Expired session cookie appears to still exist - php

I am trying to delete a session cookie. These are the steps I am following:

```php
// Find the session. I believe this is doing a resume rather than starting a fresh session, thus identifying the session.
session_start();
// Unset all the session variables en masse by assigning an empty array
$_SESSION = array();
// Find the session name that has been allocated, then destroy the session cookie
if (isset($_COOKIE[session_name()])) {
    // Set the content of the found cookie to empty, with a past expiry time, at the root path
    setcookie(session_name(), '', time() - 42000, '/');
}
// Destroy the session
session_destroy();
```
This definitely logs me out. However, the actual cookie still exists and can be viewed in the browser (Firefox). `$_COOKIE[session_name()]` appears to be returning the encrypted content string as opposed to the session name.
Questions:
If `$_COOKIE[session_name()]` is not the correct way to get the session name, what is?
Should I be setting a session_name instead of allowing it to default?
Am I seeing the session because it is waiting for some kind of garbage collection?

You may want to take a look at this page:
http://php.net/manual/en/function.session-destroy.php
"In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that."
Based on that, you might want to be using session_id() as opposed to session_name().
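For the logout case above, here is an added example (not code from the question or the answer) of a logout that clears the data, expires the cookie with the same attributes it was issued with, and then destroys the session. It assumes PHP 7.3+ for the array form of setcookie() and a hypothetical /login.php to redirect to.

```php
<?php
// Added example: complete logout. The cookie's name is session_name()
// (PHPSESSID by default) and its value is the session id, which is why
// $_COOKIE[session_name()] looks like an opaque string rather than a name.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all server-side session data.
    $_SESSION = [];

    // 2. Expire the cookie. A browser only treats this as a deletion when the
    //    name, path and domain match the original Set-Cookie, so reuse the
    //    configured cookie parameters instead of hard-coding '/'.
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Remove the session record so the old id can no longer be resumed.
    session_destroy();
}

logout();
header('Location: /login.php'); // hypothetical login page
exit;
```

If the cookie still shows up in the browser afterwards, compare the Set-Cookie header of the logout response with the one that originally issued the cookie: a mismatch in path or domain creates a second cookie instead of deleting the first.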

Related

Why should we destroy session in php?

session_destroy() destroys session data but does not unset any of the global variables associated with the session or unset the session cookie.
So why should we destroy the session?
Can we destroy the session at the end of the page each time, since the session starts at the beginning of that page, and get the same functionality as without destroying it?
session_destroy() will delete the session file (if file storage is used). Otherwise the session file will reside on the server until the garbage collection deletes it. So, if you want to make sure that the stored session data is removed from the server you have to call session_destroy().
Do not call this on every page! Only after the user logs out and you do not need the stored information anymore.
Your correct approach should be to run session_destroy, and then reload the page to force the session changing actions (such as cookie deletion) to work and then the session data in PHP reloads and renews upon page reload.
Before running session_destroy you should also "manually" clean the session as well, so:

```php
<?php
session_start();
if (count($_SESSION) > 0) {
    // Or some other more specific cursory check if the session is populated
    $_SESSION = array();            // clear all session variables
    session_destroy();
    header("Location: thispage.php"); // reload so the cookie change takes effect
    exit;
}
// ...
// Page continues...
```
Also please reference this answer as to how to remove session cookies on the client browser.

Destroying specific session variables

Hey guys, I got into a small problem. I am developing a quiz application, and I need to have a different session for every quiz that is being played.

```php
session_name("quiz123"); // one name per quiz; session names must not contain spaces
session_start();
```

This helps me to do the work, but I have got another session being started at the login page.
I need to destroy the random-name session once the quiz is complete.
P.S.: both are two different sessions.
Check the manual on that one: http://php.net/manual/en/function.session-destroy.php
"session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that."
I believe that you cannot have two sessions active at the same time. If you need to store your quiz values in the session, then you'll need to prefix their indexes so they are handy and easily destroyed. You could have something like:

```php
$_SESSION['Quiz']['Question1'] = "Yes";
$_SESSION['Quiz']['Question2'] = "No";
```

Then, when you're finished with the quiz:

```php
unset($_SESSION['Quiz']);
```

Remove user's Session existance after logout

While browsing through various user logout functions in PHP, I always come across session_destroy() to remove session variables for a particular user, but they don't use setcookie() to remove the user's PHP SESSIONID.
The PHP documentation clearly states:
"In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that."
I tried tracking the cookie in Firefox, and using session_destroy() continues to keep the PHP SESSIONID cookie; the next time the user logs in, the same SESSIONID is used.
Isn't it always safe to remove the session id cookie from the user's machine after he has logged out, and also what would happen if I fail to delete the SessionID cookie?
Simply do this:

```php
$_SESSION = array();
```

That way the session is empty.
No need for (nor added security in) destroying it like you try.
This should work:

```php
session_regenerate_id(true);
```

Description of the function:
session_regenerate_id — Update the current session id with a newly generated one.
Its only parameter, which is false by default: delete_old_session - Whether to delete the old associated session file or not.

session_id() always returns '' even if a session cookie is set

I am currently experiencing problems with the PHP function session_id().
At the beginning of my scripts, I want to check whether the user has a session, and I do not want to call session_start() as that would generate a session cookie.
Whenever I call session_id(), it returns '', even if a session is definitely set.
I verified that a session is set by checking for the session cookie via the $_COOKIE array.
session_start() will not generate a new session. From the PHP docs:
"session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie."
You have to resume the old session before you can get its ID.
Without calling session_start() the session does not exist for PHP. After session_start() you can easily check whether the user has got a session by checking for a key in the $_SESSION super-global array.
If you want to check if they have a session and get the session id without creating a new one if they don't, your best bet is to look in the $_COOKIE array for the session id (or $_GET if you use that for storing the id instead).
session_id() will only work if you call session_start(). If the session does already exist it will not generate a new session id, so it will still give you the session id you are looking for.
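The cookie-first check suggested in the answers above, as an added example (not code from the question or the answers): it decides whether a visitor carries a session id at all before calling session_start(), so anonymous page views do not create empty session records. The `user` key and the `hasSessionCookie`/`currentUser` names are assumptions for the example; read_and_close needs PHP 7.0+.

```php
<?php
// Added example: detect an existing session without creating one.
declare(strict_types=1);

/**
 * True only when the request carries a cookie named session_name() whose
 * value has the shape of an id PHP could have issued. This is a cheap
 * pre-filter, not proof the session exists: only session_start() with
 * session.use_strict_mode=1 establishes that the id is known to the server.
 */
function hasSessionCookie(array $cookies): bool
{
    $sid = $cookies[session_name()] ?? null;
    // PHP ids are 22..256 characters drawn from [0-9a-zA-Z,-]
    // (session.sid_length / session.sid_bits_per_character).
    return is_string($sid) && preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $sid) === 1;
}

/** Resume an existing session read-only, or report "no session" without creating one. */
function currentUser(): ?string
{
    if (!hasSessionCookie($_COOKIE)) {
        return null; // no session_start(): no Set-Cookie, no file on disk
    }
    // With strict mode an id the server never issued is replaced by a fresh one
    // instead of being adopted, so a forged cookie never resumes a foreign session.
    ini_set('session.use_strict_mode', '1');
    session_start(['read_and_close' => true]); // read the data, release the lock
    return $_SESSION['user'] ?? null;
}

$user = currentUser();
echo $user === null ? "anonymous visitor\n" : "session for {$user}\n";
```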

How to delete a PHP session?

It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
```php
<?php
session_start();
if (isset($_SESSION['FacID'])) {
    $facID = $_SESSION['FacID']; // Want to re-instate this after we destroy the session.
}
$_SESSION = array();  // clear the data; unset($_SESSION) itself is discouraged by the manual
session_destroy();
if (isset($facID)) {
    $_SESSION['FacID'] = $facID;
}
?>
```
If you feel the need to force a new id:
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
"session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that."
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.
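The id reuse noted in the "Remove user's Session existance after logout" question (the same SESSIONID on the next login) and in the question above (the id not changing on sign-out and sign-in) is what session_regenerate_id(true) addresses. As an added example, not code from any of the posts, here is a login handler that regenerates the id when the visitor becomes authenticated; the credential check and the /home.php and /login.php paths are constructed placeholders.

```php
<?php
// Added example: regenerate the session id at login so the id the browser
// held before authentication never identifies an authenticated session.
declare(strict_types=1);

ini_set('session.use_strict_mode', '1'); // refuse ids the server did not issue
session_start();

// Constructed single-user credential store for the example.
const USERS = ['alice' => '$2y$10$placeholderhashreplaceme......................'];

/** Hypothetical credential check; replace with the real user store. */
function credentialsValid(string $user, string $password): bool
{
    $hash = USERS[$user] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

function login(string $user, string $password): bool
{
    if (!credentialsValid($user, $password)) {
        return false;
    }
    // Discard the pre-login id and delete its server-side record (true).
    // The new id is sent in a fresh Set-Cookie header on this response, so the
    // browser no longer presents the id it had while anonymous.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

$ok = login($_POST['user'] ?? '', $_POST['password'] ?? '');
header('Location: ' . ($ok ? '/home.php' : '/login.php?failed=1'));
exit;
```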
