I have made this simple login script (without accessing the database) but the session remains active (after closing the browser) even if the 'remember me' button is not checked. How do I correct this...
<?php
define('LOGIN_URL', '/ab_batch/login/newlogin.php');
session_start();
$display_user = false;
$loginForm = [
'username' => [
'value' => '',
'error' => false,
'err_msg' => ''
],
];
if ( isset($_POST['submit']) ) {
$username = trim($_POST['username']);
$remember = ( isset($_POST['remember']) && '1' == $_POST['remember'] ) ? true : false ;
if ( empty($username) ) {
$loginForm['username']['error'] = true;
$loginForm['username']['err_msg'] = "required";
}
else {
$loginForm['username']['error'] = false;
$_SESSION['username'] = $username;
if ($remember) {
setcookie('my_cookie', $username, 180+time() , '/');
}
}
}
if ( isset($_GET['action']) && 'logout' == $_GET['action'] ) {
if ( isset($_COOKIE['my_cookie']) && !empty($_COOKIE['my_cookie']) ) {
setcookie('my_cookie' , null , -3600+time() , '/');
}
session_destroy();
header('Location: ' . LOGIN_URL);
exit();
}
$session_user = null;
if ( isset($_COOKIE['my_cookie']) && !empty($_COOKIE['my_cookie']) ) {
$_SESSION['username'] = $_COOKIE['my_cookie'];
}
if ( !$loginForm['username']['error'] && isset($_SESSION['username']) ) {
$session_user = $_SESSION['username'];
$display_user = true;
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login</title>
<style type="text/css">
.reqd {
color: red;
}
.result {
padding: 5px;
background-color: grey;
border: 1px solid black;
}
</style>
</head>
<body>
<?php if(!$display_user): ?>
<form action="" method="post">
<p>
<label for="username">Username: <span class="reqd">* <?php echo
$loginForm['username']['error'] ? $loginForm['username']['err_msg'] : ''; ?></span></label><br />
<input type="text" name="username" />
</p>
<p>
<label for="remember">Remember me </label>
<input type="checkbox" value="1" name="remember" />
</p>
<p>
<input type="submit" name="submit" value="Login" />
</p>
</form>
<?php else: ?>
<div class="result" >
<h3>Welcome <?php echo $session_user; ?> </h3>
<a href="?action=logout">Logout </a>
</div>
<?php endif; ?>
</body>
</html>
Below is the link to the source code
Sessions don't expire on the server just because the browser is closed. Sessions are server side. If you want to end the session on browser window closing, you would need to write a javascript AJAX request that calls session_destroy() on the server.
<script type="text/javascript">
window.onbeforeunload = function (event) {
// Make an ajax call to run session_destroy() on server
$.ajax({url: "your.server.com/path/session_destroy.php", success: function(result){
console.log(result);
}});
}
</script>
Then you would have a file on your server named session_destroy.php. That file would contain -
<?php
session_destroy();
This is an incredibly rudimentary implementation, but should accomplish what you're wanting to do.
Try this:
ini_set('session.cookie_httponly', true);
ini_set('session.use_cookies', true);
ini_set('session.use_only_cookies', true);
ini_set('session.use_trans_sid', false);
I hope this helps!