Logout not working

fean0r

I am using the below code to logout from my site except you have to hit logout twice for it to work?

On the first attempt you get the warning "Unable to logout please try again" from my code but if you hit it again it works.

I cant see any problems with this code, any ideas?

<?
session_start();
header("Cache-control: private"); //IE 6 Fix

# Delete Cookie
setcookie ("retro_info", "", time() - 60000);

$_SESSION['loggedin'] = FALSE;
$_SESSION['username'] = FALSE;
$_SESSION['userlevel'] = FALSE;
$_SESSION['userid'] = FALSE;

session_unregister('loggedin');
session_unregister("username");
session_unregister("userlevel");
session_unregister("userid");

# Destroy Session
session_start();
$_SESSION = array();
session_destroy();

# Display Page
include ('default/header.php');
include ('default/menu.php');
include ('default/latest.php');
if($_SESSION['loggedin']){ echo "<font color='#FFFFFF' size='1' face='Verdana, Arial, Helvetica, sans-serif'>Unable to logout please try again.</font>"; }
else {
echo "<font color='#FFFFFF' size='1' face='Verdana, Arial, Helvetica, sans-serif'>You're now logged out // You will be automatically forwarded</font>";
include("default/functions.php");
$redirect="index.php?page=home";
c4redirect($redirect);
}
include ('default/footer.php');
?>

Rodney_H_

I see a problem:

You call session_start() function twice. Once at the top of the page, and once here:

Destroy Session

session_start();
$_SESSION = array();
session_destroy();

I changed that and your code seems to work for me... firefox 1.5/windows 2K.

On a side note, I personally like to use session_unset() and then session_destroy() but, like I said, yours should work.... if you tailor it by removing the second call to the session_start function ... (at least it did for me on my box)...

fean0r

Cheers

I am still having the same problem though...

The header.php might be the problem but I dont understand how!

It checks if the session exisits, if not it looks for the cookie and if that exists re-logs the person in assuming the data is correct.

But I destroy the sessions AND the cookie before I call the header.php ...

Any other ideas?

fean0r

Thats the header.php Code

# Check if Logged In
if (!$_SESSION['loggedin']) {
# Check if remember cookie is set
if (isset($_COOKIE['retro_info']) ) {
# Get Cookie Data
$cookie_info = explode("-", $_COOKIE['retro_info']);
$c4id = $cookie_info[0];
$c4pass = $cookie_info[1];
include ('default/database.php');
# Check Dat is Correct
$sql = "SELECT ID FROM members WHERE ID='$c4id' AND password='$c4pass' LIMIT 1";
if(!($result = mysql_query($sql))) die(mysql_error());
if(mysql_num_rows($result) == 1) {
$items = mysql_query("SELECT * FROM members WHERE ID='$c4id'");
$myrow = mysql_fetch_array($items);
# Set Sessions
session_register("userid");
$_SESSION['userid']=$myrow["ID"];
session_register("loggedin");
$_SESSION['loggedin'] = "Yes";
session_register("username");
$_SESSION['username'] = $_REQUEST["username"];
session_register("userlevel");
$_SESSION['userlevel'] = "4";
# Re-Set Cookie
$cookie_info=$myrow["ID"]."-".$myrow["password"];
setcookie("retro_info", "$cookie_info", time()+2592000);
}
}
}

Rodney_H_

Do you include that on every page? Seems like that is a lot of overhead if you do that on everypage the user is logged in on...

This is what I like to do, generally:

1) Check the user login info and check it against the db values

2) If there is a match, create session and cookie values as needed, confirm success to user, and redirect if needed...

3) On pages with info for logged in user only, check the session and cookie values. If they do not exist, either display an error message saying he/she must login, or redirect the user to the login page with an error code in the q-string. ex:

header("Location: http://domain.com/login?error=2");

So, To be honest, I think you can simplify what you are doing. Either that, or what you ARE doing is above my head LOL!!

fean0r

Its design that way so if people use "remember me" it logs them in automatically.

fean0r

Fixed.. for some reason the cookie did not delete until you redirected to a new pages so I modified my code not to use header.php on the logout page.

Thanks for your help.

Rodney_H_

Oh, I wish I could take credit for helping you, feanOr. But I AM glad you figured it out!

MarkR

I think that session_destroy() will not unset the contents of $_SESSION, only delete the session so it can't be used again in the future.

For the rest of the page, $SESSION persists (Unless you unset it, perhaps $SESSION = array() would do that)

Mark

Rodney_H_

Hence the suggestion to use both, session unset AND session destroy.