While browsing through various user logout functions in PHP, I always come across session_destroy() to remove session variables for a particular user, but they don't use setcookie() to remove the user's PHP SESSIONID.
The PHP Documentation clearly states:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
I tried tracking the cookie in Firefox; after using session_destroy(), it continues to keep the PHP SESSIONID cookie, and the next time the user logs in, the same SESSIONID is used.
Isn't it always safe to remove the session ID cookie from the user's machine after he has logged out, and what would happen if I fail to delete the SessionID cookie?
Simply do this:
$_SESSION = array();
That way the session is empty.
No need for (nor added security from) destroying it like you try.
This should work:
session_regenerate_id(true);
Description of function:
session_regenerate_id — Update the current session id with a newly generated one.
Its only parameter, which is false by default: delete_old_session - Whether to delete the old associated session file or not.
Related
I have two users in mysql database, when one user is logged in, it gets a session id. But when 1st user logs out & 2nd user logs in it gets the same session id as of the 1st user. I want that even if the browser is not closed, but there are multiple login & logouts from the same browser, the session id should change for every user who logs in.
I use the following code:
session_unset();
session_destroy();
Then you need to explicitly destroy the session or regenerate the id.
I'm guessing you're currently just leaving it hanging there.
Use session_destroy() on your log-out button.
Call session_destroy() in your logout script.
You can also call it in the login script, if a new user logs in without the old user logging out.
From the documentation:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
Cookies allow your applications to store a small amount of textual data (typically, 4-6kB) on a Web client. There are a number of possible uses for cookies, although their most common one is maintaining session state. Cookies are typically set by the server using a response header, and subsequently made available by the client as a request header.
This is from the ZCE study guide.
My questions are
1. How is session state maintained by a cookie?
2. What happens to these cookies when we use session_destroy()?
Put simply, the session cookie ties a remote session to your browser as you navigate a given site. It contains a string usually along the lines of PHPSESSID=3432DFGDFG43523 which the remote server identifies as a session that it is managing.
From the PHP website:
A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL.
The session support allows you to store data between requests in the
$_SESSION superglobal array. When a visitor accesses your site, PHP
will check automatically (if session.auto_start is set to 1) or on
your request (explicitly through session_start() or implicitly through
session_register()) whether a specific session id has been sent with
the request. If this is the case, the prior saved environment is
recreated.
http://www.php.net/manual/en/intro.session.php
When session_destroy() is called, it doesn't quite behave as you'd expect. The session is destroyed remotely but the local cookie isn't removed. To do this you'd need to call setcookie(<session cookie name>) with a negative date to destroy it on the client side. Again, from the PHP website:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
http://www.php.net/manual/en/function.session-destroy.php
Very short:
A session id is created which is sent over to the client on each request, this is stored in a cookie usually called PHPSESSID. The client responds with this session id to tell the server which session it belongs to.
session_destroy only unsets the data, not the identity. So cookies are not touched using that method.
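The logout the documentation quoted above describes (and the one the earlier question asks about), as an added example that is not from any of the posts: it empties $_SESSION, expires the cookie named by session_name() with the same attributes PHP set it with, and then destroys the server-side record. The redirect target /login.php is an assumed path.

```php
<?php
// Added example (not from any post above): a logout that clears the data,
// the server-side session record, and the browser's session cookie.
declare(strict_types=1);

function logout(): void
{
    // Resume the existing session so PHP knows which record to destroy.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all session variables held for this request.
    $_SESSION = [];

    // 2. Expire the cookie in the browser. session_name() returns the cookie
    //    name (PHPSESSID by default). Reuse the original cookie attributes so
    //    the browser matches the same cookie and actually removes it; a
    //    mismatched path or domain would leave the old cookie in place.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Delete the server-side session record.
    session_destroy();
}

logout();
header('Location: /login.php'); // assumed login page path
exit;
```

The array form of setcookie() and the samesite entry of session_get_cookie_params() require PHP 7.3 or later.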
I am trying to delete a session cookie. These are the steps I am following
// Find the session - I believe this is doing a resume rather than starting a fresh session, thus identifying the session.
session_start();
// Unset all the session variables en masse by assigning an empty array
$_SESSION = array();
// Find the session name that has been allocated, then destroy the session cookie
if (isset($_COOKIE[session_name()])) {
    // Set content of found cookie to empty, with a past time, at the root
    setcookie(session_name(), '', time() - 42000, '/');
}
// Destroy the session
session_destroy();
This definitely logs me out. However, the actual cookie still exists and can be viewed in the browser (Firefox).
$_COOKIE[session_name()]
appears to be returning the encrypted content string as opposed to the session name.
Questions:
If $_COOKIE[session_name()] is not the correct way to get the session name, what is?
Should I be setting a session_name instead of allowing it to default?
Am I seeing the session because it is waiting for some kind of garbage collection?
You may want to take a look at this page:
http://php.net/manual/en/function.session-destroy.php
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Based on that, you might want to be using session_id() as opposed to session_name().
OK, I'm a newbie on sessions. Let's imagine that we have a little login site;
here's the logic:
login
if password right = use $_SESSION[isaloginuser] = 1
check session to see menus with if $_SESSION[isaloginuser] = 1
show the menus
the user wants to log off
unset session
destroy session system
what it uses:
session_register
session_destroy
session_unset
session_start
Where do session_id & session_regenerate or session_name go in?
At the PHP site it says:
session_id() is used to get or set the
session id for the current session.
I still just don't get it. Why do we need them anyway? In a real environment, what do they do?
No, you don’t need to use them. In general all you need is
session_start to start the session handling, and
session_destroy to destroy the stored session data (this does not modify $_SESSION), and
session_unset to reset the $_SESSION variable (but you can also do $_SESSION = array()).
session_id and session_name are to get and set the current session ID and session ID name (default is PHPSESSID). session_regenerate_id can be used to regenerate/change the session ID of the current session. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.
session_regenerate_id() is used in order to prevent session fixation.
Session fixation means the following: You visit a website and examine your session ID. Then you manipulate another user into visiting the site using your session ID, and signing in. Now you're signed in as that user and have his privileges, because you're both using the same session.
To prevent this, give the user a new session ID using session_regenerate_id() when he successfully signs in. Now only he has the session ID, and your old session ID is no longer valid.
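The two uses named in the answers above, rotating the ID on a timer and issuing a fresh ID at sign-in to defeat fixation, as an added example that is not from any of the posts. The 10-minute interval, the user table lookup that supplies $storedHash, and the function names are assumptions.

```php
<?php
// Added example (not from any post above): regenerate the session ID on a
// schedule and at login, so a pre-login ID an attacker knows stops mattering.
declare(strict_types=1);

const ROTATE_AFTER_SECONDS = 600; // assumed policy: refresh the ID every 10 minutes

function secure_session_start(): void
{
    // Strict mode: PHP only accepts IDs it issued itself, so an unknown ID
    // presented by the browser is replaced instead of adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();

    $now = time();
    if (!isset($_SESSION['_rotated_at'])) {
        $_SESSION['_rotated_at'] = $now;
    } elseif ($now - $_SESSION['_rotated_at'] > ROTATE_AFTER_SECONDS) {
        session_regenerate_id(true); // true: discard the old session file
        $_SESSION['_rotated_at'] = $now;
    }
}

// $storedHash is the password_hash() value for this user (assumed table lookup).
function login_user(int $userId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // New ID on privilege change: the old ID no longer maps to any session,
    // so anyone who fixed it into the victim's browser gains nothing.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['_rotated_at'] = time();
    return true;
}

secure_session_start();
```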
session_register() is deprecated in 5.3; I would suggest against using it. Instead just use
$_SESSION['varname'] = "value";
session_id is just used if you want to get the session id for storing in a database; this is not "necessary" for use. session_name just sets a name; this is not necessary. The regenerate is if you want to do a new id; this is also not necessary unless your application needs it. For a login session, I highly doubt you will use it.
The others, I hope you understand what they do (ie the unset / destroy). But hope that gives some insight.
Session IDs are the identifier for the session. The way a server stores data about a client is in a cookie. This cookie is sent with each HTTP request to the server by that client. PHP sets a cookie to be a random string token. This token identifies the client and relates it to a set of key-value pairs. The idea of a session variable is that cookies can be easily tampered with. Session IDs, however, being random strings, are hard to duplicate and thus add security.
I usually use session_id() when creating shopping baskets so I can track what that user has added. Then, once I have got a response back from the payment gateway that the payment was successful, I session_regenerate() so that when they are back on my website their previous baskets are not visible, and to me it's like a new user has "entered" the shop.
It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if (isset($_SESSION['FacID']))
    $facID = $_SESSION['FacID']; // Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if (isset($_SESSION['FacID']))
    $_SESSION['FacID'] = $facID;
?>
If you feel the need to force a new id
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the
data associated with the current
session. It does not unset any of the
global variables associated with the
session, or unset the session cookie.
To use the session variables again,
session_start() has to be called.
In order to kill the session
altogether, like to log the user out,
the session id must also be unset. If
a cookie is used to propagate the
session id (default behavior), then
the session cookie must be deleted.
setcookie() may be used for that.
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.