I'm trying to unset/delete/expire cookies on a logout page. However, it doesn't seem to be working. My logout script reads as follows:
require_once("database.php"); // contains session_start()
$_SESSION = array();
session_destroy();
// attempts to unset cookies go here (see below)
var_dump($_SERVER['HTTP_COOKIE']);
header("Location: ./login.php");
exit();
My three attempts to remove a specific cookie login (or all of them), are as follows:
Attempt 1:
setcookie("login", "", time() -3600, "/");
Attempt 2:
$cookies = explode(";", $_SERVER['HTTP_COOKIE']);
foreach ($cookies as $cookie) {
$parts = explode("=", $cookie);
$name = trim($parts[0]);
setcookie($name, "", time() -3600);
setcookie($name, "", time() -3600, "/");
}
Attempt 3:
unset($_COOKIE);
However my var_dump() still contains the cookies!
Also, the page you're then redirected to, login.php contains the following code:
if (isset($_COOKIE['login'])) {
echo "Still set."
}
and low-and-behold, the page displays Still set.
First of all remove all cookies from any available Cookie tools or your browser's developer tool.
Always write COOKIES as '/' with respect to entire domain of site. Path play an important role when we set/unset cookies. Use
setcookie($cookie_name, "$cookie_value", time() +3600, "/") to set and setcookie($cookie_name, "$cookie_value", time() -360000, "/") to unset COOKIES.
Further read here for about COOKIES path: http://www.w3schools.com/php/func_http_setcookie.asp
Hope it helps you
Related
I am maintaining the code for an eCommerce website, they use a highly modified version of osCommerce v2.2 RC2. Was noticing an issue where the session isn't started for a new user until they visit the 2nd page of the site.
Looking at the code, before starting the session, it tries to set a cookie. If it detects the cookie it starts the session. Something along this line:
setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);
if (isset($_COOKIE['cookie_test'])) {
session_start();
...
I found an article here that talks about a situation like this, it states:
The first time you only tell the browser to set the cookie, at the time, there is no cookie data in the request header (which could get from $_COOKIE).
Which explains why it takes two page loads for the session to be started. One to set the cookie and one to get notification from the browser that the cookie is set.
My question is, is there anyway around having to go through two page loads to detect the cookie was successfully set on the users browser?
I found this question that didn't really answer my question completely. The highest voted solution was:
setcookie('uname', $uname, time()+60*30);
$_COOKIE['uname'] = $uname;
Which may make it "work" but it doesn't truely tell me that the script was able to set a cookie successfully.
I also found this question, that suggested accessing the headers_list to find the cookie information like so:
function getcookie($name) {
$cookies = [];
$headers = headers_list();
// see http://tools.ietf.org/html/rfc6265#section-4.1.1
foreach($headers as $header) {
if (strpos($header, 'Set-Cookie: ') === 0) {
$value = str_replace('&', urlencode('&'), substr($header, 12));
parse_str(current(explode(';', $value, 1)), $pair);
$cookies = array_merge_recursive($cookies, $pair);
}
}
return $cookies[$name];
}
// [...]
setcookie('uname', $uname, time() + 60 * 30);
echo "Cookie value: " . getcookie('uname');
Which, again, doesn't seem to be verifying that the cookie was set successfully. All this appears to do is search the headers being sent to the browser for the cookie value.
The only solution I can think of is to redirect on the first visit after setting the cookie. Is there any other way?
Here is the answer:
<?php
function set_cookie($name, $value) {
if (!isset($_COOKIE[$name]) || ($_COOKIE[$name] != $value)) {
$_COOKIE[$name] = $value;
}
setcookie($name, $value, strtotime('+1 week'), '/');
}
// Usage:
set_cookie('username', 'ABC'); //Modify the value to see the change
echo $_COOKIE['username'];
Can Not Delete Session And Cookie
I am new to PHP sessions.
I have used cookies plenty in the past.
I can't seem to get rid of this cookie - no matter what I do!
I seem to be able to clear the session - but the cookie remains.
I have tried all of these: .. and MORE:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
?>
above from: http://php.net/manual/en/function.session-destroy.php
<script>
var cookies = document.cookie.split(";");
for (var i = 0; i < cookies.length; i++)
eraseCookie(cookies[i].split("=")[0]);
</script>
What would be some of the reasons why the cookies does not delete?
This is because of the working of a session in php. What happens is when you start a session a unique string is generated which acts as the cookie value for the session . All the data that you are storing inside the session are stored in a file corresponding to the unique string. Now when you destroy a session it does not destroy the session string but rather than that it destroys the values corresponding to that string that is stored on the server.
So even though the cookies are there but there is no data corresponding to it and hence for the next request the session would effectively be empty.
I have this code that setted when login check is fine:
if((isset($_POST["remember_me"]))&&($_POST["remember_me"]==1))
{
setcookie('email', $username, time()+3600);
setcookie('pass', $pass, time()+3600);
}
Now, when I click on logout link (logout.php)
i did this:
<?php session_start();
setcookie("email", '', 1, "");
setcookie("pass", '', 1, "");
$_SESSION["login"] = "";
header("location: aforum/enter_furom.php");
?>
I didn't use destroy session because I don't want to destroy all sessions....
now destroying a session is working fine... but when I try to unset cookies, the browsers (all browsers: explorer, chrome, firefox, mozilla) give me an error saying that the new cookies cant be setted...any help to unset the above cookies ?
either use the superglobal _COOKIE variable:
unset($_COOKIE['mycookiename']);
or call setcookie() with only the cookies name
setcookie('mycookiename');
To reset your cookies at logout use:
setcookie('pass');
setcookie('email');
For you login check:
if(
isset($_POST["remember_me"]) &&
$_POST["remember_me"]==1 &&
$_COOKIE['pass'] != NULL &&
$_COOKIE['email'] != NULL &&
)
setcookie('cookiename', '', time()-3600);
unset($_COOKIE['MYCOOKIE']);
//
setcookie('MYCOOKIE', '', -1, '/');
Care for header "Cannot modify header information.." you can also
use html or javascript for redirect
header("Location: /");
//
echo '<meta http-equiv="refresh" content="0;URL=/">';
//
echo '<script>window.location.replace("/");</script>';
I prefer to check with isset and than unset | setcookie
if(isset($_COOKIE['MYCOOKIE'])) { unset($_COOKIE['MYCOOKIE']); }
//
if(isset($_COOKIE['MYCOOKIE'])) { setcookie('MYCOOKIE', '', -1, '/'); }
this seems to work too, but don't use it in my opinion
setcookie('MYCOOKIE', '', -1, '/') ?? '';
!isset($_COOKIE['MYCOOKIE']) ?: setcookie('MYCOOKIE', '', -1, '/');
Check in your browser for the directory where the cookie operates. And unset it by specify the path the cookie have. Like in the example if the cookie directory is /aforum/
setcookie ("email","",time()-1,"/aforum/","http:// yourdomain.com");
Just set the value of cookie to false in order to unset it,
setcookie('cookiename', false);
That's the easiest way to do it.
To unset cookies in PHP, simply set their expiry time to a time in the past. For example:
$expire = time() - 300;
setcookie("email", '', $expire);
setcookie("pass", '', $expire);
try this
setcookie ("email", "", time() - 3600);
setcookie ("pass", "", time() - 3600);
You need to set your expire time to the past, e.g.
setcookie('email', '', time()-3600);
Also you should be using an Absolute URI for your header('Location:' ....).
In Chrome and IE8+ at least, the following will remove the cookie from the browser. It will not be reflected in the $_COOKIE array until the page is reloaded however.
setcookie('cookiename','',0,'/',$cookieDomain)
you may be able to leave off a few parameters here, but the important thing is you are setting an empty string, and that removes the cookie from the browser.
I've got a problem, user can't Log Out because the $_COOKIE's are not actually deleting. I can't find out what could be the problem.
This code is used only once at Log In:
// Log In
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['username'] = $row['username'];
setcookie('user_id', $row['user_id'], time() + 2592000);
setcookie('username', $row['username'], time() + 2592000);
The code below is checking if cookies are set up to make users to be logged in when they relaunch their browser (the "keep me logged in" effect).
// Starting Session
session_start();
// If the session vars aren't set, try to set them with cookies
if (!isset($_SESSION['user_id'])) {
// This check always equals true because cookies are not deleting on Log Out
if (isset($_COOKIE['user_id']) && isset($_COOKIE['username'])) {
$_SESSION['user_id'] = $_COOKIE['user_id'];
$_SESSION['username'] = $_COOKIE['username'];
}
}
This code is launched only once on Log Out:
// Log Out
session_start();
if (isset($_SESSION['user_id'])) {
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time() - 2592000, '/');
}
session_destroy();
}
setcookie('user_id', '', time() - 2592000);
setcookie('username', '', time() - 2592000);
Don't use relative times for cookies. if you want to expire a cookie, then use Jan 1 1970 00:00:00. You're assuming that the user's clock is accurate and within an hour of your server's. Given how many people have their VCRs blinking 12:00, this is a bad assumptiong.
As well, why are you storing login information in a client-side cookie? The only cookie you should really be setting is the session cookie, which session_start() already does for you, then store all that information in $_SESSION only.
I think you're doing it way too complicated.
My example where it's just an admin login:
login.php
#session_start();
if (isset($_GET['login'])) {
if($_GET['name'] == $s['admin']){
if($_GET['pw'] == $s['adminpw']){
$_SESSION['isadmin'] = true;
}
}
}
logout.php
#session_start();
unset ($_SESSION['isadmin']);
use session_set_cookie_params() to set the lifetimes
I found why cookies were not removing!
To make sure your cookies will remove, set the same path on removing cookies as on setting them.
// Setting Cookie
setcookie(session_name(), '', time()-2592000, '/'); // The path here is "/"
// Removing Cookie
setcookie(session_name(), '', time()+2592000, '/'); // The path here is "/"
I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:
You click a link, which sends you to a logout page
The logout page runs a function that calls session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)
The logout page then redirects to a login page, which is straight HTML.
At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.
What am I missing here?
Here's the logout function I mentioned above:
function log_out_current_user() {
// Destroy the session
if (isset($_SESSION)) {
session_destroy();
}
// Expire all of the user's cookies for this domain:
// give them a blank value and set them to expire
// in the past
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
// Explicitly unset this cookie - shouldn't be redundant,
// but it doesn't hurt to try
setcookie('PHPSESSID', '', time()-1000);
}
}
You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:
$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));