Best way to make a script to logout


3

I am developing a system in which it is accessed with the login and password, once logged in the user has the option to logout, follows below my script:

if(isset($_SESSION['logado'])){
    session_destroy();
    header("Location:index.php");
}

I want to know if this is the right way to do this; this code is in a separate file.

Here is the button that performs the logout:

echo " <a href='doLogout.php'>Sair</a>";
  • 2

    Yes, if the login only uses sessions, the session should be destroyed. If there is a cookie, it should be destroyed as well.

2 answers

8


An additional issue with this logout, besides what @Papacharlie has already mentioned, is that any external link to the logout page hurts the user experience. The way it is, an accidental click in the history or a wrong autocomplete is enough and the user keeps getting "kicked out" of the session, "logging out" unintentionally.

Also, some malicious "competitor" could force your users to lose their session constantly with a mere invisible link on other sites (example: <script src="http://seusite/caminhodologout">).

Ideally, this logout page would receive a parameter that identifies the session. If it receives it, it logs out; if it does not, it shows "Confirm logout?" and the YES option uses a link with the parameter, so an "old" link to the logout would not work.

Simplified example of solution:

Logout link:

echo '<a href="doLogout.php?token='.md5(session_id()).'">Sair</a>';
// yes, MD5 is secure enough in this context (and this is only an example).

Logout page:

session_start();
$token = md5(session_id());
if(isset($_GET['token']) && $_GET['token'] === $token) {
   // clear everything that needs clearing on the way out.
   // I usually do not destroy the session but invalidate its data
   // to prevent some "necromancer" from recovering it. But let's keep it simple:
   session_destroy();
   header("location: http://exemplo.com.br/index.php");
   exit();
} else {
   echo '<a href="doLogout.php?token='.$token.'">Confirmar logout</a>';
}
  • I liked your method, tested it here in mine and it worked.

4

Generally, a login is a combination of sessions and cookies that guarantee the user's authenticity even after the browser closes. Assuming a simple login system that uses only sessions, you have 2 examples below. Be careful to call the session_start function at the right time.

1) If you have a page just for logout, you can simply use it this way:

session_start();
session_destroy();
header("location: http://www.dominio.com.br/index.php");

2) If your application is different from the above example, you can use:

session_start(); // called previously

Removing the session:

if(isset($_SESSION['logado'])){
    // if you have any cookie related to the login, it must be removed as well
    session_destroy();
    header("location: http://www.dominio.com.br/index.php");
    exit();
}
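As an added example that belongs to neither answer above, here is one way to combine the first answer's confirmation step with the second answer's point about cookies: the token is random and stored in the session instead of being derived from the session id, the logout only happens on a POST carrying that token (so a plain link, a history entry or a <script src> on another site cannot trigger it), and the session cookie is expired along with the server-side data. The file name doLogout.php and the 'logado' key come from the question; the helper names and PHP 7.3+ (for the setcookie options array) are assumptions.

```php
<?php
// doLogout.php: confirm-then-logout with a random per-session token (added example).
session_start();

// Hypothetical helper: issues the per-session logout token on first use.
function logoutToken(): string
{
    if (empty($_SESSION['logout_token'])) {
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

// Hypothetical helper: ends the session, including the cookie in the browser.
function endSession(): void
{
    $_SESSION = [];                                   // drop server-side data first
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie with the same attributes it was issued with.
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

if (empty($_SESSION['logado'])) {
    header('Location: index.php');                    // nobody is logged in
    exit();
}

$token = logoutToken();
$sent  = $_POST['token'] ?? '';

// Only a POST carrying the token logs out; a GET (link, history, <script src>) just asks.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && hash_equals($token, $sent)) {
    endSession();
    header('Location: index.php');
    exit();
}

// Otherwise show the confirmation form; the token is escaped before being echoed.
echo '<form method="post" action="doLogout.php">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
   . '<button type="submit">Confirmar logout</button>'
   . '</form>';
```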
