This is the PHP code I have in my logout.php file:

<?php

session_start();
session_unset();
session_destroy();
header('Location: index.php');
exit();
?>

While starting the session, I set the variables username and password.
My logout file isn't working properly.

When I click logout, it leads me to my home page (index.php), but on clicking backspace I again go back to my profile page. What changes should I make in my logout.php file so that I'd stay on my home page even if I clicked backspace?
I know it is a simple code, but it is not working for me. Help a beginner out, please. Thanks in advance :)

All 29 Replies

do not indicate session start at logout.php

<?php session_destroy();
header('Location: localhost\yoursite\index.php');
?>

There's no exit(). And yet... the Location attribute file path is a syntax error.

The session has to be started, otherwise the browser will never know which session to destroy. You can use this code;

<?php
session_start();

session_destroy();
header('Location: index.php');
?>

Your code should work, as you have a redirect in logout.php, which means that if you were to press backspace after you've been redirected, you would end up in logout.php again, which would redirect you to index.php :o.

I tested your code on my server and it works OK. Clicking on Back button always brings me to index.php. Make sure you have no html before the code you posted (not even a space). If you have any html before a header() function, the function will not work.

commented: did it, still not working :/ +0

try adding unset($_SESSION); after session_start()

try adding unset($_SESSION); after session_start()

I wouldn't recommend that. See note here. This will disable the registering of session variables through the $_SESSION superglobal.

The whole idea behind the logout code is to simply tell the browser that your time has expired. Therefore the session_destroy() should work fine!!

Tried everything you all said. But still not working for me :/

remove the session unset since session destroy will also unset it directly

remove session unset..

Done, still no changes... :( I don't know what I'm doing wrong. It's not even a lengthy code :/

session_write_close();

Write this after your session_destroy..

I guess your problem is not the session unsetting at all but the HTTP header is not redirecting as you are expecting. Can you post the whole logout.php and how you get to it (e.g. by clicking a link)?

broj1 was right, post your code here along with the session variables. Otherwise session variables are not working in your browser in some sort, but that is less than 0% of probability.

This is probably the result of the browser showing you a cached copy of the previous (Profile) page and not actually resending the request to the server. Let me ask, on your profile page, are you definitely checking if a user is logged in (by checking the session) and then redirecting to your homepage if not? Your logout script seems perfectly fine, so I would assume the issue is on your profile page or your browser is caching the previous page. Try logging out, hitting back on your browser and then refreshing the profile page.

bops was right. I never thought of it that the cache can be connived with this problem; clear the cache. I suppose you set some cookie variables along with these caches. Clearing history could be a helpful thing; see what happens.

I have not put any other piece of code in my logout.php excepting this (which is the latest version after making all the changes as you all said.). One error in the code posted before is that index is an html file and not a .php file. Does it make a difference?

<?php
session_start();
session_unset();
session_destroy();
header('Location: index.html');
exit();
?>

And I have a link leading to it: <a href="logout.php">Logout</a>

I have the following code in my login file after I check if only 1 row was returned when the entries from the form matched with the db:

$user=$_POST['uname'];
$pwd=$_POST['password'];
session_start();
session_register("user");
if(!isset($_POST['user']))
{
    $_SESSION['user'] = $user;
    $_SESSION['pwd'] = $pwd;
}

And no, I'm not checking if a user is already logged in or not.

I refreshed the page after pressing backspace, keeps me on the same profile page.

I'm sincerely sorry if I've written/said something stupid, I'm just a beginner and coding using PHP for the very first time. Kindly let me know if I need to make changes in my login/logout files. Thanks!

If you want to send the user to the homepage when they are not logged in, you will need to check to see if someone is logged in on every page you want this to happen. If someone needs to be logged in to see this profile page you will need to check the session for a logged in user and then redirect them to the homepage if no one is logged in.

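<?php
session_start();
if (!isset($_SESSION["username"])) {
    // Not logged in: send the visitor to the home page and stop here,
    // so the rest of the page is never sent.
    header("Location: index.php");
    exit();
}

// Rest of your page here.
?>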

The above is a short example of what kind of code you should have on your "login required" pages.
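The per-page check described above, extended as an added example (not part of the original post) so that it also stops the browser from showing a stored copy of the page after logout. The file name auth_guard.php and the function names are hypothetical; the username session key is the one used in the post above.

```php
<?php
// auth_guard.php (hypothetical file name) - added example.
// Usage at the very top of each "login required" page, before any output:
//     require 'auth_guard.php';
//     require_login('index.php');

// Headers that tell the browser not to keep a copy of the page, so the
// Back button has to ask the server again instead of replaying the profile.
function no_store_headers(): array
{
    return [
        'Cache-Control: no-store, no-cache, must-revalidate, max-age=0',
        'Pragma: no-cache',
        'Expires: 0',
    ];
}

function require_login(string $homeUrl = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Sent explicitly so the result does not depend on the server's
    // session.cache_limiter setting.
    foreach (no_store_headers() as $line) {
        header($line);
    }

    // After logout the session is empty, so a re-requested page lands here.
    if (!isset($_SESSION['username'])) {
        header('Location: ' . $homeUrl);
        exit(); // without this the protected page would still be rendered
    }
}
```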

Okay. I'll put it in my files. And how do I get the logout code working? Will this checking that you mentioned above (i.e. if a user is logged in already or not) do it for me?

Yes, the log out code looks to be working fine at first glance. The login system would normally work in that, you check on each "login required" page if a user is logged in, if they are, display the page, if not redirect them somewhere to log in or wherever you want. The login script would create a session containing details specific to the logged in user, like the user id, username or something like that (There's actually a lot more to it with security etc but this is just basic). This means that when the user visits a "login required" page it will see that they are logged in, and not redirect them. To log out all you need to do is destroy the session since this is essentially the login flag. Good luck.
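A fuller logout.php for the flow discussed in this thread, as an added example that is not code from any poster: it clears the session data, expires the session cookie in the browser, and only then destroys the session and redirects. The redirect target index.html is the one named earlier in the thread.

```php
<?php
// logout.php - added example.
// Nothing (not even a blank line) may be output before this block,
// otherwise header() and setcookie() cannot send their headers.
session_start(); // needed so PHP knows which session to end

// 1. Empty the session data for the rest of this request.
$_SESSION = [];

// 2. Ask the browser to drop the session cookie. It must be sent with the
//    same path/domain the cookie was created with, or the browser keeps it.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000, // a time in the past expires the cookie
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Delete the session data stored on the server.
session_destroy();

// 4. Do not let the redirect response itself be stored, then leave.
header('Cache-Control: no-store');
header('Location: index.html');
exit();
```

On its own this does not stop the Back button from showing a protected page; that still requires the login check on the protected page itself.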

Thank you very much. I'm going to try to make the changes and let you know as soon as possible :)

The basic principle is:

At login page you create a session variable to store login information when login is successful. The login information might include the user rights level, i.e.:

if(<login successful and user level= admin>) {
    $_SESSION['user_level'] = 'admin';
}

On each secured page you first check if the user_level exists and if it is appropriate, i.e. on the admin page you would check:

if(isset($_SESSION['user_level']) && $_SESSION['user_level'] == 'admin') {

    // do admin stuff here
    ...

} else {
    header('location:logout.php');
    exit();
}

If login information is not correct the user will be redirected to logout page that will destroy the session and clean up whatever needed and redirect to login page.

Depends really on the system you want to implement. The point is basically that you need to check to see if someone is logged in on every page that requires someone to be logged in to view it. The log in and log out are simply an entrance and exit to the login system, whereas if you want to login protect a page you need to make sure that this "checking code" is being executed on all such pages. Hope it all works out for you.

One error in the code posted before is that index is an html file and not a .php file. Does it make a difference?

It's just fine redirecting to an html file... just make sure the path you want the program to redirect to exists.

this is your code

$user=$_POST['uname'];
    $pwd=$_POST['password'];
    session_start();
    session_register("user");
    if(!isset($_POST['user']))
    {
    $_SESSION['user'] = $user;
    $_SESSION['pwd'] = $pwd;
    }

this is the shorter one

    session_start();
    $user=$_SESSION['uname'];
    $pwd=$_SESSION['password'];
    // you don't need this anymore "session_register("user");"
    if(empty($_SESSION['uname']))
    {
    echo $uname = $_POST['uname']; //i echo it for checking
    echo $pwd = $_POST['password']; //i echo it for checking
    }

In your code there is an obstacle in my mind. Where does $_SESSION['pwd'] = $pwd; come from? Your $_SESSION['pwd'] comes out of nowhere. Inside the if block I echoed the $uname, which is equivalent to $_SESSION['uname'], and $pwd, which is equivalent to $_SESSION['password'], just for checking.

SESSION variables can either handle $_POST, $_GET, $_FILES. That's the fact. So in equivalent, session could be any one of the three.

as the next one which is below....

<?php
    session_start();
    session_unset();
    session_destroy();
    header('Location: index.html');
    exit();
    ?>

try this one

<?php
session_start();
//remove session_unset(), session_destroy is higher than session_unset();
session_destroy();
header('Location: index.html');
//there's no such function as this "exit();"
?>

it does not matter if index file name is of file type html or php.

Done :) Working fine for me! Thank you very much, you lot have helped me a great deal, especially masterjiraya and bops! But every time I find a solution to one problem, another two just pop up...!

Mark this as solved... and make another thread...
