Logout Script
Logout is kind of a luxury. It's mostly there to ensure the safety of your personal information. Many sites that deal with simple memberships and superficial data on non-secure servers don't even bother, and many people don't bother to log out of websites at all. More secure servers or servers hosting more sensitive data tend to have automatic logout features that trigger after a certain period of inactivity. In general, if you're on a computer no one else has access to, logging out is not important, but if you're in an office or someplace where others may access your machine, especially if the data in question is sensitive, log out!
There are 2 ways of dealing with logging out if you're programming in PHP. The first is the use of sessions. With sessions the server keeps track of session variables which can be retrieved for use on a website's pages using PHP code. Logouts are easy, as the only thing you need to do is to destroy the session. Fortunately, PHP has a built-in function for that:
session_destroy();
When this function is executed, all the session variables that you set up for the user will be destroyed. Here's the simplest logout you'll find:
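<?php
session_start();   // resume the current session so it can be destroyed
session_destroy(); // delete the session data stored on the server
?>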
Note that you have to start the session before destroying it, even though you've been using sessions throughout your pages! So that the user can log out from anywhere, you can add a logout link on your site's pages:
<A HREF = 'logout.php'>Log out</A>
When the user clicks this link, the log out script will be executed. If he tries to do anything else on the site, he'll be redirected to the login page.
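A fuller form of the session logout and the inactivity timeout described above, added here as an example and not part of the original tutorial. session_destroy() removes the server-side data but leaves $_SESSION and the browser's session cookie alone, so this clears both; the function names, the last_activity key and the 15-minute limit are assumptions.

```php
<?php
// Added example (hypothetical include file, e.g. session_guard.php).
// end_session(), require_active_session(), 'last_activity' and the
// 15-minute limit are assumptions, not names from the tutorial.

const IDLE_LIMIT_SECONDS = 900; // assumed inactivity window

// Destroy the session on the server and in the browser.
// Must run before any output, because it sends a cookie header.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // a session must be active before it can be destroyed
    }
    $_SESSION = []; // session_destroy() leaves $_SESSION populated in this request

    // Expire the session cookie so the browser stops presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // delete the session data from server-side storage
}

// Returns true if the session is logged in and was active within the limit;
// otherwise destroys it and returns false. $now is injectable for testing.
function require_active_session(?int $now = null): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = $now ?? time();
    // Assumption: login.php stores time() under this key on a successful login.
    $last = $_SESSION['last_activity'] ?? null;
    if (!is_int($last) || ($now - $last) > IDLE_LIMIT_SECONDS) {
        end_session();
        return false;
    }
    $_SESSION['last_activity'] = $now; // sliding window: activity resets the timer
    return true;
}

// logout.php:        end_session(); header('Location: login.php'); exit;
// protected pages:   if (!require_active_session()) {
//                        header('Location: login.php'); exit;
//                    }
```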
The second method of dealing with user login/logout, which we prefer due to the notorious security holes opened up using sessions, is POSTing the username to each page. This method uses the server and the browser (while sessions use the server only), as all POSTing does. The password is POSTed only during login, during the page reload that the login page needs to do to send form-entered data to itself. Other than that, only 'username' is POSTed as users (actually, administrators are the users in the references on this page) leave each website page. Once it is POSTed into each page's PHP script and stored in the $U variable, it is checked to see if it is set or not. If it is, the user is allowed to use the web page, and if not, he gets sent to the login script. In the login script, there's no way to get anywhere else on the site until an acceptable user name and password have been entered, so acceptance here is a must. Even though the $U variable is set when unacceptable login entries are made as well as acceptable ones, there is no way off the login page except with good inputs.
Note that entry into pages doesn't require a password, since the user has already proven himself valid. The actual entry into the MySQL database where all the tables are is given through a configure.php file hard-coded with the host's password, user name, and database name, which is added as an include file on most of the site's pages. No user or administrator gets to see any of the code on the site—especially that code! Only the PSB™ host sees it. That's the point of this section of our PSB™ code tutorials, to explain how the code works to PSB™ hosts, not users or administrators.
In the logout script below, we check the $U variable POSTed to this script from a form's hidden field found in all the pages on the site except this logout page. If it is set, we log the user out with a "thank you" message and unset the $U variable just to be safe, then send the user to the css-resources.com home page. In order to do more on the site, the user would have to log in again. If $U was already unset somehow, we send the user to the login script. Note how we were able to use a PHP variable in the middle of a JavaScript alert box.
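<html><head><title>Logout</title></head><body>
<?php
// The username arrives from a hidden form field, so treat it as untrusted input.
// Reading it through isset() also avoids an undefined-index warning when it is missing.
$U = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : null;
if (isset($U)) { ?>
<script>
// json_encode() with the JSON_HEX_* flags emits a safely quoted JavaScript string,
// so quotes or </script> in the POSTed value cannot break out of the alert text.
alert('Thank you for visiting, ' + <?= json_encode($U, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>);
window.location = "../index.html";
</script>
<?php
unset($U);
} else {
echo '<script>alert("Please login.");window.location = "login.php";</script>';
}
?>
</body></html>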