So, i ve been trying to regenerate session ids in my page, if someone logs in or logs out. I run this code:
public static function regenerateSession() {
$_SESSION = array();
session_regenerate_id( true );
return true;
}
in a script called by ajax. i log the session vars in every step, and indeed, the session id changes and the $_SESSION array empties. i then, on the same page i load some new variables to the $_SESSION under the new session id, echo something and then the script ends.
Upon success, the javascript getting the echo of this php script, redirects to another page, where i log the session vars as well. after session_start() on the new page, i get in my logs, that the session, has the indeed the new id after regeneration, the new variables i assigned after the regeneration, but also the session variables of the previous session with their previous values!
i checked my php.ini and my session.cookie_secure is commented out. i uncommented it, i changed it to 0, restarted apache and yet nothing new. Does anyone have any idea about what am i doing wrong?
update 1:
i tried this code as well:
public static function regenerateSession() {
$_SESSION = array();
setcookie(session_name(), '', time() - 42000);
session_regenerate_id( true );
return true;
}
but with the same effect...
update 2
i also tried:
public static function regenerateSession() {
$_SESSION = array();
session_unset();
setcookie(session_name(), '', time() - 42000);
session_regenerate_id( true );
return true;
}
but still nothing
update 3
i also tried:
public static function regenerateSession() {
setcookie(session_name(), '', time() - 42000);
session_destroy();
$_SESSION = array();
session_start();
session_regenerate_id( true );
return true;
}
nothing. the old values are still kept along side the new ones
Taking a guess, the browser sends both sessions cookies and PHP just merges both found sessions together?
The best way would be to set the old session cookie to a zero lifetime such that the client deletes the cookie and does not send it again.
Destroy the session if needed, but you need to do all three things if you want to remove the session completely
Remove cookie setcookie(session_name(), '', time() - 42000);
Destroy session session_destroy();
Empty session vars $_SESSION = array();
Start a new session session_start();
Also take a look at this answer to a similar question: https://stackoverflow.com/a/758825/1234469
Related
!!!! I know this has been asked a zillion times but I tried everything, it just does not work so dont discard the question please
when logging from one user to the other, sessions are not discared at all and former user data are displayed
I have to CTRL+F5 the navigator to have the correct new logged user data
I tried :
problematically I replace everything in the session variable with fresh new data from the new logged user (from DB), but some fields are still remains of the previous user...this makes no sens at all
$_SESSION = array();
unset($_SESSION["end_user_session"]);
$session=$endUser; // from DB !!!!
$session["sessionID"]=session_id();
$_SESSION["end_user_session"] = $session;
on logout , I do this and it should destroy the session values, yet they are still there:
$_SESSION = array();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
$_SESSION = array();
this has driven me nuts for more than 2 years now
we have the issue in wamp, and on our linux preprod/prod
please help, let me know if you need more infos
You have probably tried this (it's in the PHP manual), but just in case:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
I now stores everything in db, not using php sessions anymore
problem solved
I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?
session_start();
if(isset($_SESSION['foo'])) {
unset($_SESSION['foo'];
...
}
session_destroy();
In the most simple of cases, would this sufficient to truly terminate the session between the user and the server?
To destroy a session you should take the following steps:
delete the session data
invalidate the session ID
To do this, I’d use this:
session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIE[session_name()])) {
$params = session_get_cookie_params();
setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
}
session_destroy();
And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:
session_start();
if (!isset($_SESSION['CREATED'])) {
// invalidate old session data and ID
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:
if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
The PHP Manual addresses this question.
You need to kill the session and also remove the session cookie (if you are using cookies).
See this page (especially the first example):
http://us2.php.net/manual/en/function.session-destroy.php
In the one site I've made where I did use PHP sessions, I never actually destroy the session.
The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.
Hence on my site I just made sure that every page called session_start(), and then just unset() those parts of the session state that matter when the user logs off.
$_SESSION = [];
#unset($_COOKIE[session_name()]);
session_destroy();
I am new to PHP sessions and am looking for some help with the following:
I start a session on a page as follows which works as intended so far:
session_start();
// ...
$_SESSION["User"]["login"] = "loggedIn";
$_SESSION["User"]["username"] = $email;
Now if a the user wants to log out I also want to destroy this session (incl. deleting its data and unsetting its variables etc.). When searching for guidelines on this I came across the following on the PHP Manual but I am not sure how to apply this and I don't understand what the lines in the ini part really do.
Can someone help me with this and maybe also provide some short explanations on this ?
My current code to destroy the session:
session_start();
// ...
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$_SESSION["User"]["login"] = "",
$_SESSION["User"]["username"] = ""
);
}
session_destroy();
Many thanks in advance.
This is what PHP manual says
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie
Checkout the PHP Manual
You can use unset($_SESSION);
OR
$_SESSION = array();
This will also empty the Session datas
You don't need to destroy $_SESSION, PHP Garbage Collector do this automatically.
Just set $_SESSION["User"]["login"] = false and everywhere you need to check user login, check
if ($_SESSION["User"]["login"]) {
// do something
} else {
echo "You don't have access";
}
What I am trying to do:
When a user hits the index.php page (the start of a couple pages of forms), I need any existing session to be destroyed and a new one to start. This is so that old session variables are not reused in the new process.
What I have done:
I believe this should check if a session already exists, if it does, destroy it and start a new one. (Need to use session_id() for the check)
if(session_id() == '') {
session_start();
}else{
session_destroy();
session_start();
}
The issue:
The previous session variables are still set and causing issues with the process.
Am I missing something in the way to reset all session varibles?
In documentation you can read:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. session_destroy();
So you have to do following things:
$_SESSION = array(); //empty session variable
$cookieParams = session_get_cookie_params();
setcookie(
session_name(),
'',
0,
$cookieParams['path'],
$cookieParams['domain'],
$cookieParams['secure'],
$cookieParams['httponly']
);
session_destroy(); //and now you can call your function
I am at a total loss for words.
I allow an admin to reset their registration if reaching an error during the process. In theory, the following code should function like this:
page is reached, $adminvalidated is set based on session data. The $_SESSION array is cleared; the cookie is cleared on the consumer end; the session id is regnerated and the session is destroyed. Then the session is restarted and the previously mentioned variable is put back into Session.
the "echo" statements included below work but when I redirect to another page (commented out below), the session variables DO NOT carry over.
Yes I have started the session on the follow up page as well.
<?php
session_start();
ob_start();
if( $_SERVER['SERVER_PORT'] == 80) {
header('Location:https://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
die();
}
$adminvalidated = $_SESSION['ADMINVALIDATED'];
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_regenerate_id(true);
session_destroy();
session_start();
$_SESSION['ADMINVALIDATED'] = $adminvalidated;
echo $_SESSION['ADMINVALIDATED'];
/*
header("Location: ../a.php");
exit;*/
?>
In general it suffices to call session_regenerate_id(true) to change the session ID of the current session and invalidate the association with the previous session ID.
If you additionally want to clear any session data except $_SESSION['ADMINVALIDATED'], just do this:
session_regenerate_id(true);
$_SESSION = array(
'ADMINVALIDATED' => $_SESSION['ADMINVALIDATED']
);
From the manual page of session_start:
As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.
Just clear your session with session_unset, regenerate the session id and then reset your admin var. No need to destroy then restart the session.
I'm really not sure why you're going through all of these steps. session_regenerate_id() is enough on it's own to regenerate the session token and the associated cookie. The function creates a new session token and creates a new session cookie for you while preserving the values you have in the current session. Since setting a new cookie with the same name overwrites an old one isn't simply calling session_regenerate_id() enough?
Feel free to clarify things if I've missed something.