I have a script that logs out the user (logout.php) and it works perfectly fine in FF and IE, but in Chrome the cookie is still available even after the browser has been closed.
I have tested with this bit of code:
logout.php
session_start();
$_SESSION['un'] = '';
$_SESSION['pw'] = '';
unset($_SESSION['un']);
unset($_SESSION['pw']);
setcookie("spf", "", time()-3600);
session_destroy();
echo "Cookie: ".$_COOKIE['spf']."<br />";
echo "Session: ".$_SESSION['un'];
In Chrome it will still echo out with content for spf despite everything. What am I doing wrong?
Edit:
In FF my testpage echoes this:
Cookie:
Session:
(e.g. blank both).
In Chrome it says this:
Cookie: {\"un\":\"test3333\",\"pw\":\"593c114983263124656dd6bb922b7bd8\"}
Session:
(e.g. the cookie has content and the session is blank).
You can try:
$_SESSION=array(); // assign an empty array to the session
OR
session_unset(); // unset $_SESSION variable for the run-time, frees all session variables currently registered.
INFO
AND THEN :
session_destroy(); // destroy session data in storage
NOTE:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether with session_destroy(), like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
TAKEN FROM:
INFO
UPDATE:
Then i think you need this, note that spf is the name of the cookie
setcookie ("spf", "", time() - 3600);
if it is an array change the name to spf[one] ex:
setcookie ("spf[un]", "", time() - 3600);
take a look HERE
Set a date in the past and it will do the trick, also don't forget to add a path so you delete the good one.
setcookie('your_cookie', '', time()-3600,'/');
Related
I have used session_destroy in MVC pattern.
If I click logout link, it will redirect correct url but page disappears. It is displaying the below error in Firefox.
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in
a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies."
This is the function I'm using for logout.
Logout function:(Not working)
public function Logout(){
session_destroy();
$this->redirect('index.php?r=admin/login');
}
I have unset($_SESSION['userName']) the session variable. It is working fine. But session_destroy is not working in that place.
What is the reason for that?
Logout function:(working)
public function Logout(){
unset($_SESSION['userName']);
$this->redirect('index.php?r=admin/login');
}
you can use another way to remove session like:-
$_SESSION = array(); // define it with empty array and clear the session values
or use start the session again and then destroy
session_start();
session_destroy();
For more :- why session_destroy() not working
and for better understanding you can read #Chen Asraf answer
From the PHP documentation of session_destroy:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
So in order to truly get rid of the session, you also have to unset or override the $_SESSION superglobal, like you did before.
Here is a code I destroy the session but it still working.
<?php
session_start();
$_SESSION['name'] = 'Arfan';
$_SESSION['second_name'] = 'Haider';
echo 'My full name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';
unset($_SESSION['second_name']);// unset the second_name session
echo 'My name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';// work fine error popup
session_destroy();// Destroy all the session
echo $_SESSION['name']; // session is working here.
?>
As you can see at the end of the code session is also working why?
From docs:
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
Example:
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you want to clear a session completely, you can use:
session_start();
session_destroy();
$_SESSION = array();
<?php
session_start();
$_SESSION['logged_in'] = false;
setcookie("dsgpassword127", $password, time()-3600); /* expire the cookie */
setcookie("dsgemail127", $email, time()-3600); /* expire the cookie */
session_destroy();
header("location: index.php");
?>
The code above which works very well in Chrome will not remove the cookies in FireFox 14.0.1. I am wondering why this is, if anyone has experienced the same problem or if there is a solution to this conundrum I am in when it comes to expiring these cookies....
According the manual for sesion_destroy():
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. ...If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Hard to explain why Chrome is unsetting the cookie, but it's Chrome's behavior that appears to be aberrant, not that of Firefox.
But the presence of an old cookie pointing to a dead session should not be problematic. The server should create a new session - with empty session data - and send back a cookie pointing to the new session.
In fact, saving unencrypted users and passwords on the client is probably ill-advised. Are you sure you need that? Storing that info on the server-side is probably more common, with the client-side only given his the session cookie.
I uninstalled FireFox and reinstalled the latest version which is 15.0. This time when FireFox asked me to remember the password automatically I requested it not do so. Now the browser is reacting normally. I suspect that the same would have been the case also in 14.0.1 in regards to the "Remember password" feature.
Just set the cookie expiration to 1 like so:
setcookie("dsgpassword127", $password, 1); /* expire the cookie */
setcookie("dsgemail127", $email, 1); /* expire the cookie */
Basically the third parameter is the number of seconds since epoch. 1 sets it to 1 second after epoch and so there is not need to worry about time() and all. Check if that helps in firefox.
In my working platform i endedup with a session_destroy problem
function logout()
{
$_SESSION['id'] = '';
session_destroy();
}
Here i unset the session id variable with a null value and uses the session_destroy() function to destroy the session.
But the problem is that after logged out from my account, when i press the back button of the browser it shows the status as logged in. Even i can browse through the profile and links of my account.
Thank you
you must unset session as well as destroy session to remove it completely from your system.
you can do it with php functions..
session_unset(); or you can use unset($_SESSION);
session_destroy();
it think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.
i've configured wamp in my system, and am doing the development cum testing in this local environment. i was working on the logout functionality, and happened to notice that the session ids being generated are same within the browser.
Eg - chrome always generates session id = abc, for all users even after logging out and logging in; IE always generates session id = xyz, for all users.
Is this an issue with wamp/ my test environment?
please find below my logout php script -
<?php
session_start();
$sessionid = session_id();
echo $sessionid;
session_unset();
session_destroy();
?>
You probably still have the cookie with the old session ID in it as neither session_unset nor session_destroy deletes that cookie:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
So use setcookie to invalidate the session ID cookie after logout:
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
Another recommendation is to regenerate the session ID after successful authentication using session_regenerate_id(true).
Will work. Please try this
session_start();
session_regenerate_id(TRUE);
session_destroy();
You must regenerate the session id using function session_regenerate_id(). Without that, the session ID would be the same between page refreshes.
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Taken from http://php.net/manual/en/function.session-destroy.php
session_unset() and session_destroy() do not delete the session cookie. You have to manually unset it with a setcookie() call.
session_unset is the converse of session_register(), and session_destroy simply cleans out $_SESSION without affecting the cookie.
from the manual (session_destroy):
session_destroy() destroys all of the
data associated with the current
session. It does not unset any of the
global variables associated with the
session, or unset the session cookie.
To use the session variables again,
session_start() has to be called.
In order to kill the session
altogether, like to log the user out,
the session id must also be unset. If
a cookie is used to propagate the
session id (default behavior), then
the session cookie must be deleted.
setcookie() may be used for that.
Unless you specifically unset the cookie, then the cookie will still exist and the next time session_start() is called, it will use that as the session id. Closing the browser also should clear the cookie because they are generally set by php to expire on browser close.
To stop session hijacking follow the below code in PHP
session_start();
/* to stop session hijacking */
// Generate new session without destroying the old one
session_regenerate_id(false);
// Fetch current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
// Assign session ID to the new one, and start it back up again
session_id($newSession);
session_start();