I have a script which is meant to finish the current session and start a new one. There is a segment of code I use and it works fine on my development computer. However, when I posted it to the production server, the session id is constantly remaining the same.
The following is my code for restarting the session:
session_start();
$_SESSION = array();
$_POST = array();
$_GET = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(),
'',
time() - 42000,
$params["path"],
$params["domain"],
$params["secure"],
$params["httponly"]
);
}
session_destroy();
session_write_close();
session_start();
session_regenerate_id(true);
On the last line, a new session id is not generated.
Why would this be different between two servers running PHP? And what can I do to correct it?
After some experimenting I solved the problem.
The session_regenerate_id(true) line does not regenerate a new session id if any text has been written into the response. I already had a series of echo statements issuing text for debugging purposes and after I removed them new session ids were created.
session_regenerate_id() updates the current session id with a newly generated one. It does not change session variables.
echo session_id();
session_regenerate_id();
echo session_id();
You should unset session to do that:
unset($_SESSION); // or
$_SESSION = array();
How to start a new session:
session_start();
session_destroy();
session_regenerate_id();
unset($_SESSION);
session_start();
Related
I am new to PHP world. Currently, it's version is 5.
I'm trying to prepare a logout script.
I tried-
session_start();
unset($_SESSION["abc"]);
session_destroy();
But still the session vars are alive. I also tried from php.net
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
Unfortunately, it's not working too.
Any help?
NOTE I already tried that and I mentioned that code in my question. So
it's not a duplicate question.
I have 2 user level, one is for the admin_tbl and the other is for cashier_tbl they have the same database. My problem is whether I log out either cashier or admin the other one is also log out when I refresh the page. I dont know what the problem is, I used different table so but it log out both of them at the same time? kindly help me with this problem, give me some ideas of whats wrong. Thanks!
UPDATE: Thats my logout code for both cashier_tbl and admin_tbl
This is my code for cashier_tbl
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php");
?>
And this is for my admin_tbl
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")){
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
header("Location: index.php");
?>
Your problem on this line :
if (isset($_SESSION['user_id']))
{
header("Location: user_maintenance.php");
}
it's redirect you to user_maintenance.php even if $_SESSION is empty. And on :
if (isset($_SESSION['user_id']))
{
header("Location: order.php");
}
is same to.
These is the others correct way.
I assumed you never set session_unset() or session_destroy() in your logout method.
Delete session_unset() and session_start(); in the first line of your code above, it's not neccessary.
After check the user login method like your code above, in your file order.php and user_maintenance.php, start the session. it would something like this :
<?php
session_start();
// check if the user was login or not
if($_SESSION['login'] == false){
header('Location: user-is-not-login.php');
}
?>
// this area can be access if session is true.
create logout method in location that session was set. something like this :
<?php
session_start();
session_destroy();
session_unset();
header('Location: login.php');
?>
You need to destroy the session before set a new session.
hope these help.
<?php
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
?>
Everytime I press logout, home.php is just refreshed and session is not over.
<?php
if (isset($_GET['Odjava'])) {
unset($_SESSION['korisnik']);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}
session_start();
if (!isset($_SESSION['korisnik'])) {
header("Location: index.php");
} else if(isset($_SESSION['korisnik'])!="") {
header("Location: home.php");
}
?>
Try this as you need to check it is set first otherwise your script will redirect as your if statement is above the session destroy
to me this does the trick:
setcookie(session_name(), session_id(), 1);
$_SESSION = [];
i.e first make the session expire
(after the first second in the year 1970),
then clear the $_SESSION variable.
Your first if block is run first and the session is still set at that time. Reverse the order of your if blocks and you may get a better result.
Better to use the PHP documentation approach:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
In order to delete also the session cookies.
I have an index.php which contains my login form and using a session to login. How do I destroy the session everytime a user access the index.php for security?
All you have to do is this:
session_unset();
or:
session_destroy();
depending on your requirement.
References:
http://php.net/manual/en/function.session-destroy.php
http://php.net/manual/en/function.session-unset.php
try this:
<?php unset($_SESSION['whatever']); ?>
Will remove the session.
// Completely remove session and associated data:
<?php
// open the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// delete the session cookie.
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_unset();
// Finally, destroy the session.
session_destroy();
?>
I'm testing the implementation of a security check in my PHP sessions. I can successfuly detect whether the session was started from another IP address and I can successfully start a new session. However, the data from the old session gets copied into the new one! How can I start a blank session while preserving the previous session data for its legitimate owner?
This is my code so far, after lots of failed attempts:
<?php
// Security check
if( isset($_SESSION['ip_address']) && $_SERVER['REMOTE_ADDR']!=$_SESSION['ip_address'] ){
// Check failed: we'll start a brand new session
session_regenerate_id(FALSE);
$tmp = session_id();
session_write_close();
unset($_SESSION);
session_id($tmp);
session_start();
}
// First time here
if( !isset($_SESSION['ip_address']) ){
$_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['start_date'] = new DateTime;
}
The official documentation about sessions is terribly confusing :(
Update: I'm posting some findings I got through trial and error. They seem to work:
<?php
// Load the session that we will eventually discard
session_start();
// We can only generate a new ID from an open session
session_regenerate_id();
// We store the ID because it gets lost when closing the session
$tmp = session_id();
// Close session (doesn't destroy data: $_SESSION and file remains)
session_destroy();
// Set new ID for the next session
session_id($tmp);
unset($tmp);
// Start session (uses new ID, removes values from $_SESSION and loads the new ones if applicable)
session_start();
Just call session_unset after session_regenerate_id to reset $_SESSION for the current session:
if (isset($_SESSION['ip_address']) && $_SERVER['REMOTE_ADDR']!=$_SESSION['ip_address']) {
// Check failed: we'll start a brand new session
session_regenerate_id(FALSE);
session_unset();
}
when a new user connects to your server, the script should only be able to access that user's session variables. you will want to store other info in a hashed session variable to verify that the session is not being jacked. if it is being jacked, no reason to start a new session, maybe just exit the script with a warning.
here is the function a lot of people use for fingerprinting a session:
function fingerprint() {
$fingerprint = $server_secure_word;
$fingerprint .= $_SERVER['HTTP_USER_AGENT'];
$blocks = explode('.', $_SERVER['REMOTE_ADDR']);
for ($i=0; $i<$ip_blocks; $i++) {
$fingerprint .= $blocks[$i] . '.';
}
return md5($fingerprint);
}
Use this
unset($_SESSION['ip_address'])
instead of 'unset($_session)'
You can also use session_destroy.
session_destroy will destroy session data. For example,
session_start();
$_SESSION["test"] = "test";
session_write_close();
session_start();
// now session is write to the session file
// call session_destroy() will destroy all session data in the file.
session_destroy();
// However the you can still access to $_SESSION here
print_r($_SESSION);
// But once you start the session again
session_start();
// all session data is gone as the session file is now empty
print_r($_SESSION);
will output
array([test] => "test")array()