Solved

Admin area still accessible after logout

Posted on 2016-09-01
Last Modified: 2016-09-01
I have used cookies as a "remember me" function but even after logging out and then going back to the url I can access the admin area but it should be redirecting me because I am no longer logged in.

Set the cookie:

if ($remember == "on") {
    setcookie('email', $email, time() + 86400, '/', null, null, true);
}

header("Location:account.php");


Logout page:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', '', time()- 86400);
}

header("location:login.php");

Question by:Black Sulfur
19 Comments
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 41780053
Maybe you can avoid setting the cookie again after having unset it:
session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
}
header("location:login.php");


But I would like to see the code which doesn't work: the one you have in a protected page and which should redirect the user to the login page.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41780057
The design patterns used in this article do not have that problem!  ;-)
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Check the part about Client Un-Authentication - the Logout Page
 

Author Comment

by:Black Sulfur
ID: 41780110
@Marco, I have a function firstly, in a functions file:

function isLoggedIn() {
    if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
        return true;
    } else {
        return false;
    }
}


Then on the actual account page I have:

<p>Hi there, <?php if(isLoggedIn()) {
    echo "You are logged in!";
} else {
    header("location:login.php");
}
?>
</p>
<p><a href="logout.php">Logout?</a></p>


@ Ray, you sure are persistent, lol! Are you sure you aren't a salesman!? :P
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 41780126
That's the reason why your Protected area was not so protected after the logout: The function isLoggedIn() returns true even if the cookie 'email' exists. Since in your logout function you create a new cookie 'email' immediately after having destroyed it, the function isLoggedIn() returned true.
Drop out the line where you create a new empty cookie and it will work.
 

Author Comment

by:Black Sulfur
ID: 41780248
Even after doing that I still have the same problem:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    //setcookie('$email', '', time()- 86400, '/');
}

header("location:login.php");
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 41780268
Sorry, but Ray is usually right: in your code you were trying to make your cookie expire and this is the right way (as Ray shows in his article).
Maybe you can try another way to do it:
session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");
 

Author Comment

by:Black Sulfur
ID: 41780272
I have actually removed that function now and tried something else since I am not very familiar with functions.

session_start();

$hello="";

if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .="Welcome to your admin area.";
} else {
    header("location:index.php");
}

<p><?php echo $hello; ?></p>
<p><a href="logout.php">Logout?</a></p>
 

Author Comment

by:Black Sulfur
ID: 41780273
Sorry, I just posted my post and didn't realise you had posted. I will take a look at that now.
 

Author Comment

by:Black Sulfur
ID: 41780287
That still doesn't work. I think I am not helping by not posting full code. There could be an error somewhere else so let's try this one more time!

login:

$password = $_POST['password'];
$email = $link->real_escape_string($_POST['email']);
$remember = isset($_POST['remember']);

$sql = "SELECT password, userID FROM `users` WHERE email = '$email' AND confirmed = 1 LIMIT 1";
$result = $link->query($sql);
if ($result->num_rows == 1) {
    $row = $result->fetch_assoc();
    $db_password = $row["password"];
    if(password_verify($password, $db_password)) {
        $_SESSION['email'] = $email;

        if ($remember == "on") {
            setcookie('email', $email, time() + 86400, '/', null, null, true);
        }

        header("Location:account.php");

    } else {
        $error .="Could not log you in";
    }
}
else {
    $error .= "User does not exist";
}


Account:

session_start();

$hello="";

if(isset($_SESSION['email']) || isset($_COOKIE['email'])) {
    $hello .="Welcome to your admin area.";
} else {
    header("location:index.php");
}


Logout:

session_start();
session_destroy();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}

header("location:login.php");


 
LVL 30

Expert Comment

by:Marco Gasi
ID: 41780303
Mmmhh, I'm realizing just now that you are not destroying the session correctly. The cookie should be removed before calling session_destroy. But in addition you have to manually empty the $_SESSION array in order to be sure (in your case) that $_SESSION['email'] is destroyed.
session_start();
$_SESSION = array();
if(isset($_COOKIE['email'])) {
    unset($_COOKIE['email']);
    setcookie('$email', null, -1, '/');
}
session_destroy();
header("location:login.php");
 

Author Comment

by:Black Sulfur
ID: 41780309
Thank you so much for your patience and for helping me.

Unfortunately that still doesn't work.
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 41780323
In the page you access after the logout place this code:
echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
if(isset($_COOKIE['email'])) {
    echo "Cookie still here";
}
 

Author Comment

by:Black Sulfur
ID: 41780326
Notice:  Undefined variable: _SESSION

NULL
Cookie still here
 

Author Comment

by:Black Sulfur
ID: 41780334
Sorry, forgot the session_start

array(0) {
}
Cookie still here
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 41780350
Here's the code snippet from the article, slightly modified since you don't have all the other parts that make this into a fully-functioning login system.  But you could get them all, as well as get a full explanation of the design pattern any time you want.  It's only a click away.  Really.
<?php 
error_reporting(E_ALL);
session_start();

// IF THE "REMEMBER ME" COOKIE IS SET, FORCE IT TO EXPIRE
$cookie_expires = time() - date('Z') - 86400;
if (isset($_COOKIE["email"]))
{
   setcookie("email", '', $cookie_expires, '/');
}

// CLEAR THE INFORMATION FROM THE $_SESSION ARRAY
$_SESSION = array();

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

// FINALLY, TELL PHP TO ELIMINATE THE SESSION
session_destroy();
session_write_close();

// GO SOMEWHERE ELSE
header("Location: /");
exit;

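An added illustration, not code from the thread or from Ray's article, of why the accepted snippet succeeds where the earlier attempts did not. The difference that matters is the cookie name: login.php set a cookie called email, but every earlier logout called setcookie('$email', ...). A single-quoted string in PHP is not interpolated, so that call expires a cookie literally named $email and leaves email untouched, which is exactly what the var_dump test showed: an empty $_SESSION but "Cookie still here". The session_name() block is defence in depth, and that is why commenting it out changes nothing: once $_SESSION is emptied and session_destroy() has run, the session cookie refers to data that no longer exists. The script below assumes the login page's setcookie('email', $email, time() + 86400, '/', null, null, true) and PHP's default session cookie settings.

```php
<?php
// logout.php - added example (not the thread's code): every cookie name and
// attribute here is chosen to match what login.php set, which is the whole point.
declare(strict_types=1);
session_start();

$past = time() - 86400;   // any time in the past makes the browser discard the cookie

// 1. Expire the "remember me" cookie. The name must be the same string the login
//    page used, 'email'. In PHP, '$email' (single quotes) is the literal
//    six-character name "$email", not the variable, so expiring it never touches
//    the real cookie. Path, domain, secure and httponly should also match the
//    values used when the cookie was set, otherwise the browser keeps the original.
if (isset($_COOKIE['email'])) {
    setcookie('email', '', $past, '/', '', false, true);
    // unset() only clears this request's copy of the superglobal; the browser
    // still holds the cookie, which is why the setcookie() above is required.
    unset($_COOKIE['email']);
}

// 2. Empty the server-side session data first, then expire the session cookie
//    using the parameters PHP actually applied to it (assumption: defaults).
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', $past, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();

// 3. Redirect and stop. Without exit, any markup after this line is still sent
//    to the client even though a Location header went out.
header('Location: login.php');
exit;
```

The order (clear $_SESSION, expire cookies, then session_destroy()) is the one the PHP manual documents for a full logout; in this thread the ordering was never the failing part, the cookie name was.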
 

Author Comment

by:Black Sulfur
ID: 41780361
Haha, Ray. I promise I am going to try your full solution out once I have been my own worst enemy and slugged this out. (in fact, I have already copied all the code into individual files for future use) I am just doing it the painstaking way because I at least want to try before I give in and just use your perfect code. I need to fail first. I don't know why, I just need to.
 

Author Comment

by:Black Sulfur
ID: 41780362
Okay, I just used the code from your last post, Ray and it of course worked! It is highly unfair that you are so smart! I am just going to look at it now to try and understand what is different and why and how it works.
 

Author Comment

by:Black Sulfur
ID: 41780373
At a glance, the only part I see that is really different is:

// IF THE SESSION IS KEPT IN COOKIE, FORCE SESSION COOKIE TO EXPIRE
if (isset($_COOKIE[session_name()]))
{
   setcookie(session_name(), '', $cookie_expires, '/');
}

However, if I comment it out, it still works and I get redirected as I should. Hmmm.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41780427
Some of this code is "belt and suspenders" and I got tired of having to answer questions about why the logout worked in one configuration and not in another, etc.  So I made it as reasonably sturdy as possible.  As written I am pretty sure it will be successful logging out a client under all of these circumstances:

1. The client hits "logout" then uses the browser "back" button
2. The client abandons his computer, then returns to find the PHP session is gone, but the "remember me" cookie is still there
3. The client logs out in one window, then goes to another window and tries something funny
4. The developer puts the login and logout in a modal window

If you want to read the article just for its information value, and still try to build your own code base, that might be a useful exercise.

Also, there is no such thing  as a logged-in user.  This article explains why that's true.  TL;DR: HTTP is a stateless protocol.
https://www.experts-exchange.com/articles/11271/Understanding-Client-Server-Protocols-and-Web-Applications.html
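As an added example, not from the thread or the linked article, here is the other half of the picture: the protected page itself, written so that the cases listed above (back button, a second window, a stale remember-me cookie) all end at the login page. Two things differ from the account page posted earlier in the thread. First, the check is followed by exit; without it a Location header is sent but the admin markup below it is still delivered to the client. Second, only $_SESSION is consulted. The remember-me cookie in this thread carries a plain email address that the client sent, so isset($_COOKIE['email']) only establishes that a cookie with that name arrived; the example assumes any remember-me handling validates the cookie server-side and re-creates $_SESSION['email'] before this gate runs (that handling is not shown). The Cache-Control headers are an assumption added so that the browser re-requests the page instead of showing a cached copy after logout.

```php
<?php
// account.php - added example (not the thread's code)
declare(strict_types=1);
session_start();

/**
 * Gate for a protected page: redirect to the login page and halt unless the
 * server-side session says who this is. The exit is what makes the redirect
 * final; header() alone does not stop the rest of the script from running.
 */
function require_login(string $login_url = 'login.php'): void
{
    // Trust only what the server stored at login time. A cookie named "email"
    // proves only that the request carried a cookie named "email"; its value
    // is whatever the client chose to send (assumption: remember-me, if used,
    // has already been verified and copied into $_SESSION before this point).
    if (empty($_SESSION['email'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// Ask browsers and proxies not to keep a copy of the protected page, so the
// back button after logout re-requests it and runs through the gate again.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

require_login();

// Escape the session value before echoing it; it originated in a form field.
$hello = 'Welcome to your admin area, '
       . htmlspecialchars($_SESSION['email'], ENT_QUOTES, 'UTF-8') . '.';
?>
<p><?php echo $hello; ?></p>
<p><a href="logout.php">Logout?</a></p>
```

Combined with a logout that empties $_SESSION and calls session_destroy(), this gate fails closed: after logout there is no session data to satisfy it, regardless of which cookies the browser still sends.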
