Clicking on logout button refreshing the page in php

Question

I have created a page as index.php and added the code for login. It is working fine for me but when I click on logout button it is refreshing the page and if I am entering URL directly like localhost/sample/testing.php it's opening if I am not logged as well. User cannot access any page until he is logged in. Here is the code which I have Written. I have used static data to login because there is no database.

Index.php

<?php
 session_start();
 $userinfo = array(
            'user1'=>'password1',
            'user2'=>'password2'
            );
if(isset($_GET['logout'])) {
  $_SESSION['username'] = '';
  header('Location:  ' . $_SERVER['PHP_SELF']);
}
if(isset($_POST['username'])) {
  if($userinfo[$_POST['username']] == $_POST['password']) {
      $_SESSION['username'] = $_POST['username'];
      header("Location:  dashboard.php");
  }else {
     header("Location:  index.php");
  }
}
?>

Sidebar.php

<?php if($_SESSION['username']): ?>
<ul>
    <li class="dropdown profile_details_drop">
        <a href="#" class="dropdown-toggle" data-toggle="dropdown" aria-expanded="false">
            <div class="profile_img">
                <div class="user-name">
                    <p><a href="?logout=1">Logout</p>
                </div>
                <div class="clearfix"></div>
            </div>
        </a>
    </li>
</ul>
<?php endif; ?>

If any user is not logged in then also they are able to see the inner pages. They cannot see the page until they log in.

Answer 1

You have set $_SERVER['PHP_SELF'] . thats why it is redirecting to same page. you need to change that for eg: login.php

if(isset($_GET['logout'])) {
  unset($_SESSION['username']);// do not set it as empty, unset it
  //header('Location:  ' . $_SERVER['PHP_SELF']);//change this line to
 header('Location:  login.php');
}

and another error is in your else condition you are redirecting it to index.php which is why the non-logged in user able to see the index page.

else {
  //header("Location:  index.php");// change this to
  header('Location:  login.php');
}

NOTE: I have added login.php only for eg. redirect the non-logged in user to where you want.

Answer 2

First of all, your code should me beautified.

Second of all, you have forget to close your a href tag, thus not your $_GET statement isset is true. Therefore, by clicking the link, the page is checking again for if(isset($_POST['username'])) which is true, and you are redirected cause of your headers.

Consider of making a logout.php where you use session_destroy and session_unset and you redirect your users to login.php , for example:

logout.php:

<?php
session_start();
session_unset($_SESSION['username']);
session_unset();
session_destroy();
header('Location: login.php');
?>

Finally, consider of not using $_GET , but prefer $_POST or $_SESSION variables, only for the reason that are not visible on the URL.

Answer 3

First of all, destroy the session when you log out. And redirect it to Login Page. Suppose index.php is the login page.

 if(isset($_GET['logout'])) {
     session_start();
     session_destroy();
    header('Location: index.php');
 }

In the sidebar.php, check the session is set or not. If the session is not set means the user is not login. You can prevent them to access the page by redirecting them to login page

 <?php
 session_start();
 if (!isset($_SESSION["username"]))
{  
    header("location: index.php");
 } ?>

 <ul> <li class="dropdown profile_details_drop"> <a href="#" class="dropdown-toggle" data-toggle="dropdown" aria-expanded="false"> <div class="profile_img"> <div class="user-name"> <p> <a href="?logout=1">Logout</p> </div> <div class="clearfix"></div> </div> </a> </li> </ul> 

Answer 4

Unset the session variable in logout:

unset($_SESSION['username']);

Instead of assigning to empty string:

$_SESSION['username'] = '';