELL PHP TO ELIMINATE THE SESSION
session_destroy();
session_write_close();

// GO SOMEWHERE ELSE
header("Location: /");
exit;

0
 
Black Sulfur (Author) commented:
Haha, Ray. I promise I am going to try your full solution out once I have been my own worst enemy and slugged this out (in fact, I have already copied all the code into individual files for future use). I am just doing it the painstaking way because I at least want to try before I give in and just use your perfect code. I need to fail first. I don't know why, I just need to.
0
 
Black Sulfur (Author) commented:
Okay, I just used the code from your last post, Ray and it of course worked! It is highly unfair that you are so smart! I am just going to look at it now to try and understand what is different and why and how it works.
0
 
Black Sulfur (Author) commented:
At a glance, the only part I see that is really different is:

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}


However, if I comment it out, it still works and I get redirected as I should. Hmmm.
0
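The difference that actually matters is easy to overlook in the posts above: every logout script in the thread calls setcookie('$email', ...), and a single-quoted PHP string does not interpolate, so those scripts expire a cookie literally named $email while the cookie created at login is named email (Ray's working version writes "email"). The logout page below is an added example, not code from the question or the answers; it takes the cookie name email, the path / and the httponly flag from the thread's login code, assumes PHP 7.3+ for the setcookie() options array, and clears both the remember-me cookie and the session-id cookie with the same name, path and domain they were set with.

```php
<?php
// logout.php -- added example, not the code from the question or the answers.
// Assumes PHP 7.3+ (setcookie() with an options array).
declare(strict_types=1);

// A browser only overwrites a cookie whose name, path and domain all match,
// so a cookie is cleared by re-sending it with those same attributes and an
// expiry in the past.
function expireCookie(string $name, array $params): void
{
    setcookie($name, '', [
        'expires'  => time() - 86400,
        'path'     => $params['path'] ?? '/',
        'domain'   => $params['domain'] ?? '',
        'secure'   => $params['secure'] ?? false,
        'httponly' => $params['httponly'] ?? true,
        'samesite' => 'Lax',
    ]);
    unset($_COOKIE[$name]);   // keep the rest of this request consistent
}

session_start();

// 1. Empty the session array; session_destroy() on its own leaves $_SESSION
//    populated for the remainder of the current request.
$_SESSION = [];

// 2. Expire the remember-me cookie under the name it was really set with.
//    '$email' would be the literal seven-character string $email, because
//    single quotes do not interpolate. The thread's login code created a
//    cookie named email, on path '/', with the httponly flag.
expireCookie('email', ['path' => '/', 'domain' => '', 'httponly' => true]);

// 3. Expire the session-id cookie with the parameters PHP actually used,
//    so the old session id is not sent back on the next request.
expireCookie(session_name(), session_get_cookie_params());

// 4. Drop the server-side session data and redirect before any output;
//    exit so nothing after the header() call runs.
session_destroy();
header('Location: login.php');
exit;
```

Separately from the logout bug, the protected page's check isset($_COOKIE['email']) accepts the mere presence of a client-supplied cookie as proof of identity; a remember-me cookie should carry a random token that the server looks up and expires, never the account's email address.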
 
Ray Paseur commented:
Some of this code is "belt and suspenders" and I got tired of having to answer questions about why the logout worked in one configuration and not in another, etc. So I made it as reasonably sturdy as possible. As written I am pretty sure it will be successful logging out a client under all of these circumstances:

1. The client hits "logout" then uses the browser "back" button
2. The client abandons his computer, then returns to find the PHP session is gone, but the "remember me" cookie is still there
3. The client logs out in one window, then goes to another window and tries something funny
4. The developer puts the login and logout in a modal window

If you want to read the article just for its information value, and still try to build your own code base, that might be a useful exercise.

Also, there is no such thing as a logged-in user. This article explains why that's true. TL;DR: HTTP is a stateless protocol.
https://www.experts-exchange.com/articles/11271/Understanding-Client-Server-Protocols-and-Web-Applications.html
1
