Login session information prevents double login

So I'm trying to prevent users from registering twice by disabling the login page if they can get there at all.

At the top of my page, I have:

<?php
session_start();
// empty() behaves like "!= true" but does not raise a notice when 'loggedin' was never set
if (empty($_SESSION['loggedin'])) {
    // run page...
}
else {
    echo "You are already logged in! If you believe this is an error, please let us know. Thanks!";
}
?>

      

Seems pretty straightforward, but even after logging out through the logout script below it repeats "you are already logged in".

Here is my script output:

session_start();
session_destroy();
$_SESSION = array();
header('Location: index.php');
exit;

      

On my login page, I:

session_regenerate_id();
$_SESSION['sess_user_id'] = $id;
$_SESSION['sess_username'] = $xusername;
$_SESSION['sess_gender'] = $gender;
$_SESSION['sess_homelat'] = $homelat;
$_SESSION['sess_homelng'] = $homelng;
$_SESSION['loggedin'] = true;

      

But that doesn't seem like a problem.

I am developing locally, if this changes anything?

EDIT: The solution seems to be to delete the cookie as below.



1 answer


You have the cleanup of the session variables and session_destroy backwards. You will want to do this instead:

session_start();
$_SESSION = array();
session_destroy();

      

As per the docs, you can also delete the session cookie so that everything is completely destroyed:



session_start();

$_SESSION = array();
$_SESSION['loggedin'] = false; // Just in case

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

session_destroy();

      

On your login page, do you have $_SESSION['loggedin'] = true; surrounded by any if-statement whatsoever? Check whether it is being set unintentionally by adding die('loggedin session var has been set!'); right after it.

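The guard, login and logout steps from this thread gathered into one helper file, as an added example that is not part of the question or the answer. The function names are hypothetical; the session keys are the ones used in the question.

```php
<?php
// Added example (hypothetical helper file, e.g. included by login.php and logout.php).

function ensure_session(): void
{
    // Start the session only once per request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Strict check that also copes with 'loggedin' being absent (fresh visitor).
function is_logged_in(): bool
{
    ensure_session();
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

// Call only after the submitted credentials have been verified.
function mark_logged_in(int $userId, string $username): void
{
    ensure_session();
    // true = delete the old session data, so the pre-login session ID stops working.
    session_regenerate_id(true);
    $_SESSION['sess_user_id']  = $userId;
    $_SESSION['sess_username'] = $username;
    $_SESSION['loggedin']      = true;
}

function log_out(): void
{
    ensure_session();
    $_SESSION = [];                        // clear the data held in this request
    if (ini_get('session.use_cookies')) {  // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // remove the server-side session data
}

// Login page guard:  if (is_logged_in()) { echo 'You are already logged in!'; exit; }
// Logout script:     log_out(); header('Location: index.php'); exit;
```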