Sorry for the repeated question, I saw some of them on this forum, but none of the answers worked for me ...
I am creating a basic login using PHP sessions, which I am new to ...
login.php checks the login form in HTML and starts the session by setting the variables $_SESSION['login'] and $_SESSION['id'];
then every page that requires a valid entry uses require 'session.php';, which checks the variable $_SESSION['valid'] and redirects the user without the correct boolean variable. The problem is that when you log out, not a single session variable that I set is cleared.
Currently, my logout.php file uses every method to destroy variables that I could find on the Internet, and none of them actually works.
Therefore, whenever I log out, I can still access the 'private' pages.
Also note: I tried this without the session name, e.g. session_start();, which did not work; now I am using session_start("user");
Also note: I do NOT use cookies.
Here are the files I mentioned:
login.php

    $email = $_POST['email-log'];
    $pass = $_POST['password-log'];
    $i = -1;
    do {
        $i++;
        $path = "users/" . $i . ".json";
        $file = file_get_contents($path);
        $x = json_decode($file, true);
    } while ($x['email'] != $email);
    $id = $i;
    $truepass = $x['pass'];
    $errors = 0;
    $hash = hash('sha256', $pass);
    if ($hash != $truepass) {
        $errors = $errors + 1;
    }
    if ($errors == 0) {
        session_start("user");
        $_SESSION['login'] = "valid";
        $_SESSION['id'] = $id;
        header('Location: loginlanding.php');
    } else {
        header('Location: front.php?error=y');
    }

session.php

    session_start("user");
    if ($_SESSION['login'] !== "valid") {
        header('Location: front.php?needto=login');
    }

logout.php

    unset($_SESSION);
    unset($_SESSION['login']);
    unset($_SESSION['id']);
    session_unset("user");
    $_SESSION = array();
    session_destroy("user");
    header('Location: front.php?logged=out');

All answers are welcome, and I thank you in advance, also note: I am new to logins in general, so any safety tips are also welcome. I plan to make it more secure, but first I need to run this basic functionality.
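
An added example, not part of the original post or the poster's code: one way to write the login, guard and logout steps described above so that logging out ends the session and a redirected visitor never receives the private page. The helper names are hypothetical; front.php and loginlanding.php are the pages named in the post.

```php
<?php
// Added example. Helper names are hypothetical; page names come from the post.

function start_user_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name('user');            // the name is set here; session_start() takes an options array
    session_start([
        'cookie_httponly' => true,   // keep the session ID away from page scripts
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // refuse session IDs the server did not issue
    ]);
}

function redirect(string $to): void
{
    header('Location: ' . $to);
    exit;                            // without exit the rest of the protected page still runs
}

function log_in(int $id): void
{
    start_user_session();
    session_regenerate_id(true);     // fresh ID at login, guards against session fixation
    $_SESSION['login'] = 'valid';
    $_SESSION['id'] = $id;
    redirect('loginlanding.php');
}

function require_login(): void       // call at the top of every private page
{
    start_user_session();
    if (($_SESSION['login'] ?? null) !== 'valid') {
        redirect('front.php?needto=login');
    }
}

function log_out(): void
{
    start_user_session();            // a session must be open before it can be destroyed
    $_SESSION = [];                  // clear the data held for this request
    if (ini_get('session.use_cookies')) {   // PHP carries the session ID in a cookie by default
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();               // remove the server-side session data
    redirect('front.php?logged=out');
}
```

For the password check, PHP's built-in password_hash() and password_verify() replace the unsalted hash('sha256', ...) comparison.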