We Keep Coding

session_destroy() is not logging me out

Whenever I run the logout.php script then go back to a page that is protected without login it will have me still logged in
logout.php
<?php
session_start();
session_unset();
session_destroy();
header("Location: ../index.php");
exit();
?>
login.php
$userlogin = user_login($email, $password.$salt);
if ($userlogin==false){
$errors[]='Wrong email/password combination.';
} else {
//set the user session
$_SESSION['UserId']=$userlogin;
$_SESSION['LoginIP']=$_SERVER['REMOTE_ADDR'];
$db->query("UPDATE users SET ipadd='".$_SERVER['REMOTE_ADDR']."' WHERE user_id=".$_SESSION['UserId']."");
echo '<meta http-equiv="refresh" content="0; URL=index.php">';
Check logged in snippet
/* Check if user is logged in or not */
function loggedin(){
return (isset($_SESSION['UserId'])) ? true : false;
}
if (loggedin()==true){
$session_user_id = $_SESSION['UserId'];
$user_data = user_data($session_user_id,'full_name','username');
$rezult =$db->query("SELECT ipadd FROM users WHERE user_id=".$_SESSION['UserId']."");
while($rez = $rezult->fetch_assoc()){
if ($rez['ipadd']==$_SERVER['REMOTE_ADDR']) {
} else {
echo '<meta http-equiv="refresh" content="0; URL=logout2.php">';
}
}
}
Been look at posts with the same question but whatever I try still getting the same issue. Any advice would be extremely appreciated!

this is from php.net http://php.net/manual/en/function.session-destroy.php
Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data.
so you just need $_SESSION = null, and logout should happen.

I think in your index.php file should have these line:
if(!isset($_SESSION["session_name"])){
header("Location: somewhere_mainpage.php");
}
It is better to make all pages have these line. These line will send header to another page if no session has started.

I believe that session_start(); function call should be on your login page when the user login data is correct, and in your logout PHP code, you should set
session_destroy(); or unset($_SESSION['UserId'];
Logout.php:
<?php
session_destroy();
/* * OR * */
//unset($_SESSION['UserId'];
header("Location: ../index.php");
exit();
?>

<?php
session_unset();
session_destroy();
header("Location: ../index.php");
?>
should work, otherwise you could unset the values
<?php
unset($_SESSION['UserId']); // Unsets the UserId Variable reuse for each variable
session_destroy();
header("Location: ../index.php");
?>
have you tried just session_destroy() ?
also I'm not sure wether you need session_start() when you are closing the session, from memory you only need it to start the session

I always like to destroy the server session, and client cookie, try to manually cover all options in case of any errors.
You can destroy the cookie in PHP with:
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly );
<?php
$cookie_path = "...";
$cookie_domain = "...";
$cookie_secure = "...";
$cookie_httponly = "...";
session_start();
session_unset();
session_destroy();
setcookie(session_name(), '', time() - 3600, $cookie_path, $cookie_domain,$cookie_secure, $cookie_httponly );
header("Location: ../index.php");
exit();
time() - 3600 makes the cookie expiry before the current time, which makes it invalid.
Another option to investigate is session_regenerate_id() on your logout pages. Some reference pages are below:
php.net - session-regenerate-id
https://stackoverflow.com/a/22965580/1246494

Logout.php doesn't work

<?php
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
?>
Everytime I press logout, home.php is just refreshed and session is not over.

<?php
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
?>
Try this as you need to check it is set first otherwise your script will redirect as your if statement is above the session destroy

to me this does the trick:
setcookie(session_name(), session_id(), 1);
$_SESSION = [];
i.e first make the session expire
(after the first second in the year 1970),
then clear the $_SESSION variable.

Your first if block is run first and the session is still set at that time. Reverse the order of your if blocks and you may get a better result.

Better to use the PHP documentation approach:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
In order to delete also the session cookies.

how to change session id after logout in php?

<?php
$b = session_id();
if(empty($b)) session_start();
$ses= session_id();
echo $ses;
?>
This code is for generating the session id
But when to destroy the session the session id shown is same as the old one.When I delete the cookie then it has changed..how to change the session id?

Changing the session_id() can be done by session_regenerate_id()
<?php
session_start();
$old_sessionid = session_id();
session_regenerate_id();
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";
print_r($_SESSION);
?>
To delete the session use session_destroy();
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
http://php.net/manual/en/function.session-destroy.php

May I suggest
// deletes old session
session_regenerate_id(true);
Link to PHP docs

PHP Session not initializing

I have a session:
session_start();
$_SESSION['auth'] = "true";
and the PHPSESSID cookie is set. However, when I refresh the page $_SESSION['auth'] returns NULL. Additionally, when I call session_destroy(); I receive the error Trying to destroy uninitialized session
How can I keep the session open?
Thanks!

Give this a try.. if this works I'd re examine your code + comment out session_destroy...
page1.php
<?php
session_start();
$_SESSION['auth'] = "true";
$_SESSION['superhero'] = "batman";
?>
Click here
page2.php
<?php
session_start(); // start the session before using it
echo $_SESSION['auth']; // will output 'true'
//print_r($_SESSION); // uncomment for testing
?>

session is not destroying

i created a login page in php and used session in it... after checking the condition i am setting the session as
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
and in the login_succes.php i have the code as
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>
<html>
<body>
<h2><?php session_start(); echo $_SESSION['myusername']; ?>
Welcome to hell</a>
</body>
</html>
and in logout.php the code is
<?
session_start();
session_destroy();
?>
the issue i am facing is on login 2nd time i am getting 1st user name itself in the output.

To destroy a session with one of the following:
$_SESSION = array();
unset($_SESSION);
Instead of session_is_registered, use standard $_SESSION super global. Like:
if(isset($_SESSION['myusername']))...
To register a session variable use:
$_SESSION['myusername'] = $myusername;
Also, PHP version, environment, could help us to find out.