I have the following login.php file:
<?php
require_once('conexao.php');

// FETCH DATA FROM FORM USING METHOD POST
// IF BUTTON NAME "LOGIN" IS SET
if (isset($_POST['login'])) {
    // FETCH DATA FROM INPUT FIELD
    $user = mysqli_real_escape_string($conexao, $_POST['usuario']);
    $pass = mysqli_real_escape_string($conexao, $_POST['password']);

    // CHECK THAT ALL FIELDS HAVE BEEN FILLED IN
    if ($user && $pass) {
        // QUERY FROM DATABASE
        $query = mysqli_query($conexao, "SELECT * FROM usuarios WHERE usuario='".$user."'");
        $checkuser = mysqli_num_rows($query);

        // CHECK IF USERNAME EXISTS IN DATABASE
        if ($checkuser != 1) {
            // SET A VARIABLE IF THE USER DOESN'T EXIST
            header("Location: ../login.php" . "?erro=3");
            exit(); // stop here so the script does not keep running after the redirect
        }

        // FETCH PASSWORD FROM DATABASE WHERE USERNAME MATCHES
        while ($row = mysqli_fetch_array($query)) {
            $checkpass = $row['senha'];

            // CHECK IF ENTERED PASSWORD MATCHES THE USER'S PASSWORD
            if ($pass == $checkpass) {
                // IF ALL OKAY SET SESSION
                setcookie("usuario", $user, time()+7200);
                $_SESSION['usuario'] = $user;
                $_SESSION['start'] = time();
                $_SESSION['expire'] = $_SESSION['start'] + (60 * 60 * 60);
                header("Location: ../admin.php");
                exit();
            } else {
                // SET VARIABLE THAT'LL SHOW IF USER PASSWORD IS INCORRECT
                header("Location: ../login.php" . "?erro=1");
                exit();
            }
        }
    } else {
        // SET VARIABLE IF NOT ALL FIELDS ARE FILLED IN
        header("Location: ../login.php" . "?erro=2");
        exit();
    }
}
?>
It is working OK: it goes to the panel, all right. However, inside the panel I have a "Logoff" button, which I want to return to the login screen and close the session. I've been reading that this would be done with unset. In that case, would logout.php only have an unset of $_SESSION['user']? Another thing I noticed in my code is that, by changing the URL to admin.php, the system takes the user to the panel without checking whether they are logged in or not.
I'm not going to risk an answer because I have to learn sessions... but take a look at the admin.php file, because you need to have started the session with session_start() or, in your case, with require_once('conexao.php'); and put a rule for when the user is not logged in. For example: if (!isset($_SESSION['user_id'])) { /* do something */ }. So if you are not logged in, it will execute what is between the braces and will not show the panel... – gustavox
About the logout, it is what Rafael said in the reply, but I think it is also good to do a $_SESSION = array(); before session_destroy(); to delete the variables, and if you have been working with cookies you have to set a time in the past for them, e.g.: setcookie('user_id', '', time() - 3600); – gustavox
Related question: http://answall.com/questions/31393/como-destrur-uma-sess%C3%A3o-espec%C3%Adfica/31423 – gustavox
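A session guard for admin.php and a logout routine for logout.php, combining the two comments above; this is an added example, not code from the question or the comments. The file name auth.php, the function names and the 'login.php' redirect target are assumptions; the session keys and the cookie name are the ones the question's login script sets.

```php
<?php
// auth.php: hypothetical helper (file and function names are assumptions).
// Relies on what the question's login script sets: $_SESSION['usuario'],
// $_SESSION['expire'] and the "usuario" cookie.

function start_session_once(): void
{
    // Safe even if conexao.php has already started the session.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// logout.php: require_once 'auth.php'; logout('login.php');
function logout(string $loginUrl): void
{
    start_session_once();
    $_SESSION = array();                  // drop every session variable

    if (ini_get('session.use_cookies')) { // expire the session-id cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // Expire the "usuario" cookie. The login script set it without a path,
    // so it is scoped to that script's directory; a deletion sent from
    // another directory needs that path as the fourth argument.
    setcookie('usuario', '', time() - 3600);

    session_destroy();                    // delete the server-side data
    header('Location: ' . $loginUrl);
    exit();                               // send nothing after the redirect
}

// First lines of admin.php: require_once 'auth.php'; require_login('login.php');
function require_login(string $loginUrl): void
{
    start_session_once();
    // Decide from server-side session data only; the "usuario" cookie is
    // sent by the browser and can hold any value.
    $loggedIn = isset($_SESSION['usuario'], $_SESSION['expire'])
        && time() < $_SESSION['expire'];
    if (!$loggedIn) {
        logout($loginUrl);                // clean up, redirect and exit
    }
}
```

Both calls must run before the page sends any output, because header() and setcookie() only work while the response headers are still unsent.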