用户注销后仍然能够访问home.php

Question

I have a registration system on my website that takes the user to home.php once they are registered. There is a logout link on home.php and when the user clicks it, they are logged out and taken to index.php. The problem I am having is that the user is still able to access home.php after they logout.

Here is index.php

<!DOCTYPE html>
<?php

session_start();


?>
<html>

<head>



</head>


<body>


<form action="verify_registration_form.php" method="post">
<br>
<input type="username" id="user_name" name="user_name" placeholder="Username" required>
<br><br><br><br><input type="password" id="user_pass_word" name="user_pass_word" placeholder="Password" required>
<br><br><br><br><input type="email" id="user_email" name="user_email" placeholder="Email" required>
<br><br><br><br><input type="submit" class="submit_registration_form_button" id="submit_registration_form_button" name="submit_registration_form_button" value="Sign Up">

</form>


<form action="verify_login_form.php" method="post">

<input type="username" id="user_name_login" name="user_name_login" placeholder="Username" required>
<input type="password" id="user_pass_word_login" name="user_pass_word_login" placeholder="Password" required>
<input type="submit" class="submit_user_login_form_button" id="submit_user_login_form_button" name="submit_registration_form_button" value="Log In">

</form>

</body>


 </html>

Here is verify_registration_form.php

<!DOCTYPE html>
<?php

session_start();

if($_SERVER['REQUEST_METHOD'] != 'POST') {

header("Location: index.php");


}else{

$connection = mysqli_connect("localhost", "root", "", "websiteusers");

if(!$connection) {

echo "Could not connect to MYSQL database";

}

echo "Succesfully connect to MYSQL database";

$connection = mysqli_connect("localhost", "root", "", "websiteusers");
$username = mysqli_real_escape_string($connection, $_POST["user_name"]);
$userpassword = mysqli_real_escape_string($connection, $_POST["user_pass_word"]);
$hasheduserpassword = password_hash($userpassword, PASSWORD_DEFAULT);
$useremail = mysqli_real_escape_string($connection, $_POST["user_email"]);
$sql = "SELECT UserEmail FROM websiteusers WHERE UserEmail='$useremail'";
$result = mysqli_query($connection, $sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);



if(mysqli_num_rows($result) == 1) {

echo "That email adress is already taken. Please choose another email adress";


}else{

$query = mysqli_query($connection, "INSERT INTO websiteusers (UserName, UserPassWord, UserEmail) VALUES ('$username', '$hasheduserpassword', '$useremail')");

if($query) {

echo "You are now registered!";


$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header("Location: home.php");



}else{

echo "Could not create new account";

}

}



}



// }





?>
<html>

<head>


</head>

<body>



</body>


</html>

Here is home.php

<!DOCTYPE html>
<?php

session_start();

if(!isset($_SESSION['username'])) {


header('Location: index.php');

}



?>
<html>

<head>


</head>


<body>

<?php

echo $_SESSION["success"];


?>

<?php if (isset($_SESSION['username'])) : ?>

<p>Welcome <?php echo $_SESSION['username']; ?>


<br><br>

<form action="logout.php" method="post">
<input type="submit" id="logoutbutton" name="logoutbutton" class="logoutbutton" value="Logout">
</form>

Here is logout.php

<!DOCTYPE html>
<?php
if(isset($_POST["logoutbutton"])) {
session_destroy();
session_unset();
unset($_SESSION['username']);
unset($_SESSION['success']);
header("Location: index.php");

}else{

}
?>
<html>
<head>


</head>
<body>
</body>
</html>

Answer 1

Change your logout.php

<?php
    if(isset($_POST["logoutbutton"])) {
        session_start();
        session_unset();
        session_destroy();
        header("Location: index.php");
    }
?>