I would to set it up where if someone sends in a request "logout" it will automatically take them to a page saying "successful log out". If the customer tries to press the back button or go to the restricted area, it will ask for HTTP auth again.
What I have so far is this:
example.com/restricted/index.php:
<?php
session_start();
if(isset($_GET['logout']))
{
unset($_SESSION["login"]);
header("location: ../logout.php");
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($_SESSION["login"]))
{
header("HTTP/1.0 401 Unauthorized");
header("WWW-authenticate: Basic realm=\"Tets\"");
header("Content-type: text/html");
$_SESSION["login"] = true;
// Print HTML that a password is required
exit;
}
?>
// The rest of the page is then displayed like normal
The user successful visits example.com/logout.php if example.com/restricted/index.php?logout is accessed. When the user tries to go back however random things happen, sometimes it will ask for HTTP authentication twice (???) , sometimes it will keep asking for authentication in a loop (?) and sometimes it will let me go right back as if I never logged out.
I am new to how sessions work but my understanding is this: If/when the person is validated, it stores a variable in it's session called login with a value of true... if it every gets a GET request with logout, it will then delete that session variable and go back to logout.php... Why is it then when I click back to the index will it let me back in without asking for authentication, when session[login] is supposedly not set.
Any improvement to this PHP code is appreciated. I know I shouldn't use HTTP Basic and should incorporate SQL, but meh. This is a temporary solution.
Edit: I will accept a solution with MySQL if an example with instructions are included. I have no MySQL or PHP database knowledge (yet)
A rough idea to start you:
<?php
session_start();
if( isset( $_GET['logout'] ) )
{
session_destroy();
header('Location: ../logout.php');
exit;
}
if( !isset( $_SESSION['login'] ) )
{
if( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
{
header("HTTP/1.0 401 Unauthorized");
header("WWW-authenticate: Basic realm=\"Tets\"");
header("Content-type: text/html");
// Print HTML that a password is required
exit;
}
else
{
// Validate the $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW']
if( $_SERVER['PHP_AUTH_USER']!='TheUsername'
|| $_SERVER['PHP_AUTH_PW']!='ThePassword' )
{
// Invalid: 401 Error & Exit
header("HTTP/1.0 401 Unauthorized");
header("WWW-authenticate: Basic realm=\"Tets\"");
header("Content-type: text/html");
// Print HTML that a username or password is not valid
exit;
}
else
{
// Valid
$_SESSION['login']=true;
}
}
}
?>
// The rest of the page is then displayed like normal
I've found a way around it.
I have 2 files: index.php and logout.php
Here is my 'index.php' code:
# CHECK LOGIN.
if (!isset($_SESSION["loged"])) {
$_SESSION["loged"] = false;
} else {
if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) {
if (($_SERVER['PHP_AUTH_USER'] == L_USER) && (md5($_SERVER['PHP_AUTH_PW']) == L_PASS)) {
$_SESSION["loged"] = true;
}
}
}
if ($_SESSION["loged"] === false) {
header('WWW-Authenticate: Basic realm="Need authorization"');
header('HTTP/1.0 401 Unauthorized');
die('<br /><br />
<div style="text-align:center;">
<h1 style="color:gray; margin-top:-30px;">Need authorization</h1>
</div>');
}
And here is my 'logout.php' code:
session_start();
$_SESSION["loged"] = false; // We can't use unset($_SESSION) when using HTTP_AUTH.
session_destroy();
You can use the meta tag http-equiv="refresh"
with a very short response time (e.g. content="1"
). This refresh will clear any $_POST
.
if ( !isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!='myusername' || $_SERVER['PHP_AUTH_PW']!='mypassword' || isset($_POST['logout']) ) {
header('WWW-Authenticate: Basic realm="My protected area"');
header('HTTP/1.0 401 Unauthorized');
echo '<html><head><title>401 Unauthorized</title><meta http-equiv="refresh" content="1"></head><body><h1>401 Unauthorized</h1><p>You are not allowed to see this page. Reload the page to try again.</p></body></html>';
exit();
}