We Keep Coding

PHP - Cookie and Session Doesn't get Deleted Permanently

I trigger the function below in all my web pages.
function refresh_user_auth() {
if (isset($_COOKIE["UserID"])) {
$_SESSION["UserIDS"] = $_COOKIE["UserID"];
setcookie("UserID", $_COOKIE["UserID"], time() + (86400 * 30), "/");
}
elseif (isset($_SESSION["UserIDS"])) {
$_SESSION["UserIDS"] = $_SESSION["UserIDS"];
setcookie("UserID", $_SESSION["UserIDS"], time() + (86400 * 30), "/");
}
}
I use the function below to log out but it doesn't seem to have logged me out when I visit other web pages on the website.
function unset_user_auth() {
if (isset($_COOKIE["UserID"])) {
unset($_COOKIE['UserID']);
$_COOKIE = array();
setcookie('UserID', '', time() - 36000);
}
if (isset($_SESSION["UserIDS"])) {
unset($_SESSION['UserIDS']);
$_SESSION = array();
session_destroy();
setcookie('UserIDS', '', time() - 36000);
}
}
Please, what am I doing wrong?

I'm not sure why you have to do that separately for cookie and session, you can do that all at once. When logging out, it isn't required to check if cookies are set and/or session is set if you're going to destroy both anyway (unless you have an option to save cookie for 'Remember me' function).
Here's an example from a comment in the PHP documentation for session_unset() function page. You could always refer to PHP documentation when in doubt. You'll find ample examples and use cases in the comments.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>

Warning: session_destroy(): Trying to destroy uninitialized session

my class.inc file:
<?php
class logout{
public function logout(){
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params["httponly"]);
}
session_destroy();
}
}
?>
used code for my logout:
session_start();
require($path."include/class.inc");
if(!empty($_GET['logout'])){
$object=new logout();
$object->logout();
$content='5;url='.$path.'index.php';
}
When the logout function is called, it destroys the session, but shows the warning:
Warning: session_destroy(): Trying to destroy uninitialized session in class.inc on line 9
I am unable to troubleshoot, as the session is not being destroyed by any other means before the session_destroy() of class.inc.

You have to call the function mentioned below at the top your logout function in the logout class.
session_start();
Add the above function and try it out. If you don’t start the session at the top of your file, it will throw exceptions like “headers already sent”, “can’t start the session”, etc.

This error is common when you haven't started the session beforehand
if (!isset($_SESSION))
{
session_start();
}

https://www.php.net/manual/en/function.session-status.php
if (session_status() === PHP_SESSION_ACTIVE)
session_destroy();

I encountered the session_destroy() error message when I started using session_write_close(). To determine if session_destroy() should be called or not, I had to do the following:
class Session {
public static function start() {
self::$haveSession = true;
session_start();
}
public static function finish() {
session_write_close();
self::$haveSession = false;
}
public static function clear() {
if (self::$haveSession) {
session_unset();
session_destroy();
}
}
}
In PHP >= 5.4 it should work to replace if (self::$haveSession) with if(session_status() === PHP_SESSION_ACTIVE).

You can add this code to start a session if it didn't start before
if(!session_id()) {
session_start();
}

Start your session
session_start(); and you can destroy your session
<?php
session_start();
class logout{
public function logout(){
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params["httponly"]);
}
session_destroy();
}
}
?>

You'll have to call session_start() before you call session_destroy();
Are you storing session in data in files or in a database. If you are storing it in a database, I normally just delete the record from the session table that corresponds to the session id, that way you don't have to unregister each session var and it actually deletes the whole session.

Start session after destroy php

I have a logout file for my web application. I would like to create a session after the logout so that I can echo a logout success message. My logout code works but I am unable to create a new session after destroying the previous one.
What is the best way to do this, see code:
//LOGOUT.PHP
session_start();
//// unset all $_SESSION variables
session_regenerate_id();
session_unset();
session_destroy();
$_SESSION['logoutsuccess'] = 'You have successfully logged out.';
header("Location: /login/");
exit;
//LOGIN.PHP (ECHO SUCCESS MESSAGE)
if(isset($_SESSION['logoutsuccess']))
{
echo '<div class="success">'.$_SESSION['logoutsuccess'].'</div>';
unset($_SESSION['logoutsuccess']);
}
I would like to avoid passing variables in the url if possible.

Call session_start() again after session_destroy()?

Just start a new session:
session_start();
session_destroy();
session_start();
$_SESSION['food'] = 'pizza';

Instead of trying to store it as a session variable, you could check the referer and check for /logout/
if(strpos($_SERVER['HTTP_REFERER'], 'logout') !== false) {
echo 'You have successfully logged out.';
}

session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();

preserving a session variable after session_destroy()

from my logout.php :
<?php require_once("includes/session.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php
if ( isset( $_SESSION['colony_id']))
$cookie = $_SESSION['colony_id'] ;
$_SESSION = array();
if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
//this fails- session_start() ;
if ( !empty($cookie))
$_SESSION['colony_id'] = $cookie ;
// redirect_to("login.php?logout=1");
?>
I want to end the current session and then start a new session, with one of the variables from the old session in the new session. I tried adding a second session_start statement, but that had no effect. What else can I do ?
Thanks
Edit: I decided to redirect to a new page, on which a fresh session_start() statement created a new session

See this link :
http://bugs.php.net/bug.php?id=38042
it's a bug in php and it has a patch.

You could put the session variable into a normal variable, and then destroy the session and put it back in the session after you create a new one.

If you jsut have one variable you want to save, and you absolutly want to destroy the session:
Save the variable to a local variable, destroy the session, start a session, and then reload th session variable...
$localvar = $_SESSION['variable'];
session_destroy();
session_start();
$_SESSOIN['variable'] = $localvar;

Alternative to session_is_registered()

What is the alternative to the deprecated function session_is_registered() in PHP 5?
Here's my code:
ob_start();
session_start();
if(!session_is_registered(myusername))
{
header("location:main_login.php");
}
ob_flush();

"You need to set and reference $_SESSION variables only." For example:
if( isset($_SESSION[$myusername]) )
From http://www.phpfreaks.com/forums/index.php?topic=263189.0

on a side note, best use $_SESSION['username'] = $myusername;. Using the $_SESSION[$myusername] as a variable may overwrite existing variables in the session.

But if you set anything in the session variable it will display you the protected page:
e.g.,
<?php
session_start();
if(isset($_SESSION[$myusername])){
echo "welcome to protected page.";
}
else {
header('location:login.php');
die;
}
?>

Use session_id()
if (!session_id()) {
// do stuff
}
if there is no session id nothing will be returned. (docs - session_id() )