logout problem in PHP with session

Question

I'm trying to make a login and logout script for a page but for some reason its not working very well for me. it seems to work fine until I try to logout. it seems to destroy the session variables, but it still lets me view the page. heres my login code:

Code: login.php

<?php
// Use session variable on this page. This function must put on the top of page.

session_start();
////// Logout Section. Delete all session variable.
session_destroy();
$Name=$_POST['Name'];
$Pass=$_POST['Pass'];

// To protect MySQL injection (more detail about MySQL injection)

$Name = stripslashes($Name);
$Pass = stripslashes($Pass);
$Name = mysql_real_escape_string($Name);
$Pass = mysql_real_escape_string($Pass);

$sql="SELECT * FROM reg1 WHERE uname='$Name' and pass='$Pass'";
$result=mysql_query($sql);
if(mysql_num_rows($result)!='0') // If match.
{
session_register("uname"); // Craete session username.
header("location:loged.php"); // Re-direct to loged.php
exit;
}else{ // If not match.
echo '<script type="text/javascript">
        window.alert("Wrong UserName And Password");
        window.location="index.php"
        </script>';
}

 // End Login authorize check.



?>

logout.php

---

<?php

// Inialize session
session_start();

// Delete certain session
unset($_SESSION['uname']);
// Delete all session variables
session_destroy();

// Jump to login page
 header("Location: index.php?msg=Successfully Logged out");
 }


?>

thanks to every one...

Answer 1

You are setting the session, but you are not checking it any where that whether it is set or not. means you are not checking that user is logged in or not.. you need to do like this

if (!isset($_SESSION['uname'])) /*If uname not set then it is a guest*/
{
    //page contents for guest user
}
else
{
   //page for authenticated user.
}

Answer 2

session_register() is deprecated as of PHP 5.3.0. Replace:

session_register("uname"); // Craete session username.

with:

$row = mysql_fetch_assoc($result);
$_SESSION['uname'] = $row['uname'];

Log out with (replacing session_destroy() ):

////// Logout Section.
unset($_SESSION['uname']);

The final result will look like:

<?php
// Use session variable on this page. This function must put on the top of page.
session_start();

// Logout Section
if (isset($_SESSION['uname']))
    unset($_SESSION['uname']);

// Login Section
$Name=$_POST['Name'];
$Pass=$_POST['Pass'];

// To protect MySQL injection (more detail about MySQL injection)
$Name = stripslashes($Name);
$Pass = stripslashes($Pass);
$Name = mysql_real_escape_string($Name);
$Pass = mysql_real_escape_string($Pass);

$sql="SELECT * FROM reg1 WHERE uname='$Name' and pass='$Pass'";
$result=mysql_query($sql);
if(mysql_num_rows($result)!='0') // If match. {
    $row = mysql_fetch_assoc($result);
    $_SESSION['uname'] = $row['uname'];
    header("Location: loged.php"); // Re-direct to loged.php
    exit;
} else { // If not match.
    echo '<script type="text/javascript">
        window.alert("Wrong UserName And Password");
        window.location="index.php"
        </script>';
}
?>

Logout script (syntax error fixed and session_destroy(); since unnecessary):

<?php
// Inialize session
session_start();

// Delete certain session
if (isset($_SESSION['uname'])) {
    unset($_SESSION['uname']);
}

// Jump to login page
 header("Location: index.php?msg=Successfully Logged out");
?>

How to check if logged in:

session_start();
if (isset($_SESSION['uname']))
{
    // logged in
}
else
{
   // not logged in
}

Answer 3

在您只想由登录用户访问的页面中，是否检查$ _SESSION ['uname']的值？

Answer 4

I think only session_destroy(); function is good enough to log you out. You need not to unset the 'uname'. And for those pages that will come after user logged in then you must apply some session check functionality at the top of each page...

Answer 5

if uname is the value you use to validate if the user is logged you should try to put first:

session_destroy(); and then the unset($_SESSION['uname'])

I hope this works for you....