
Log out

Posted: Mon Dec 10, 2007 12:09 am
by thatsme

Code:

session_start();
require_once('general/require_once.php');
$member_id=$_SESSION[member_id'];

if(empty($member_id) || (!isset($_SESSION[member_id'])))
{
    header("Location: ".WEB_URL."/login.php");
}

session_unset();
session_destroy();
$_SESSION = array();

header("Location: ".WEB_URL."/login.php");

Is this code enough for logout?

Posted: Mon Dec 10, 2007 1:11 am
by jmut
Well, putting parse errors aside... I don't think $_SESSION can be accessed after you kill the session. Just put error_reporting(E_ALL) on top..and try it out. See if wanted behaviour. In general though, this should be ok

Code:

$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();

Posted: Mon Dec 10, 2007 4:50 am
by Mordred
exit() after header('Location ...)

Posted: Tue Dec 11, 2007 1:03 am
by crystal ship
' is missing there in your $_SESSION[member_id'].

Posted: Tue Dec 11, 2007 2:39 am
by s.dot
jmut wrote: Well, putting parse errors aside... I don't think $_SESSION can be accessed after you kill the session. Just put error_reporting(E_ALL) on top..and try it out. See if wanted behaviour.
It can. Well, sessions can't be accessed, but the variable '$_SESSION' can be set to an empty array, as can any other variable. It's just not actively tied to a session at that point.

Code:

$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();

That is good. :)

And yes, quote the whole index, $_SESSION['member_id'].

And as mentioned above, definitely call exit; after header(), although from what you posted, you're not sending any headers so it should be okay in that particular circumstance.
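
The points raised in the posts above, combined into one logout script as an added example (not code from any poster). WEB_URL and general/require_once.php are taken from the first post; redirect_and_exit() is a hypothetical helper. The cookie is expired with the parameters PHP reports for it, since a hard-coded '/' path only removes a cookie that was set with that path.

```php
<?php
// Added example, not part of the original thread.
require_once('general/require_once.php'); // assumed to define WEB_URL, as in the first post

session_start(); // resume the current session so it can be torn down

/**
 * Hypothetical helper: send the redirect, then stop the script.
 * Without exit, everything after header() still executes.
 */
function redirect_and_exit($url)
{
    header('Location: ' . $url);
    exit;
}

// Not logged in: nothing to tear down, go straight to the login page.
// empty() covers both "not set" and "empty value", so no isset() is needed.
if (empty($_SESSION['member_id'])) {
    redirect_and_exit(WEB_URL . '/login.php');
}

// 1. Drop the session data held in this request.
$_SESSION = array();

// 2. Expire the session cookie using the same path/domain/flags it was
//    issued with; a mismatch leaves the old cookie in the browser.
if (ini_get('session.use_cookies') && isset($_COOKIE[session_name()])) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']
    );
}

// 3. Delete the server-side session data for this session ID.
session_destroy();

redirect_and_exit(WEB_URL . '/login.php');
```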

Posted: Tue Dec 11, 2007 5:35 am
by onion2k
That seems a bit brutal to me. I prefer to keep track of what session variables my applications use, and then unset the ones I need to unset when a user logs out. Unsetting all of them is often counterproductive .. for example, I find it useful to set things like the timestamp of the first hit on the site so I can track a user's path through the site. If you just get rid of everything when they log out you'd lose that sort of information.

Plus, an idea I've just had, I think it might be useful to track an array of all the users that are used in a session. That might be a handy indicator of abuse and/or password sharing by site admin.