How to logout a user in php?

Question

I am making a login system and I just got it to work, and now I am having difficulty making a logout feature for my website. Its not actually hosted yet, so security will come later. I have tried various uses of session_destroy and unset, but i cannot get it to work. Any help would be appreciated.

My PHP

<?php
session_start();
/*This is the equivalent of login.php*/
$database = "forum";  // the name of the database.
$server = "localhost";  // server to connect to.
$db_user = "root";  // mysql username to access the database with.
$db_pass = "";  // mysql password to access the database with.
$table = "members";    // the table that this script will set up and use.
$link = mysql_connect($server, $db_user, $db_pass);
mysql_select_db($database,$link);

if (isset($_POST['fsubmitted'])) {
// Get the data passed from the form
$username = $_POST['username'];
$pass = $_POST['pass'];

// Do some basic sanitizing
$username = stripslashes($username);
$pass = stripslashes($pass);
$encryptedpass = md5($pass);

$sql = "SELECT * from members where username = '$username' and password = '$encryptedpass'";
$result = mysql_query($sql);


$count = 0;

$count = mysql_num_rows($result);

if ($count == 1) {
     $_SESSION['loggedIn'] = "true";
    header("Location: index.php"); // This is wherever you want to redirect the user to
    exit();

} else {
     $_SESSION['loggedIn'] = "false";
     echo '<div class="errormsgbox">Your username and password combo was incorrect!</div>';
     var_dump($result);
    echo $sql;
}
}

if ($_SESSION['loggedIn'] = "true") {
    echo '<div class="success">You are now logged in!</div>';
}

if (isset($_SESSION['loggedin']) && (time() - $_SESSION['loggedin'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['loggedin'] = time(); // update last activity time stamp

?>

Answer 1

Use:

session_start();

With either of the following:

session_destroy();
session_unset();
unset($_SESSION["loggedin"]);
$_SESSION = array();

Answer 2

I can see two errors in your code:

• You have not started the session
• You have not told the code which session to unset/destroy

Starting the session:

Put this as the first line of your PHP code: session_start();

Logging out

Lets take a closer look at this block of code:

if (isset($_SESSION['loggedin']) && (time() - $_SESSION['loggedin'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}

You have not told the code which session to unset or destroy !

To do that, you must include a session variable inside of the parentheses.

Try this code:

if (isset($_SESSION['loggedin']) && (time() - $_SESSION['loggedin'] > 1800)) {
// last request was more than 30 minutes ago
session_unset($_SESSION['loggedin']);     // unset $_SESSION variable for the run-time 
session_destroy($_SESSION['loggedin']);   // destroy session data in storage
} 

All i did was, told the code which session to unset and destroy

UPDATE
Try this instead if that didn't quite work for you.

if (isset($_SESSION['loggedin']) && (time() - $_SESSION['loggedin'] > 1800)) {
// last request was more than 30 minutes ago
unset($_SESSION['loggedin']);     // unset $_SESSION variable for the run-time 
$_SESSION['loggedin'] = "false";
} 

Another good thing to take a look at is having a logout button. This is explained here: Logout button php

I hope this helped you out, and let me know if I can be of further help!

Answer 3

In your script to log someone out, simply have:

session_start();
unset($_SESSION);
session_destroy();

You should also call session_start() at some point in your login.php you have shown above.

Answer 4

I would try using this function:

function logout(){
    if(session_id() == '') { // start session if none found
        session_start();
    }

    session_unset();         
    session_destroy();
    unset($_SESSION['loggedIn']);
}

All you need to do to use this function is call logout(); where ever you want to have the person logged out.