I have two users in a MySQL database. When one user is logged in, it gets a session id. But when the 1st user logs out & the 2nd user logs in, it gets the same session id as the 1st user. I want that even if the browser is not closed, but there are multiple logins & logouts from the same browser, the session id should change for every user who logs in.
I use the following code:
session_unset();
session_destroy();
Then you need to explicitly destroy the session or regenerate the id.
I'm guessing you're currently just leaving it hanging there.
Use session_destroy() on your log-out button.
Call session_destroy() in your logout script.
You can also call it in the login script, if a new user logs in without the old user logging out.
From the documentation:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
Hey guys, got into a small problem... I am developing a quiz application, and I need to have a different session for every quiz that is being played...
session_name("random name");
session_start();
This helps me to do the work, but I have got another session being started at the login page.
I need to destroy the random name session once the quiz is complete.
P.S.: both are two different sessions.
Check the manual on that one: http://php.net/manual/en/function.session-destroy.php
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
I believe that you cannot have two sessions active at the same time. If you need to store your quiz values in the session, then you'll need to prefix their indexes so they are handy and easily destroyed. You could have something like:
$_SESSION['Quiz']['Question1'] = "Yes";
$_SESSION['Quiz']['Question2'] = "No";
Then, when you're finished with the Quiz:
unset($_SESSION['Quiz']);
While browsing through various user logout functions in PHP, I always come across session_destroy() to remove session variables for a particular user, but they don't use setCookie() to remove the user's PHP SESSIONID.
The PHP Documentation clearly states:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
I tried tracking the cookie in Firefox, and using session_destroy() continues to keep the cookie of PHP SESSIONID; the next time the user logs in, the same SESSIONID is used.
Isn't it always safe to remove the session id cookie from the user's machine after he has logged out, and also what would happen if I fail to delete the SessionID cookie?
Simply do this:
$_SESSION = array();
That way the session is empty.
No need (nor added security) by destroying it like you try.
This should work:
session_regenerate_id ( true );
Description of function:
session_regenerate_id — Update the current session id with a newly generated one.
Its only parameter, which is false by default: delete_old_session - Whether to delete the old associated session file or not.
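The manual text quoted in these threads says the session cookie must be deleted as well, and the answers point to session_regenerate_id(). Both steps combined into one logout and login routine, as an added example that is not code from any of the posts; the function names logout() and login(), the 'user' session key, and PHP 7.3 or later (for the setcookie() options array) are assumptions:

```php
<?php
// Added example, not taken from the posts above.
// logout(), login() and the 'user' key are hypothetical names.

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the session data held in memory for this request.
    $_SESSION = [];

    // 2. Expire the session cookie. Path and domain must match the
    //    values the cookie was created with, or the browser keeps it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }

    // 3. Delete the server-side session data (file or database row).
    session_destroy();
}

// Call only after the credentials have been verified.
function login(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Issue a fresh id at every change of identity, so an id the browser
    // already held (from a previous user or planted by a third party)
    // never becomes an authenticated session. true removes the old data.
    session_regenerate_id(true);

    $_SESSION = [];
    $_SESSION['user'] = $username;
}
```

With this in place the browser receives a new session id on every login, even when the window is never closed between users.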
When I try to log out the session is destroyed but I still can go inside that page and view details without logging in first by using the Mozilla browser back button or history cache.
Code for logout is:
<?php
session_start();
session_unset($_SESSION['user']);
//redirect to login page
header('location:login.php');
session_write_close();
?>
Members page:
<?php
if(!isset($_SESSION['user'])||(trim($_SESSION['user']==''))){
require('error.php');
}
else{
require('view.php');
//the function queries the db.
member_detail($user,$password);
}
In this code if I use the link to the page, it goes to the error page but if I log in, member details is displayed since the session is active so problem is after logout.
First make sure your session is destroyed using the session_destroy function, or unset the whole session array.
And print the session array in a test page after logout. This will show you which session variables are there. Use the isset method to check whether or not session variables exist.
Sometimes session_unset and session_destroy do not clear the session data.
Reference: http://www.dmxzone.com/forum/topic/14240/
I have similar experience. Perhaps it is because of not using the methods properly.
Quickfix:
if you want to unset a particular session variable:
$_SESSION["variable"]="";
That will 'unset it'
To unset the whole SESSION
$_SESSION=array();
I seriously do NOT know how valid these are as recommended programming practices, however, they work for me.
From the manuals:
If a globalized variable is unset()
inside of a function, only the local
variable is destroyed. The variable in
the calling environment will retain
the same value as before unset() was
called.
and
session_destroy() destroys all of the
data associated with the current
session. It does not unset any of the
global variables associated with the
session, or unset the session cookie.
To use the session variables again,
session_start() has to be called.
In order to kill the session
altogether, like to log the user out,
the session id must also be unset. If
a cookie is used to propagate the
session id (default behavior), then
the session cookie must be deleted.
setcookie() may be used for that.
Perhaps other users can add more to this answer. Plus the manuals at php.net have very informative comments with sample code.
For a web application, I decided to store the session variables in a database. Everything is working like I want except for the logout, in which I thought that a simple session_destroy() would do the job, but it does not.
As I mentioned, all the session information is stored in the database, but I notice that when calling session_destroy(); it does delete the session from the database but it is not deleted from the server. I notice that if I do not close the browser, every time I log in I get the same session id, therefore if I log in with a different username, I still get the same session id. How can I delete the server session?
This is a function within a class that I use to destroy the session:
function destroy( $id ) {
// Build query
$newid = mysql_real_escape_string($id);
$sql = "DELETE FROM sessions_table WHERE session_id = '{$newid}'";
mysql_query($sql);
return TRUE;
}
Any advice please?
php-manual:
"session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that."
It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if( isSet($_SESSION['FacID']) )
$facID = $_SESSION['FacID']; //Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if( isSet($_SESSION['FacID']) )
$_SESSION['FacID'] = $facID;
?>
If you feel the need to force a new id
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the
data associated with the current
session. It does not unset any of the
global variables associated with the
session, or unset the session cookie.
To use the session variables again,
session_start() has to be called.
In order to kill the session
altogether, like to log the user out,
the session id must also be unset. If
a cookie is used to propagate the
session id (default behavior), then
the session cookie must be deleted.
setcookie() may be used for that.
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.