
Logout Help [Sessions/Cookies]

Posted: Tue Feb 07, 2006 4:17 am
by jayshields
Hi.

Reet. This is my problem.

I have HTTP authentication in my application, this is in a script called login.php.

login.php:

<?php

//Start the session
session_start();

//If the username session isn't set
if(!isset($_SESSION['username'])) {
	//PHP only fills these two entries when the browser sent an Authorization header, so check before reading them
	$auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
	$auth_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

	//If the submitted username and password do not match those required
	if($auth_user !== SITE_USER || $auth_pass !== SITE_PASS) {
		//Prompt for login
		header('WWW-Authenticate: Basic realm="Wright & Shields Vehicle Management System"');

		//Show an unauthorized page if cancel is clicked
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization required.';

		//Stop here: without this the page that included login.php is still sent out along with the 401
		exit;
	} else {
		//Log the user in
		$_SESSION['username'] = $auth_user;
	}
}

?>
The constants used above are defined in a file called config.php. The contents are quite predictable so I won't post the code.

Anyway, pages I want to protect start like this:

index.php

<?php

//Get the config
require('includes/config.php');

//Show the login
require('includes/php/login.php');

//Set the page title and include the HTML header
$page_title = 'Welcome';
include('includes/html/header.html');

//Show some gibberish introduction (escape the name before it goes into the HTML)
echo '<b><u>' . htmlspecialchars($_SESSION['username']) . '</u>, Welcome to the Wright &amp; Shields Vehicle Management System!</b><br />
<br />
Please navigate the system using the links at the top.<br />';

//Include the HTML footer
include('includes/html/footer.html');

?>
So, that works fine. It prompts me, I enter stuff correctly, it logs me in, and greets me appropriately.

Now, if I click logout.

logout.php

<?php

//Start the session
session_start();

//Do the logout before any output: setcookie() has to send a header, which fails once HTML has been echoed
if(isset($_SESSION['username'])) {
	//Log them out
	$_SESSION = array(); //Clear the session array

	//Wipe the user's session cookie, using PHP's own cookie name and parameters instead of a hard-coded PHPSESSID and path
	if(ini_get('session.use_cookies')) {
		$params = session_get_cookie_params();
		setcookie(session_name(), '', time()-42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
	}
	session_destroy(); //Destroy the session

	//Unsetting $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] here would only affect this request; the browser keeps its own copy
	$message = 'You are now logged out.';
} else {
	$message = 'You aren\'t logged in.';
}

//Show the HTML header
echo '
<html>
	<head>
		<title>Wright &amp; Shields Vehicle Management System: Log Out</title>
		<link rel="StyleSheet" href="includes/css/style.css" />
	</head>
	<body>
		<center>
		<a href="index.php"><img src="images/logo.jpg" border="0" alt="Wright &amp; Shields Vehicle Management System" /></a><br />
		<br />';

//Show the success or error msg
echo $message;

//Show the HTML footer
echo '
		<br />
		<br />
		<a href="index.php">Go Back</a><br />
		<br />
		&copy; Copyright <a href="http://www.wrightandshields.co.uk">Wright &amp; Shields</a> 2006.
		</center>
	</body>
</html>';

?>
It echoes "You are now logged out." Then, if I press Go Back or just type in the URL to a protected page, I'm logged in automatically! I can press log out again, and it will say "You are now logged out" again, and the same will happen. The only way to log out is to close the browser (...and effectively destroy the session).

I must be missing something, but I don't know what it is.

Help!!

Posted: Tue Feb 07, 2006 5:36 am
by Jenk
The user agent may have a "remember username and pass", so it automatically goes through the login process.

Posted: Tue Feb 07, 2006 5:40 am
by jayshields
The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?

Posted: Tue Feb 07, 2006 6:15 am
by Roja
jayshields wrote:The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?
It's a problem with the assumption. :)

HTTP_AUTH (Apache's auth) stays persistent for the user until they close their browser. The auth has already occurred, and they have a valid username, so it won't prompt them for their username again until they close their browser.

Either switch away from using http_auth, and make your own login system, or accept that "Logout" won't, until they close their browser. As far as I know, there isn't a way to invalidate an http_auth once it is successful without the user closing their browser.

Posted: Tue Feb 07, 2006 7:08 am
by jayshields
Thanks for that, never knew that.

I don't wanna make my own login as I just wanted to make a generic login script that I can include in other apps.

I'll just scrap my Logout section.

Posted: Tue Feb 07, 2006 8:32 am
by Jenk
A simple login system is barely different to your system, instead of $_SERVER['HTTP_AUTH'] just use a POST form to enter the details, then store those in the cookie much like you are already doing :)

Logout is simply a case of clearing the cookies after that :)
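
The form-plus-session login Jenk describes, written out as an added example (this is not code from the thread or from the Wright & Shields application). It assumes PHP 7.1 or later and a config.php that defines SITE_USER together with SITE_PASS_HASH, a hypothetical constant holding a password_hash() output; with the thread's plaintext SITE_PASS you would compare with hash_equals() instead. The HTML is deliberately bare so the including site's CSS can style it, which was the portability concern raised above. Because the credentials live only in the server-side session, clearing that session is a real logout.

```php
<?php
// Added example: form-based login/logout drop-in for pages that currently
// require('includes/php/login.php'). Assumptions: PHP 7.1+, config.php defines
// SITE_USER and SITE_PASS_HASH (hypothetical; a password_hash() string).
require('includes/config.php');

ini_set('session.cookie_httponly', '1');   // keep the session cookie away from scripts
ini_set('session.use_only_cookies', '1');  // never accept a session ID in the URL
session_start();

function is_logged_in(): bool
{
    return isset($_SESSION['username']);
}

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf'];
}

function try_login(string $user, string $pass): bool
{
    // hash_equals() compares in constant time; password_verify() already does.
    $user_ok = hash_equals(SITE_USER, $user);
    $pass_ok = password_verify($pass, SITE_PASS_HASH);
    if (!$user_ok || !$pass_ok) {
        return false;
    }
    session_regenerate_id(true);   // new ID at login: blocks session fixation
    $_SESSION['username'] = $user;
    return true;
}

function logout(): void
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the name and parameters PHP actually used.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Handle posts before any HTML goes out, so redirects and cookies can still be sent.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token_ok = isset($_POST['csrf']) && hash_equals(csrf_token(), $_POST['csrf']);
    if ($token_ok && isset($_POST['logout'])) {
        logout();
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    if ($token_ok && isset($_POST['username'], $_POST['password'])
        && try_login($_POST['username'], $_POST['password'])) {
        header('Location: ' . $_SERVER['SCRIPT_NAME']);   // redirect-after-POST
        exit;
    }
    $error = 'Wrong username or password.';
}

if (!is_logged_in()) {
    // Anonymous visitor: show the form and send nothing else from the including page.
    echo '<form method="post" class="login">';
    echo isset($error) ? '<p class="error">' . h($error) . '</p>' : '';
    echo '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">';
    echo '<label>Username <input name="username" autocomplete="username"></label>';
    echo '<label>Password <input type="password" name="password" autocomplete="current-password"></label>';
    echo '<button type="submit">Log in</button></form>';
    exit;
}

// Authenticated from here on. The including page can echo $logout_form wherever it wants the button.
$logout_form = '<form method="post"><input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
             . '<button type="submit" name="logout" value="1">Log out</button></form>';
```

The two things that differ from the thread's logout.php are that the cookie is cleared before any output (setcookie() is a header, so it silently fails once HTML has been echoed) and that the cookie name and path come from session_name() and session_get_cookie_params() rather than being hard-coded, so the drop-in keeps working if either is changed in php.ini.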

Posted: Tue Feb 07, 2006 8:35 am
by jayshields
Yeah - I know.

I'm mainly talking about the HTML form I would have to make. I wouldn't be able to just port it across websites because of the styling, but saying that, if it was totally CSS dependent then it would port across OK...

I might do it later :P

Posted: Tue Feb 07, 2006 12:31 pm
by josh
Isn't one of the main points of CSS that you can move code from one site to another and it changes its style to adapt to the new site?

Posted: Tue Feb 07, 2006 3:35 pm
by shiflett
jayshields wrote:The user agent is me, and I never ticked the Remember Username + Password option in the pop-up. I'm sure it's a problem with the code somewhere... :?
User agent is a less restrictive term for browser, because browsers aren't the only HTTP clients that act on behalf of a user.

Most browsers remember the username and password used in HTTP authentication and will continue to present them for protected resources. In other words, the server is requiring authentication for every protected resource, but the browsers are authenticating automatically.

Hope that helps.
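
What Roja and shiflett describe can be watched without a browser. The script below is an added example, not code from the thread: server() is a toy stand-in for what login.php does with the Authorization header (it is also where PHP's PHP_AUTH_USER and PHP_AUTH_PW values come from), and FakeBrowser models a browser's per-realm credential cache. The credentials, realm name and session store are constructed for the example.

```php
<?php
// Added example: simulate the HTTP Basic exchange between a browser that
// remembers credentials and a server whose "logout" only clears its session.
// Everything here is constructed for illustration. Run with: php basic_auth_sim.php

const SITE_USER = 'admin';
const SITE_PASS = 'secret';
const REALM     = 'Wright & Shields Vehicle Management System';

// Server side: one request in, array(status, headers) out. $sessions stands
// in for PHP's session store, the only thing logout.php is able to clear.
function server(array $request, array &$sessions): array
{
    $user = $pass = null;
    if (isset($request['Authorization'])
        && preg_match('/^Basic\s+(\S+)$/i', $request['Authorization'], $m)) {
        // This decoding is exactly how PHP_AUTH_USER / PHP_AUTH_PW get filled in.
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            list($user, $pass) = explode(':', $decoded, 2);
        }
    }
    if ($user !== SITE_USER || $pass !== SITE_PASS) {
        // The challenge login.php sends; a browser answers it by prompting the user.
        return array(401, array('WWW-Authenticate' => 'Basic realm="' . REALM . '"'));
    }
    $sessions[$request['cookie']] = $user;   // same as $_SESSION['username'] = ...
    return array(200, array());
}

// Client side: a browser that keeps credentials per realm until it is closed.
class FakeBrowser
{
    private $cache = array();   // realm => "user:pass"
    private $prompt;            // callback standing in for the login dialog
    public  $prompts = 0;       // how many times the user actually saw the dialog

    public function __construct(callable $prompt)
    {
        $this->prompt = $prompt;
    }

    public function get(string $path, array &$sessions): int
    {
        $req = array('path' => $path, 'cookie' => 'sid-1');
        if (isset($this->cache[REALM])) {
            // No dialog: the remembered credentials ride along automatically.
            $req['Authorization'] = 'Basic ' . base64_encode($this->cache[REALM]);
        }
        list($status, $headers) = server($req, $sessions);
        if ($status === 401 && isset($headers['WWW-Authenticate'])) {
            // Ask the user once, remember the answer for this realm, retry.
            $this->prompts++;
            $this->cache[REALM] = call_user_func($this->prompt);
            $req['Authorization'] = 'Basic ' . base64_encode($this->cache[REALM]);
            list($status, $headers) = server($req, $sessions);
        }
        return $status;
    }
}

$sessions = array();
$browser  = new FakeBrowser(function () { return SITE_USER . ':' . SITE_PASS; });

printf("first visit:  status %d, prompts so far %d\n", $browser->get('/index.php', $sessions), $browser->prompts);
$sessions = array();   // logout.php: $_SESSION = array(); session_destroy();
printf("after logout: status %d, prompts so far %d\n", $browser->get('/index.php', $sessions), $browser->prompts);
```

The second visit succeeds and the prompt counter does not move, because the browser resends the cached Authorization header and the server, as it must, accepts valid credentials; nothing logout.php did to the session is consulted. The one lever the server does have is the 401 itself: the PHP manual notes that browsers clear their cached credentials for a realm when they receive a fresh 401 for it, so a logout.php that answers 401 forces a new prompt in most browsers. That is a browser behaviour rather than a protocol guarantee, which is why the form-based login is the reliable route.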

Posted: Tue Feb 07, 2006 4:12 pm
by jayshields
I understand what you're saying, but I misunderstood the term user agent. I wasn't thinking. I know what you mean, but I'm using IE6 at the moment, and there's a "Remember username and password" checkbox, which I left unchecked. As far as I'm aware, without that checked it shouldn't retain the authentication data across pages, but anyway, it's sorted now.

Thanks for all the help.

Posted: Tue Feb 07, 2006 4:20 pm
by Roja
jayshields wrote:I'm using IE6 at the moment, and there's a "Remember username and password" checkbox, which I left unchecked. As far as I'm aware, without that checked it shouldn't retain the authentication data across pages, but anyway, it's sorted now.
Two totally different things.

That checkbox controls whether IE will remember *form fields you fill out* (which just happen to usually be username and password fields).

Authentication (while usually granted based on those fields) is not the same thing. HTTP_AUTH is totally separate from that checkbox.

As before, if you made your own login form, THEN that checkbox WOULD apply.

Posted: Tue Feb 07, 2006 4:55 pm
by shiflett
Yeah, Firefox has the same option. It is very misleading from a developer's perspective, but not from a user's perspective. They think authentication is happening only when they're prompted for a username and password.

By remembering the credentials, a browser just populates the fields the next time it would normally prompt the user - it doesn't affect when the user is prompted.