
Login Web Page Automatic Logout

I am creating a login page for covering important stuff for only the admin. Here is my current successful code.

<?php
$username = "adminuser";
$password = "adminpass";
$randomword = "helloworld";

if (isset($_COOKIE['MyLoginPage'])) {
   if ($_COOKIE['MyLoginPage'] == md5($password.$randomword)) {

?>
<?php
$dbhost = 'localhost';
$dbuser = 'user';
$dbpass = 'pass';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');

$dbname = 'jrmathem_service';
mysql_select_db($dbname);

$query = "SELECT * FROM interact";
$result = mysql_query($query) 
or die(mysql_error()); 
print " 

<h3>Interact Event Sign-Up Results</h3>

<table border="5" cellpadding="5" cellspacing="0" style="border-collapse: collapse" bordercolor="#808080" width="100%" id="AutoNumber2" bgcolor="#C0C0C0"><tr> 
<td width=100>Name</td> 
<td width=100>Grade</td>
<td width=100>Contact</td> 
<td width=100>A</td> 
<td width=100>B</td> 
<td width=100>C</td>
<td width=100>D</td> 
<td width=100>E</td>

</tr>"; 

while($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
{ 
print "<tr>"; 
print "<td>" . $row['name'] . "</td>"; 
print "<td>" . $row['grade'] . "</td>";
print "<td>" . $row['contact'] . "</td>"; 
print "<td>" . $row['A'] . "</td>"; 
print "<td>" . $row['B'] . "</td>";
print "<td>" . $row['C'] . "</td>"; 
print "<td>" . $row['D'] . "</td>";
print "<td>" . $row['E'] . "</td>";

print "</tr>"; 
} 
print "</table>"; 
?>
<?php
      exit;
   } else {
      echo "<p>Bad cookie. Please clear them out and try to login again.</p>";
      exit;
   }
}

if (isset($_GET['p']) && $_GET['p'] == "login") {
   if ($_POST['name'] != $username) {
      echo "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
      exit;
   } else if ($_POST['pass'] != $password) {
      echo "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
      exit;
   } else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
      setcookie('MyLoginPage', md5($_POST['pass'].$randomword));
      header("Location: $_SERVER[PHP_SELF]");
   } else {
      echo "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
   }
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post"><fieldset>
<label><input type="text" name="name" id="name" /> Name</label><br />
<label><input type="password" name="pass" id="pass" /> Password</label><br />
<input type="submit" id="submit" value="Login" />
</fieldset></form>

The problem that I am having with this code is that after I log in and exit out of the window, it is logged in forever on my computer, no matter if I open up the exact same link for the login page. So, my question is:

What and where can I specifically add into my code to make it so when you exit out of the window or tab, it automatically logs you out of the page so that when you log on again, you have to log in again?

Thank you and I hope to get some specific feedback.


Answer

First let me explain the reason why you always stay logged in. This happens because you’re using Cookies. If the login is successful, you’re setting up a Cookie with this line of code:

setcookie('MyLoginPage', md5($_POST['pass'].$randomword));

Because you didn’t set a timeout on this Cookie, it’ll remain on the user’s computer until they decide to clear their Cookies manually. It doesn’t matter if they close their browser and reopen it again. The Cookie will still be there and therefore log the user back in.

So how do you solve this problem?
There are 2 ways to solve this problem. The first one would be to set a timeout on your Cookie. This has some advantages, but some disadvantages as well. By giving your Cookie a timeout, it’ll become invalid after the time has passed. So if you give the Cookie a timeout of 1 hour, the user can close and reopen the website as many times as they want for the next hour. After that, they’re forced to login again. This can be more user friendly, but it could also cause some problems, like the user being forced to login again while they were working on the Admin panel for more than 1 hour.

You could however overcome that issue by resetting the timeout to 1 hour every time they do something actively on the Admin panel. Anyway, here’s how you set a timeout on a Cookie:

setcookie('MyLoginPage', md5($_POST['pass'].$randomword), time()+3600);

time() would be the current time; + 3600 seconds means the Cookie becomes invalid 3600 seconds from now.

What I think would be a better solution to your problem would be to use SESSIONS instead of Cookies. A Session will always remain active for as long as the user browses around your website. As soon as they leave, or close the browser, the Session is gone and they have no choice but to log back in when they visit again.

So let’s replace your current setcookie with a session:

$_SESSION['MyLoginPage'] = md5($_POST['pass'].$randomword);

Now before we start using this Session, we’re going to have to make sure this Session will stay alive. So on every page where the user must be logged in, you want to do the following on top of your script, like this:

<?php
session_start();

If you don’t do this, the user’s Session will be destroyed immediately and they’ll be forced to login again. Now that we’ve made our preparations to use Sessions, we’ll just have to change one last part of your code:

if (isset($_COOKIE['MyLoginPage'])) {
    if ($_COOKIE['MyLoginPage'] == md5($password.$randomword)) {

Instead we’re going to use:

if (isset($_SESSION['MyLoginPage']) && $_SESSION['MyLoginPage'] == md5($password.$randomword)) {

So now instead of checking if the Cookie exists, we’ll check if the Session exists and if it has the correct value.

Another advantage of using Sessions instead of Cookies is that you don’t require the user’s permission to write them out. In European countries it’s required to have permission from the user to write a Cookie by law. Sessions are however stored on the server instead of the user’s computer, and therefore don’t require permission.

Last note
I’ve noticed you’re using mysql_*. This is officially deprecated code. I strongly recommend having a look at MySQLi or PDO and learn to use Prepared Statements. This will protect you from most SQL injection and your MySQL server from users entering characters that can cause issues to it.

Also md5 is a very insecure way of “encrypting” your passwords. This is because md5 is not a form of encryption at all, but a hash. Look around the internet for better forms of encryption, like PHP Crypt and Blowfish.

User contributions licensed under: CC BY-SA
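
The session approach from the answer above, as an added PHP example that is not part of the original question or answer: it keeps a login flag in the session instead of a password-derived value, verifies the password with password_hash()/password_verify(), and applies the sliding one-hour idle timeout the answer mentions. The function names, the IDLE_LIMIT constant and the sample credentials are assumptions made for illustration, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original post; names and sample credentials are hypothetical.
const IDLE_LIMIT = 3600; // allowed inactivity in seconds (the 1 hour used in the answer)

// Constructed sample credential. In practice, generate the hash once and store only
// the hash; PASSWORD_DEFAULT currently selects bcrypt.
$adminUser = 'adminuser';
$adminHash = password_hash('adminpass', PASSWORD_DEFAULT);

function start_admin_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // no expiry date: the cookie ends with the browser session
        'secure'   => true,     // assumes the page is served over HTTPS
        'httponly' => true,     // keep the session ID away from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

function attempt_login($user, $pass, string $adminUser, string $adminHash): bool {
    if (!is_string($user) || !is_string($pass)) return false; // reject array-valued fields
    $userOk = hash_equals($adminUser, $user);
    $passOk = password_verify($pass, $adminHash);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);     // fresh session ID once the user is authenticated
    $_SESSION['admin'] = true;       // a flag, not a value derived from the password
    $_SESSION['last_seen'] = time();
    return true;
}

function require_login(): bool {
    $lastSeen = $_SESSION['last_seen'] ?? 0;
    if (empty($_SESSION['admin']) || time() - $lastSeen > IDLE_LIMIT) {
        $_SESSION = [];              // idle too long or never logged in: drop everything
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time(); // sliding timeout: activity resets the clock
    return true;
}

start_admin_session();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    attempt_login($_POST['name'] ?? null, $_POST['pass'] ?? null, $adminUser, $adminHash);
}
if (!require_login()) { exit('Please log in.'); }
echo 'Protected admin content goes here.';
```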