Destroy the Session File after logout - php

I have this code for Login where I am storing following in the session variables:
if($do == "login") {
session_start();
$_SESSION["valid"] = true;
$_SESSION["studentUniqueId"] = $user_row['studentUniqueId'];
$_SESSION["loginName"] = $loginName;
$_SESSION["timeout"] = $now;
}
Session file looks like this:
valid|b:1;studentUniqueId|s:5:"10001";loginName|s:13:"abc#gmail.com";timeout|s:19:"2015-07-01 18:26:32";
Also the code for logout where I am destroying the user session:
if($do == "logout") {
session_start();
$_SESSION = array();
session_unset();
session_destroy();
}
After logout the session files contains:
valid|b:0;
Even though I have used session_destroy(), after logout the session file still exists with valid|b:0; in my server's Temp directory, and the size of the temp directory increases considerably.
I want to get rid of these files after session_destroy()/logout, which is not happening now.
Am I going wrong anywhere in the code?

Edit 2 :(erasing complete session data, you can use the below code)
ini_set('session.gc_maxlifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
Edit 1 (original) : Try this from PHP MANUAL
<?php
// Use this too. Session ini settings must be changed before session_start().
ini_set('session.gc_maxlifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
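Added example (not code from the question or the answer): a CLI script that follows one session file through login, logout and a later request, using the files save handler. The temporary directory and all values are constructed, and step 3 is an assumption about one way a `valid|b:0;` file can reappear: a request that still presents the old ID and writes to $_SESSION recreates the file.

```php
<?php
// Added example: run with `php session_file_demo.php`. All values are constructed.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');     // no browser here; the ID is passed by hand
ini_set('session.cache_limiter', '');    // no cache headers needed on the CLI
ini_set('session.use_strict_mode', '0'); // PHP default: unknown IDs are accepted

// The files handler stores each session as <save_path>/sess_<id>.
function session_file(string $dir, string $id): string
{
    return $dir . '/sess_' . $id;
}

$report = [];

// 1. Login request: data reaches disk when the session is closed.
session_start();
$id = session_id();
$_SESSION['valid'] = true;
$_SESSION['studentUniqueId'] = '10001';
session_write_close();
$report['after login'] = file_get_contents(session_file($dir, $id));

// 2. Logout request: session_destroy() removes the file itself.
session_id($id);
session_start();
$_SESSION = [];
session_destroy();
clearstatcache();
$report['file exists after logout'] = var_export(file_exists(session_file($dir, $id)), true);

// 3. Assumed follow-up request that still presents the old ID and touches $_SESSION.
session_id($id);
session_start();
$_SESSION['valid'] = false;
session_write_close();
$report['after follow-up request'] = file_get_contents(session_file($dir, $id));

unlink(session_file($dir, $id));
rmdir($dir);
foreach ($report as $step => $value) {
    echo $step, ': ', $value, PHP_EOL;
}
```

With session.use_strict_mode set to 1, PHP does not accept an uninitialized session ID sent by the browser and issues a new one instead.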

Related

PHP simple session-timeout

I have a project for university in which we should develop a static website with free session.
I need a simple php timeout code.
Is it correct to use this? Code:
<?php
if ($_SESSION['timeout'] + $minutes * 60 < time()) {
// session timed out
} else {
// session ok
}
?>
$_SESSION['timeout'] was set to time();
It depends on your website logic. Try to use this if you want.
<?php
session_start();
$t = time();
$diff = 0;
$new = false;
if (isset($_SESSION['time'])) {
    $t0 = $_SESSION['time'];
    $diff = ($t - $t0); // inactivity period
} else {
    $new = true;
}
if ($new || ($diff > 10)) { // new or with inactivity period too long
    //session_unset(); // Deprecated
    $_SESSION = array();
    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (ini_get("session.use_cookies")) { // PHP using cookies to handle session
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600*24, $params["path"],
            $params["domain"], $params["secure"], $params["httponly"]);
    }
    session_destroy(); // destroy session
    // redirect client to login page
    header('HTTP/1.1 307 temporary redirect');
    header('Location: login.php?msg=SessionTimeOut');
    exit; // IMPORTANT to avoid further output from the script
} else {
    $_SESSION['time'] = time(); /* update time */
    echo '<html><body>Tempo ultimo accesso aggiornato: ' . $_SESSION['time'] . '</body></html>';
}
?>
But I suggest using session_regenerate_id() instead of session_destroy()
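Added example (not code from either post): an inactivity timeout combined with an absolute lifetime, rotating the session ID with session_regenerate_id() when either limit is hit. The limits and the 'created' / 'last_seen' keys are assumptions, and the login handler is assumed to set both keys.

```php
<?php
// Added example. The limits and the 'created' / 'last_seen' keys are assumptions.
const IDLE_LIMIT = 15 * 60;       // seconds allowed between two requests
const ABSOLUTE_LIMIT = 8 * 3600;  // seconds allowed since login, active or not

// Pure decision function, so it can be checked without a running session.
function session_state(array $s, int $now): string
{
    if (!isset($s['created'], $s['last_seen'])) {
        return 'new';
    }
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        return 'idle_timeout';
    }
    if ($now - $s['created'] > ABSOLUTE_LIMIT) {
        return 'absolute_timeout';
    }
    return 'ok';
}

// Call after session_start() on every protected page.
function enforce_timeout(int $now): string
{
    $state = session_state($_SESSION, $now);
    if ($state === 'idle_timeout' || $state === 'absolute_timeout') {
        $_SESSION = [];                // drop the expired user's data
        session_regenerate_id(true);   // new ID; the old session file is deleted
    } elseif ($state === 'ok') {
        $_SESSION['last_seen'] = $now; // only activity extends the idle window
    }
    return $state;
}

// Constructed cases: login at t=0, then requests at different times.
if (PHP_SAPI === 'cli') {
    $login = ['created' => 0, 'last_seen' => 0];
    foreach ([600, 901, 30000] as $now) {
        echo $now, ' => ', session_state($login, $now), PHP_EOL;
    }
    $active = ['created' => 0, 'last_seen' => 28700];
    echo '28900 => ', session_state($active, 28900), PHP_EOL;
}
```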

Can Not Delete Session And Cookie

I am new to PHP sessions.
I have used cookies plenty in the past.
I can't seem to get rid of this cookie - no matter what I do!
I seem to be able to clear the session - but the cookie remains.
I have tried all of these: .. and MORE:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
if (isset($_SERVER['HTTP_COOKIE'])) {
    $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
    foreach ($cookies as $cookie) {
        $parts = explode('=', $cookie);
        $name = trim($parts[0]);
        setcookie($name, '', time()-1000);
        setcookie($name, '', time()-1000, '/');
    }
}
?>
above from: http://php.net/manual/en/function.session-destroy.php
<script>
var cookies = document.cookie.split(";");
for (var i = 0; i < cookies.length; i++)
eraseCookie(cookies[i].split("=")[0]);
</script>
What would be some of the reasons why the cookie does not delete?
This is because of how a session works in PHP. When you start a session, a unique string is generated which acts as the cookie value for the session. All the data that you store inside the session is stored in a file corresponding to the unique string. When you destroy a session, it does not destroy the session string; rather, it destroys the values corresponding to that string that are stored on the server.
So even though the cookie is still there, there is no data corresponding to it, and hence for the next request the session would effectively be empty.
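Added example (not code from the question or the answer): a logout helper that reports why the session cookie could not be expired. logout_with_diagnosis() is a hypothetical name and login.php an assumed redirect target; the array form of setcookie() requires PHP 7.3 or later.

```php
<?php
// Added example. logout_with_diagnosis() is a hypothetical helper name.
function logout_with_diagnosis(): array
{
    // Set-Cookie is a response header: once any output has been sent it is too late.
    if (headers_sent($file, $line)) {
        return [false, "output already started at $file:$line"];
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $cookieExpired = true;
    if (ini_get('session.use_cookies')) {
        // Browsers drop a cookie only if name, path and domain match the original,
        // so reuse the parameters the session cookie was issued with.
        $p = session_get_cookie_params();
        $options = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $options['samesite'] = $p['samesite'];
        }
        $cookieExpired = setcookie(session_name(), '', $options); // PHP 7.3+ signature
    }
    $_SESSION = [];
    session_destroy();
    return [$cookieExpired, $cookieExpired
        ? 'cookie expired and session destroyed'
        : 'session destroyed, cookie header not sent'];
}

[$ok, $detail] = logout_with_diagnosis();
if ($ok) {
    header('Location: login.php'); // login.php is an assumed target
    exit;
}
error_log('logout: ' . $detail);
```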

when to destroy session data on form

I have a form that includes SS numbers. I have done all the security/injections, spamming and validation stuff, as it is not included in the question.
Basically, I want to destroy session data after the form emails both the user and the agent, and wipe the server clean afterward.
Do I do this like this on the final page of the form?
Notes:
Page 1: the user will input all the data.
Page 2 uses the session to input the data into a confirmation page where the user hits the submit button; the mailer mails the info and takes them to page 3, the success page.
Technically, once the data gets to page 2 I don't need the session anymore.
<form id="form_958713" class="appnitro" method="post" action="mailer.php
<?php
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
">
Or do I do it on the mailer itself?
snippet:
// gives success or error
if(!$mail->Send()) {
echo 'Message could not be sent.';
exit;
}
echo '
<meta http-equiv="refresh" content="0;url=http://www.website.com/GetaQuoteSuccess.php">
';
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
What is the best method/place to put the code to wipe the session?
Destroying the session is a very bad idea. In this site these 2 pages may be the only place you use $_SESSION but normally it is used for many things.
Instead try this concept :-
Form1.php ( the form that captures data from the user )
just posts data to form2.php
Form2.php
<?php
session_start();
// validate $_POST of course, and once valid
$_SESSION['post_data'] = $_POST;
// other code
header('Location: form3.php');
exit;
?>
Form3.php
<?php
session_start();
// use $_SESSION['post_data']['field1'] etc however you want
// . . .
// at end of script if you no longer want this data
unset($_SESSION['post_data']);
// the post-data array will no longer exist in $_SESSION
// **But other data in $_SESSION is still there**
?>
Oh, but don't use unset($_SESSION); there be dragons
If you really need to destroy the whole session then do it at the end of the main script

Php sessions being lost

I do the following to set my session; this works because the echo appears. But when I go to the next page or another, the session is not there. What am I doing wrong?
$session_start();
if ($username==$dbusername&&$password==$dbpassword)
{
echo"<b>Login Successful</b><br><a href='systemadmin.html'><br>Click here to access the <strong>System Admin Page</strong></a>";
$_session['username']=$dbusername;
if($username == "admin")
{
$_session['admin'] = true;
}
I am trying to get the following to work with these sessions:
<?php
session_start();
if($_session['admin'] == true)
{
// do nothing
}else{
header( 'Location: home.html' ) ;
}
?>
Update:
The uppercase sessions work, but now the sessions aren't destroying when I use the logout.php
<?php
session_start();
session_destroy();
header("location: home.html");
?>
$_session should be => $_SESSION.
http://php.net/manual/en/reserved.variables.session.php
The first works because you are setting a 'normal' variable (which is available for the request).
UPDATE
To destroy the session:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
http://php.net/manual/en/function.session-destroy.php#example-4368
Additionally, you should always use exit(); after you do a redirect to prevent further execution of the script.
PHP Server/Session/Global variables are case sensitive. To PHP, $_SESSION is NOT the same variable as $_session, even though to you in English, they seem to be. You must use $_SESSION, not $_session in order to access the PHP Session variables as you are expecting.
You have to use exit(); after the header(); because the script doesn't always end right after the user redirects to a new page.
The name of the superglobal is $_SESSION in uppercase letters. Try changing that and see if it helps.

phpBB logout

I am able to log in with an integrated login system for my site and phpBB3. I am unable to log out... I tried destroying the session, or used ->logout();
I log in as:
$phpBBusername = $_SESSION['username'];
$phpBBpassword = $_SESSION['pswd'];
$result = $auth->login($phpBBusername, $phpBBpassword);
Maybe you've already found the answer but anyway:
<?php
define('IN_PHPBB', true);
$phpbb_root_path = '../phpBB3/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include("../phpBB3/common.php");
$user->session_kill();
echo 'Logged out successfully!';
?>
Why not call the PHPBB log out routine and pass your session ID. ie: forums.yourphpbbforum.com/ucp.php?mode=logout&sid=d8588ab20cf81e7234342523
public function myphpbb_logout()
{
    define('IN_PHPBB', true);
    global $phpEx, $user, $db, $config, $cache, $template;
    $phpEx = 'php';
    $phpbb_root_path = './forum/';
    require_once($phpbb_root_path . 'common.php');
    set_include_path(get_include_path() . PATH_SEPARATOR . $phpbb_root_path);
    // log out the user
    $user->session_kill();
    $user->session_begin();
    $user->session_kill();
}
Note you need to kill the session TWICE :)
Observe the following code for effecting a full clearing down of the PHP session and associated cookie information:
<?php
// Initialize the session; session_destroy() needs an active session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
This should do what you need.
