forms - PHP Session destroy twice?
Upon entering the "secure" page, I have an if statement asking if the user is logged in, as shown below.
This statement baffles me, as the outcome of both branches is the same, but it is the only way for me to end the session when refreshing the page. So if I change the statement to if (!session == user) {session_destroy} else { continue with session }, refreshing the page will have the session going.
Edit: The if/else statement in session.php is the one I do not understand. How can I have an if/else statement with two equal outcomes and yet receive two different outcomes in practice? As I enter my login credentials, I enter session.php. If I refresh, I end up back at index.php. However, my statement claims that if I have session variables, then destroy the session. If I do not have session variables, destroy the session. What am I overlooking?
Secure page session.php below.
<?php
// To connection
require("includes/functions.php");
// Is the user logged in?
if(!isset($_SESSION['user'])) {
//If user not set, destroy session.
session_destroy();
header("Location: index.php");
exit();
} else {
//Here is the funky part, why have if condition with two predicted equal statements, but have two different outcomes.
// If set, destroy session.
session_destroy();
} //Then the anything below should be secure.
?>
My functions.php file (the included one) is actually a connection to the DB with a session_start(). The login_process.php page looks as follows.
<?php
// Connection
require_once("functions.php");
// Once the form has been submitted, the submitted name reappears, but it is empty at first.
$submitted_username = '';
// Is the form submitted?
if(!empty($_POST['login'])) {
    // Find username
    $query = "
        SELECT id, username, password, salt, email
        FROM users
        WHERE username = :username
    ";
    // The parameter values
    $query_params = array(
        ':username' => $_POST['username']
    );
    try {
        // Execute the query against the database
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    } catch(PDOException $ex) {
        die("Failed to run query: " . $ex->getMessage());
    }
    // Login bad first
    $login_ok = false;
    // Find user
    $row = $stmt->fetch();
    if($row) {
        // Check password
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        for($round = 0; $round < 65536; $round++) {
            $check_password = hash('sha256', $check_password . $row['salt']);
        }
        if($check_password === $row['password']) {
            // If match, login good.
            $login_ok = true;
        }
    }
    // If all good, session start.
    if($login_ok) {
        unset($row['salt']);
        unset($row['password']);
        // Issue here?
        $_SESSION['user'] = $row;
        // Redirect user to secret page.
        header("Location: session.php");
        exit;
    } else {
        // Tell the user they failed
        $login_failed = "<p class='clear floatleft'>Login Failed.</p>";
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
}
?>
The require_once in login_process.php is due to login_form.php being added as an include on every page, thus always creating a session_start();. See login_form below.
<?php include('login_process.php'); ?>
<form action="" method="post">
<!-- Sign in form -->
<label>Username</label>
<input type="text" name="username" value="<?php echo $submitted_username; ?>">
<label>Password</label>
<input type="password" name="password" value="">
<input type="submit" name="login" value="Login">
<input type="submit" name="signup" value="Sign Up">
</form>
<?php if(isset($login_failed)) {
echo $login_failed;
}
?>
The form is picked up from a tutorial; please understand that I am not yet capable of producing such a login form myself. I like to think that I understand the blocks of code, based on the comments I have created.
But I digest, I do not understand how the if/else statement in session.php can have two equal outcomes and render differently. So any help on this particular subject would be greatly appreciated.
This question may be a duplicate, I have read so many questions regarding sessions that I feel blind to finding any help.
Thanks in advance.
Answer
Solution:
Digress
Your code is doing exactly what it is written to do. Just as you think it is.
When a user inputs their credentials and is successful in login_process.php, the user is redirected to session.php to have their session destroyed. Why? Because the code says that if the user has nothing in $_SESSION['user'], then destroy the session.
OTHERWISE destroy the session.
So no matter what, the user's session is destroyed, successful login or not.
The reason you don't get redirected until a refresh is because after you log in --successfully-- your session is destroyed. Then on refresh (of the same page) you satisfy the !isset($_SESSION['user']) check, because $_SESSION['user'] no longer exists. Thus it redirects you to the homepage.
TL;DR session_destroy() cleared $_SESSION['user'], and a refresh on the same page causes the user to pass the first check of the if statement.
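As an added example (not code from the asker or the answerer), here is what session.php looks like once the else branch stops destroying the session: only the not-logged-in path and an explicit logout tear the session down, and the teardown also clears $_SESSION and the client cookie, which session_destroy() by itself does not do. It assumes, as the original does, that includes/functions.php calls session_start() and that login_process.php stores the user row (including a username column) in $_SESSION['user']; the logout form and the end_session() helper are this example's own, not the tutorial's.

```php
<?php
// Added example: corrected session.php gate.
// Assumes includes/functions.php calls session_start() (as on the original page)
// and that login_process.php stored the user row in $_SESSION['user'].
require("includes/functions.php");

/**
 * Tear the session down completely. session_destroy() alone only deletes the
 * server-side record: $_SESSION stays populated for the rest of this request
 * and the browser keeps its cookie, so clear both explicitly first.
 */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie with the same attributes it was set with.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Not logged in: clean up and send the visitor back to the login page.
// This is the ONLY place a missing $_SESSION['user'] should end the session.
if (!isset($_SESSION['user'])) {
    end_session();
    header("Location: index.php");
    exit();
}

// Logged in. The session is kept alive across refreshes; only an explicit
// logout (a POST, so a plain link cannot trigger it) destroys it from here.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    end_session();
    header("Location: index.php");
    exit();
}

// Everything below this point runs only for a logged-in user.
$user = $_SESSION['user'];
echo "<p>Logged in as "
    . htmlentities($user['username'], ENT_QUOTES, 'UTF-8')
    . "</p>";
echo '<form action="" method="post">'
    . '<input type="submit" name="logout" value="Log out">'
    . '</form>';
?>
```

One related change belongs in login_process.php rather than here: calling session_regenerate_id(true) immediately before $_SESSION['user'] = $row; gives the user a fresh session ID at login, so a session ID the browser carried in before authenticating is never promoted to a logged-in one.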