Browser remembering cookies even if not supposed to - php

I have built my logging in and out system but it seems to not work correctly in some browsers like chrome and firefox. The problem is that the browsers remember cookies even if they're meant to expire at session end.
Does anyone have a solution for that?
I'd just like to note that creating another cookie to monitor if it's supposed to remember or not is not a valid solution, there must be a more professional way.
Thank you in advance!
EDIT: I apologize, I got confused. I'm not unsetting the cookie at all, the browser is supposed to destroy it when it's closed but it doesn't. That's the problem.

Set the expiration date to the past
// set the expiration date to one hour ago
setcookie ("cookie", "", time() - 3600);
See this example from php manuals.
EDIT:
To delete cookies when the browser or the tab is closed, you can use javascript onunload.
<script>
window.onunload = function ()
{
    document.cookie = 'cookie =; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
}
</script>
It will set the cookie expiration date to the past, on page unload.

To delete a cookie you need to set a negative time.
setcookie('cookie', '', time() - 3600);

Like PHP Doc says:
If set to 0, or omitted, the cookie will expire at the end of the
session (when the browser closes)
This is the idea of PHP, but some browsers don't do that. Just set a negative time like
setcookie("cookie", "", time() - 10);
and it works.

Related

Cookie doesn't change when reset to expire in past/present

I'm struggling over an hour on how to delete cookies. I found out that to delete a cookie, its value must be set to past, so it expires. However if I try with time()-something or even time() nothing is done to cookie. However setting expiration time to time()+1 works. But I'd like to have the cookie deleted immediately. Not after 1 second.
So this works:
if (isset($_COOKIE['rememberme'])) setcookie('rememberme', 'del', time()+1, '/', 'localhost');
This doesn't do anything to the cookie, leaving it as it was before logout:
if (isset($_COOKIE['rememberme'])) setcookie('rememberme', 'del', time()-1, '/', 'localhost');
I think it is my browser's fault. If expiration time is set to past it displays the old cookie as it was before log out, however my script acts like this cookie doesn't exist. The browser is Iceweasel (Firefox on Debian).

Create lasting php login cookie sessions

I'm trying to make my login sessions last longer, so that people don't get logged out of my website too early. For example, making a blog post and losing it when they submit because php expired their cookie.
Ideally I'd like to give them say a 2 hour session where they won't be logged out, which will refresh every time they load the page (this code snippet below is before the header of each secure page)
This is what I am trying, but it comes up with an error for the setcookie() saying that there was a division by zero? What am I doing wrong here?
//How long sessions last
$hours = 2;
// php.ini setting required for session timeout.
ini_set('session.gc_maxlifetime',$hours*60*60);
ini_set('session.gc_probability',1);
ini_set('session.gc_divisor',1);
//Set the session parameters and start session
$sessionCookieExpireTime=$hours*60*60;
session_set_cookie_params($sessionCookieExpireTime);
session_start();
// Reset the expiration time upon page load
if (isset($_COOKIE[session_name()]))
{
    setcookie(session_name(), $_COOKIE[session_name()], time() + $sessionCookieExpireTime, "/");
}
EDIT: Now working as the problem was non-standard quotes and apostrophes. Just in case anyone copies this code and uses it. Code above works now thanks!
If you would like you could add this for when your cookie expires:
time()+60*60*24*30
This is like saying that the cookie expires in 60secs, 60mins, 24h and so on. You should also check out a tutorial on cookies here: http://www.w3schools.com/php/php_cookies.asp
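Both this thread and the first one rely on the browser to end a session, and Chrome and Firefox keep session cookies across restarts when they are set to restore the previous session. The added example below (not from the original posts) enforces the 2-hour idle limit on the server instead; `IDLE_LIMIT`, the function names and the `user_id` / `last_seen` session keys are assumed names.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.3+ (array form of
// session_set_cookie_params). All names below are assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 2 * 60 * 60; // the 2-hour window from the question

/** Pure check on server-side state, independent of what the browser keeps. */
function session_is_fresh(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (!isset($session['last_seen']) || !is_int($session['last_seen'])) {
        return false; // no recorded activity: treat as expired
    }
    return ($now - $session['last_seen']) <= $idleLimit;
}

/** Start the session, enforce the idle limit, and report whether a user is logged in. */
function start_sliding_session(): bool
{
    // Keep session data on disk at least as long as the idle limit.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params([
        'lifetime' => 0,   // session cookie; the server-side timestamp is authoritative
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    if (isset($_SESSION['user_id']) && !session_is_fresh($_SESSION, time())) {
        // Idle too long: discard the login even if the browser kept the cookie.
        $_SESSION = [];
        session_regenerate_id(true);
        return false;
    }

    // Sliding window: every request from a live session resets the clock.
    $_SESSION['last_seen'] = time();
    return isset($_SESSION['user_id']);
}
```

Call `start_sliding_session()` at the top of each protected page and set `$_SESSION['user_id']` in the login handler after the password check.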

Cookie doesn't expire when closing browser

I'm trying to set a cookie with:
setcookie($cookie_name, $val, 0);
Or
setcookie($cookie_name, $val);
But when I close and re-open the browser (firefox, chrome) the cookie is still alive with the same value. How can I force it to delete when visit is over?
Thank you
To delete a cookie just set the expiry date to the past like so:
// Set the cookie in the past to ensure it is removed
setcookie($cookie_name, $val, time()-3600);
However, I do not think this is the issue in your case, as your code seems to be correct.
How are you testing for the cookie? You are probably setting it again before testing for it!
You will also want to make sure you are closing the browser, not the tab. Closing a tab does not end a session!
Try setting the value as null
setcookie($cookie_name, null);
You should try
setcookie($cookie_name, $val, time()-3600);
Try to use this code:
setcookie ("TestCookie", "", time() - 3600);// set the time to minus to remove the cookie.
I have experienced this similar problem with Chrome. Opening up the cookies panel in Web Developer Tools sometimes shows the cookie with Expires set to "Session". Upon closing the browser (not just the tab) and re-opening the browser this cookie still persists. A sure fire way to resolve this is to clear the cache. That seems to do the trick. Bottom line is that if the cookie is being shown as "session" in the browser tools, then you've set it correctly.
You may need to unset the cookie and then set it null like this:
unset($_COOKIE['cookie_name']);
setcookie ( 'cookie_name', null,-1 );
In the first line you unset it, and then you set it to null in case of any further problem.

Cookie won't unset

OK, I'm stumped, and have been staring at this for hours.
I'm setting a cookie at /access/login.php with the following code:
setcookie('username', $username, time() + 604800, '/');
When I try to logout, which is located at /access/logout.php (and rewritten to /access/logout), the cookie won't seem to unset. I've tried the following:
setcookie('username', false, time()-3600, '/');
setcookie('username', '', time()-3600, '/');
setcookie('username', '', 1, '/');
I've also tried to directly hit /access/logout.php, but it's not working.
Nothing shows up in the php logs.
Any suggestions? I'm not sure if I'm missing something, or what's going on, but it's been hours of staring at this code and trying to debug.
How are you determining if it unset? Keep in mind that setcookie() won't remove it from the $_COOKIE superglobal of the current script, so if you call setcookie() to unset it and then immediately print_r($_COOKIE);, it will still show up until you refresh the page.
Try pasting javascript:alert(document.cookie); in your browser to verify you don't have multiple cookies saved. Clear all cookies for the domain you're working on to make sure you're starting fresh. Also error_reporting(E_ALL); to make sure you're not missing any notices.
Seems to be a server issue. My last domain was pretty relaxed on PHP error handling while the new domain shows every error. I'm using both sites side by side and the old one removes the cookie as it should.
Is there perhaps a timezone issue here? Have you tried setting using something farther in the past, like time() - (3600*24)? PHP's documentation says that the internal implementation for deleting cookies uses a timestamp of one year in the past.
Also, you should be able to use just setcookie('username', false); without passing an expiration timestamp, since that argument is optional. Maybe including it is confusing PHP somehow?
How do you use the cookie data in your application?
If you read the cookie and check whether username is not false or not '', then setting it to false or '' will be sufficient, since your application will ignore the cookie's value.
You had better put some security in the cookie's value, to prevent the user from changing its value. You can take a look at the CodeIgniter session library to see how CI protects the cookie's value using a hash. An unauthorized value change will be detected and the cookie will be deleted.
Also, CI does this to kill the cookie:
// Kill the cookie
setcookie(
    $this->cookie_name,
    addslashes(serialize(array())),
    (time() - 31500000),
    $this->cookie_path,
    $this->cookie_domain,
    0
);
You can delete cookies from javascript as well. Check here http://www.php.net/manual/en/function.setcookie.php#96599
A simple and convenient way is to use these additional functions:
function getCookie($name) {
    if (!isset($_COOKIE[$name])) return false;
    if ($_COOKIE[$name]=='null') $_COOKIE[$name]=false;
    return $_COOKIE[$name];
}
function removeCookie($name) {
    unset($_COOKIE[$name]);
    setcookie($name, "null");
}
Removing a cookie is simple:
removeCookie('MyCookie');
....
echo getCookie('MyCookie');
I had a similar issue.
I found that, for whatever reason, echoing something out of logout.php made it actually delete the cookie:
echo '{}';
setcookie('username', '', time()-3600, '/');
I had the same issue; I log out (and I'm logged out), manually reload the index.php and then I'm logged in again. Then when I log out, I'm properly logged out.
The log out is a simple link (index.php?task=logout). The task removes the user from the session, and "deletes" (set value '' and set expiry in the past) the cookie, but index.php will read the user's auth token from the cookie just after this (or all) task (as with normal operations). Which will reload the user. After the page is loaded the browser will show no cookie for the auth token. So I suspect the cookie gets written after page finish loading.
My simple solution was to not read the cookie if the task was set to logout.
Use sessions for authentication, don't use raw cookies.
http://www.php.net/manual/en/book.session.php
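As an added illustration of the hash protection mentioned in the CodeIgniter answer above (not part of the original answers and not CodeIgniter's code), this is one way to sign a cookie value with an HMAC so that a changed value is detected. `COOKIE_KEY`, the function names and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
declare(strict_types=1);

// Assumed placeholder: load a long random secret from server-side configuration.
const COOKIE_KEY = 'placeholder-key-load-from-config';

/** Build "base64(user).expiry.mac"; the MAC covers both the user id and the expiry. */
function sign_cookie_value(string $userId, int $expires, string $key = COOKIE_KEY): string
{
    $payload = base64_encode($userId) . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return the user id if the MAC matches and the value has not expired, else null. */
function verify_cookie_value(string $cookie, int $now, string $key = COOKIE_KEY): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$encodedId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $encodedId . '.' . $expires, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $userId = base64_decode($encodedId, true);
    return $userId === false ? null : $userId;
}

// Constructed sample values.
$now    = 1700000000;
$cookie = sign_cookie_value('alice', $now + 604800);
// Tampered copy: user id swapped, MAC left as issued.
$forged = base64_encode('admin') . substr($cookie, strpos($cookie, '.'));

var_dump(verify_cookie_value($cookie, $now));           // genuine value
var_dump(verify_cookie_value($forged, $now));           // changed user id
var_dump(verify_cookie_value($cookie, $now + 700000));  // past the signed expiry
```

A signed value cannot be revoked before its expiry, so the server-side session recommended in the last answer remains the stronger default for authentication.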

Delete cookie from browser?

Is there any way of instructing a web browser to completely delete one's cookie set with PHP?
I do not want to expire it or wait for the browser to be closed.
With delete I mean to actually not have it listed inside the cookie's list anymore.
Try something like this to delete all cookies:
foreach ($_COOKIE as $name => $value) {
    setcookie($name, '', 1);
}
The value 1 is the expire value and it represents one second after the beginning of the Unix time epoch. So it’s always already expired.
You cannot force the browser to delete the file associated with any cookie, because you can't guarantee there's actually such a file - the contract between browser and web server regarding cookies is that the data will be presented at eligible requests.
You state that you "don't want to wait for the cookie to expire", but cookie expiration is the correct method for indicating that the data is no longer needed and should not be presented on future requests, which in most cases does translate to the browser removing the file.
To delete a cookie, therefore, set its expiration time into the past. In PHP, this is done with setcookie().
Yes. Use setcookie() and set the expiration date for the cookie you wish to delete to a time in the past. The user's browser should automatically remove it as a result.
'Seems that deleting a cookie is more difficult than it looks.
setcookie($name, '', 1);
Won't do the trick. The '' is empty and setcookie can ignore the whole instruction.
Also setting the time to the past sometimes allows the cookie to retain the value whose expire time is newer than 1.
I am dealing with this right now. I don't know where it comes from, but it's there.
I've resorted to
setcookie($name, '0', 9000000000);
This ensures the cookie is set to a value that resolves to false and that it is newer than any previous value.
If anyone has any insight into this behavior please tell.
I suspect the difficulty lies in the fact that the domain and path values for setcookie are guaranteed to be the same from execution to execution when the values are not specified.
And I am aware such a cookie will not expire until 2038 or so.
Alternately, if the newest expiration date of the cookie is known, it need be set only 1 second after.
I think that you have to use combined approach:
set expiration way back in the past (as suggested by Chacha102)
use JavaScript to delete entries from document.cookie DOM object (as suggested by andres descalzo)
There are 2 good reasons for going with mixed approach:
JavaScript can be disabled in the browser
not all cookies are visible in document.cookie. Some modern browsers support the httponly flag for cookies. PHP has support for httponly cookies, see http://www.php.net/setcookie
I wrote this plugin for myself and it works correctly.
(function ($) {
    // Expire every cookie that is visible to script on the given document
    $.cookieAllDelete = function (doc) {
        var cookie_date = new Date();
        cookie_date.setTime(cookie_date.getTime() - 1); // 1 ms in the past
        var cookies = doc.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            // split(';') leaves a leading space on every name after the first
            var cookie_name = cookies[i].split('=')[0].trim();
            try {
                if (cookie_name.length > 0)
                    doc.cookie = cookie_name + "=; expires=" + cookie_date.toUTCString();
            } catch (ex) {}
        }
    };
})(jQuery);
jQuery.cookieAllDelete(document);
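Several answers in these threads come down to the same two details: the deleting Set-Cookie header must repeat the path and domain the cookie was created with, and `$_COOKIE` still holds the old value for the rest of the request. The following logout routine is an added example, not code from any of the posts; the `rememberme` cookie name, its attributes and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.3+ (options-array setcookie).
declare(strict_types=1);

/** Attributes the (assumed) rememberme cookie was created with. */
function remember_cookie_attrs(): array
{
    return [
        'path'     => '/',
        'domain'   => '',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,  // hidden from document.cookie, so only the server can delete it
        'samesite' => 'Lax',
    ];
}

/** Expire a cookie using the same path/domain it was set with. */
function forget_cookie(string $name, array $attrs): void
{
    // A browser matches cookies on name + domain + path; a mismatch leaves the old one in place.
    setcookie($name, '', ['expires' => 1] + $attrs);
    // setcookie() only queues a response header; drop the copy this request already parsed
    // so later code in the same request cannot log the user back in from it.
    unset($_COOKIE[$name]);
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    // Delete the session cookie with exactly the parameters PHP used to create it.
    $p = session_get_cookie_params();
    forget_cookie(session_name(), [
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
    session_destroy(); // remove the server-side data as well

    forget_cookie('rememberme', remember_cookie_attrs());
}
```

Call `logout()` before any output is sent, since the Set-Cookie headers cannot be added once the response body has started.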
