Logout Help [Sessions/Cookies]

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Hi.

Reet. This is my problem.

I have HTTP authentication in my application, this is in a script called login.php.

login.php:


<?php

//Start the session
session_start();

//If the username session isn't set
if(!isset($_SESSION['username'])) {
	//If the submitted username and password do not match those required
	if(!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
		|| $_SERVER['PHP_AUTH_USER'] !== SITE_USER || $_SERVER['PHP_AUTH_PW'] !== SITE_PASS) {
		//Prompt for login
		header('WWW-Authenticate: Basic realm="Wright & Shields Vehicle Management System"');

		//Show an unauthorized page if cancel is clicked
		header('HTTP/1.0 401 Unauthorized');

		//Stop here, otherwise the including page still renders its protected content
		exit;
	} else {
		//Log the user in
		$_SESSION['username'] = $_SERVER['PHP_AUTH_USER'];
	}
}

?>
The constants used above are defined in a file called config.php. The contents are quite predictable so I won't post the code.

Anyway, pages I want to protect start like this:

index.php


<?php

//Get the config
require('includes/config.php');

//Show the login
require('includes/php/login.php');

//Set the page title and include the HTML header
$page_title = 'Welcome';
include('includes/html/header.html');

//Show some gibberish introduction
echo '<b><u>' . $_SESSION['username'] . '</u>, Welcome to the Wright & Shields Vehicle Management System!</b><br />
<br />
Please navigate the system using the links at the top.<br />';

//Include the HTML footer
include('includes/html/footer.html');

?>
So, that works fine. It prompts me, I enter stuff correctly, it logs me in, and greets me appropriately.

Now, if I click logout.

logout.php


<?php

//Start the session
session_start();

//Show the HTML header
echo '
<html>
	<head>
		<title>Wright & Shields Vehicle Management System: Log Out</title>
		<link rel="StyleSheet" href="includes/css/style.css" />
	</head>
	<body>
		<center>
		<a href="index.php"><img src="images/logo.jpg" border="0" alt="Wright & Shields Vehicle Management System" /></a><br />
		<br />';

//If the user is logged in
if(isset($_SESSION['username'])) {
	//Log them out
	$_SESSION = array(); //Clear the session array
	session_destroy(); //Destroy the session
	//Wipe the user's session cookie, using the real session cookie name rather than assuming 'PHPSESSID'
	setcookie(session_name(), '', time()-300, '/', '', 0);
	//These only affect the current request; the browser still holds the HTTP auth credentials
	unset($_SERVER['PHP_AUTH_USER']); //Unset the username
	unset($_SERVER['PHP_AUTH_PW']); //Unset the password
	
	//Show a success msg
	echo 'You are now logged out.';
} else {
	//Show an error
	echo 'You aren\'t logged in.';
}

//Show the HTML footer
echo '
		<br />
		<br />
		<a href="index.php">Go Back</a><br />
		<br />
		&copy; Copyright <a href="http://www.wrightandshields.co.uk">Wright & Shields</a> 2006.
		</center>
	</body>
</html>';

?>
It echoes "You are now logged out." Then, if I press Go Back or just type in the URL to a protected page, I'm logged in automatically! I can press log out again, and it will say you are now logged out again, and the same will happen. The only way to log out is to close the browser (...and effectively destroy the session).

I must be missing something, but I don't know what it is.

Help!!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

The user agent may have a "remember username and pass", so it automatically goes through the login process.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

jayshields wrote:The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?
It's a problem with the assumption. :)

HTTP_AUTH (Apache's auth) stays persistent for the user until they close their browser. The auth has already occurred, and they have a valid username, so it won't prompt them for their username again until they close their browser.

Either switch away from using http_auth, and make your own login system, or accept that "Logout" won't, until they close their browser. As far as I know, there isn't a way to invalidate an http_auth once it is successful without the user closing their browser.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Thanks for that, never knew that.

I don't wanna make my own login as I just wanted to make a generic login script that I can include in other apps.

I'll just scrap my Logout section.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

A simple login system is barely different to your system, instead of $_SERVER['HTTP_AUTH'] just use a POST form to enter the details, then store those in the cookie much like you are already doing :)

Logout is simply a case of clearing the cookies after that :)
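The form-and-session approach Jenk describes, as an added example that is not code from the thread: a drop-in replacement for the HTTP-auth login.php above. It assumes config.php defines SITE_USER and a hypothetical SITE_PASS_HASH (a password_hash() of the password) in place of SITE_PASS, and that protected pages call require_login() after including config.php.

```php
<?php
// Added example, not the original poster's code. Assumes config.php defines
// SITE_USER and SITE_PASS_HASH (password_hash() output) instead of SITE_PASS.

session_start();

// Call from logout.php: wipes server-side state and the session cookie.
// Because the browser holds no HTTP-auth credentials, nothing re-logs it in.
function logout(): void
{
    $_SESSION = array();
    // Expire the cookie under whatever name the session actually uses,
    // and with the same path/domain it was set with, or the browser keeps it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page instead of including login.php.
function require_login(): void
{
    if (isset($_SESSION['username'])) {
        return;
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && isset($_POST['username'], $_POST['password'])
        && hash_equals(SITE_USER, $_POST['username'])
        && password_verify($_POST['password'], SITE_PASS_HASH)) {
        // Fresh session id on login so a pre-set id cannot be fixated.
        session_regenerate_id(true);
        $_SESSION['username'] = $_POST['username'];
        return;
    }
    // Not logged in: show the form and stop, so the protected page never renders.
    header('HTTP/1.0 401 Unauthorized');
    echo '<form method="post" action="">'
       . 'Username: <input type="text" name="username" /><br />'
       . 'Password: <input type="password" name="password" /><br />'
       . '<input type="submit" value="Log In" /></form>';
    exit;
}
```

The browser's "remember password" checkbox now applies only to this form, so unchecking it and visiting logout.php really does end the session.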
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Yeah - I know.

I'm mainly talking about the HTML form I would have to make. I wouldn't be able to just port it across websites because of the styling, but saying that, if it was totally CSS dependent then it would port across OK...

I might do it later :P
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Isn't one of the main points of CSS that you can move code from one site to another and it changes its style to adapt to the new site?
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

jayshields wrote:The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?
User agent is a less restrictive term for browser, because browsers aren't the only HTTP clients that act on behalf of a user.

Most browsers remember the username and password used in HTTP authentication and will continue to present them for protected resources. In other words, the server is requiring authentication for every protected resource, but the browsers are authenticating automatically.

Hope that helps.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

I understand what you're saying, but I misunderstood the term user agent. I wasn't thinking. I know what you mean, but I'm using IE6 at the moment, and there's a "Remember username and password" checkbox, which I left unchecked. As far as I'm aware, without that checked it shouldn't retain the authentication data across pages, but anyway, it's sorted now.

Thanks for all the help.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

jayshields wrote:I'm using IE6 at the moment, and there's a "Remember username and password" checkbox, which I left unchecked. As far as I'm aware, without that checked it shouldn't retain the authentication data across pages, but anyway, it's sorted now.
Two totally different things.

That checkbox controls whether IE will remember *form fields you fill out* (which just happen to usually be username and password fields).

Authentication (while usually granted based on those fields) is not the same thing. HTTP_AUTH is totally separate from that checkbox.

As before, if you made your own login form, THEN that checkbox WOULD apply.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Yeah, Firefox has the same option. It is very misleading from a developer's perspective, but not from a user's perspective. They think authentication is happening only when they're prompted for a username and password.

By remembering the credentials, a browser just populates the fields the next time it would normally prompt the user - it doesn't affect when the user is prompted.