I have a form that includes SS numbers. I have done all the security/injections,spamming and validation stuff as it is not included in the question.
basically I want to destroy session data after the form emails both the user and the agent. and wipe the server clean afterward.
Do i do this like this on the final page of the form?
notes:
page 1 user will input all the data.
page 2 uses session to input the data into a conformation page that the user hits the submit button and the mailer mails the info and takes them to page 3 the success page
Technically once the data gets to page 2 I don't need the session anymore
<form id="form_958713" class="appnitro" method="post" action="mailer.php
<?php
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
">
or do i do it on the mailer itself?
snippet:
// gives success or error
if(!$mail->Send()) {
echo 'Message could not be sent.';
exit;
}
echo '
<meta http-equiv="refresh" content="0;url=http://www.website.com/GetaQuoteSuccess.php">
';
// Initialize the session.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
what is the best method/place to put the code to wipe the session?
Destroying the session is a very bad idea. In this site these 2 pages may be the only place you use $_SESSION but normally it is used for many things.
Instead try this concept :-
Form1.php ( the form that captures data from the user )
just posts data to form2.php
Form2.php
<?php
$session_start()
// validate $_POST of course, and once valid
$_SESSION['post_data'] = $_POST
// other code
header('Location: form3.php');
exit;
?>
Form3.php
<?php
session_start();
// use $_SESSION['post_data']['field1'] etc however you want
. . .
// at end of script if you no longer want this data
unset($_SESSION['post_data']);
// the post-data array will no longer exists in $_SESSION
// **But other data in $_SESSION is still there**
Oh but dont use unset($_SESSION); there be dragons
If you really need to destroy the whole session then do it at the end of the main script
Related
Can Not Delete Session And Cookie
I am new to PHP sessions.
I have used cookies plenty in the past.
I can't seem to get rid of this cookie - no matter what I do!
I seem to be able to clear the session - but the cookie remains.
I have tried all of these: .. and MORE:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
?>
above from: http://php.net/manual/en/function.session-destroy.php
<script>
var cookies = document.cookie.split(";");
for (var i = 0; i < cookies.length; i++)
eraseCookie(cookies[i].split("=")[0]);
</script>
What would be some of the reasons why the cookies does not delete?
This is because of the working of a session in php. What happens is when you start a session a unique string is generated which acts as the cookie value for the session . All the data that you are storing inside the session are stored in a file corresponding to the unique string. Now when you destroy a session it does not destroy the session string but rather than that it destroys the values corresponding to that string that is stored on the server.
So even though the cookies are there but there is no data corresponding to it and hence for the next request the session would effectively be empty.
I have this code for Login where I am storing following in the session variables:
if($do == "login") {
session_start();
$_SESSION["valid"] = true;
$_SESSION["studentUniqueId"] = $user_row['studentUniqueId'];
$_SESSION["loginName"] = $loginName;
$_SESSION["timeout"] = $now;
}
Session file looks likethis:
valid|b:1;studentUniqueId|s:5:"10001";loginName|s:13:"abc#gmail.com";timeout|s:19:"2015-07-01 18:26:32";
Also the code for logout where I am destroying the user session:
if($do == "logout") {
session_start();
$_SESSION = array();
session_unset();
session_destroy();
}
After logout the session files contains:
valid|b:0;
Even I have used session_destroy(), after logout the session file exist with valid|b:0; on my servers Temp directory and the size of the temp directory increases considerably.
I want to get rid of these files after session_destroy()/logout which is not the way now.
Is any way I am going wrong with the code.
Edit 2 :(erasing complete session data, you can use the below code)
ini_set('session.gc_max_lifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
Edit 1 (original) : Try this from PHP MANUAL
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Use this too
ini_set('session.gc_max_lifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
// Finally, destroy the session.
session_destroy();
?>
This question already has answers here:
How can I set a cookie and then redirect in PHP?
(6 answers)
Closed 9 years ago.
There are a lot of posts about that issue, nevertheless I'm unable to fix it. I try to delete a cookie in order to logoff the user in PHP and do a redirect afterwards:
$currentCookieParams = session_get_cookie_params();
session_set_cookie_params($currentCookieParams['lifetime'], '/', $currentCookieParams['domain'], $currentCookieParams['secure'], true);
session_name("PHPAUTH");
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies"))
{
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}
session_destroy();
header("Location: http://localhost/Home/Index");
exit;
But the cookie is still there. When I disable the redirect, the cookie is deleted successfully. But with the redirect, the cookie isn't deleted anyway.
How can I ensure that the cookie is deleted with the redirect afterwards?
EDIT:
It seems my own code recreated the cookie in the next request. I want to check whether the user is still logged on and if not redirect to the login page:
$currentCookieParams = session_get_cookie_params();
session_set_cookie_params($currentCookieParams['lifetime'], '/', $currentCookieParams['domain'], $currentCookieParams['secure'], true);
session_name("PHPAUTH");
session_start();
if (!array_key_exists('angemeldet', $_SESSION) || !$_SESSION['angemeldet'])
{
header("Location: http://localhost/Account/LogOn");
exit;
}
How can I check this without recreating the cookie? Maybe a stupid question, but I'm quite confused at the moment...
I think a header() function must be above any other kind of function. If I'm right and you still want your programming format like that, you could try if this code would work:
if (ini_get("session.use_cookies"))
{
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}
session_destroy();
echo '<meta http-equiv="REFRESH" content="0;url=http://localhost/Home/Index">';
exit;
But of course, only if you like to do it so. I'm just giving you an example, and I'm not sure if combining <meta http-equiv="REFRESH" content="0;url=http://localhost/Home/Index"> with your syntax, would work.
I do the following to set my session, this works because the echo appears. but when I go to the next page or another the session is not there? what am I doing wrong?
$session_start();
if ($username==$dbusername&&$password==$dbpassword)
{
echo"<b>Login Successful</b><br><a href='systemadmin.html'><br>Click here to access the <strong>System Admin Page</strong></a>";
$_session['username']=$dbusername;
if($username == "admin")
{
$_session['admin'] = true;
}
I am trying to get the following to work with these sessions:
<?php
session_start();
if($_session['admin'] == true)
{
// do nothing
}else{
header( 'Location: home.html' ) ;
}
?>
Update:
the uppercase sessions work but now the sessions arent destroying when i use the logout.php
<?php
session_start();
session_destroy();
header("location: home.html");
?>
$_session should be => $_SESSION.
http://php.net/manual/en/reserved.variables.session.php
The first works because you are setting a 'normal' variable (which is available for the request).
UPDATE
To destroy the session:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
http://php.net/manual/en/function.session-destroy.php#example-4368
Additionaly you should always use exit(); after you do a redirect to prevent further execution of the script.
PHP Server/Session/Global variables are case sensitive. To PHP, $_SESSION is NOT the same variable as $_session, even though to you in English, they seem to be. You must use $_SESSION, not $_session in order to access the PHP Session variables as you are expecting.
You have to use exit(); after the header(); because the script doesn't always end right after the user redirects to a new page.
The name of the superglobal is $_SESSION in uppercase letters. Try changing that and see if it helps.
In case somebody knows, how can I make a hyperlink in PHP...
<?php
echo( 'Log-out' );
?>
that would not only to navigate to the first page, but also remove cookies?
Thanks!
You can make another page which clears all the cookies (i.e. sets them to expire in the past) and then redirects to index.php:
// page: clear.php
<?php
session_start();
$_SESSION = array();
session_destroy();
setcookie('cookie1', '', strtotime('-2 days'));
setcookie('cookie2', '', strtotime('-2 days'));
// etc.
header('Location: index.php');
exit();
I usually use the method prescribed by the manual:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
The only thing that remains is header('Location: index.php');
Submit a parameter in your link like index.php?logout=true, check for that parameter in your index.php and if set, delete cookies:
http://php.net/manual/de/function.setcookie.php
If you set the "lifetime" (expire) of a cookie to something in the past (or leave it out completely), it will be removed on the next pageload (do a Google search for "php delete cookie" to find help). Force a page reload, if needed.
You may also want to destroy the user's session.
Here's your HTML link
Log-out
And your PHP to handle to logging out
if(isset($_GET['logout'])) {
// clear the session variable, display logged out message
}
Use link like that:
<?php
echo( 'Log-out' );
?>
And index.php is:
<?php
$link = $_GET["link"];
if($link == "logout")
{
session_destroy();
}
?>
In the navigation menu:
Log out
In logout.php:
<?php
// kill the session
header('Location: index.php');
exit();
For killing the session, see the example at session_destroy() in the PHP manual.
Logout Link:
Log Out
logout.php
<?php
session_start();
session_destroy();
?>