So, I want to preserve a specific session variable after the user logs out. Like this:
// Save the session variable
$foo = $_SESSION["foo"];
// Terminate the session
//----------------------------------------------
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), "", time() - 3600,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
session_regenerate_id();
//----------------------------------------------
// Restart the session
session_start();
// Store the variable in the session
$_SESSION["foo"] = $foo;
// Redirect the user to the same page, this time unauthenticated
header("Location: " . $_SERVER["REQUEST_URI"]);
But it doesn't seem to be properly stored, because after the redirect, $_SESSION["foo"] is null.
Can anyone help me with this? Am I doing something 'illegal' here?
NOTE:
If I do var_dump($_SESSION["foo"]) right before the redirection, it does return the variable.
I always call session_start() before I retrieve $_SESSION["foo"], of course.
Also, and I don't know if this has something to do, but $foo is an object, so I'm doing $foo = unserialize($_SESSION["foo"]) and $_SESSION["foo"] = serialize($foo);.
Depending on the PHP version you use maybe this could explain the problem https://bugs.php.net/bug.php?id=38042.
Session destroy followed by session start appears to no longer start a new session. The attached code works on 5.1.2 but fails on 5.1.4.
Maybe other versions may be affected as well.
This post also describes the behavior you are encountering:
preserving a session variable after session_destroy()
A possible workaround for you may be to pass the $foo variable to your next script as a $_GET argument in the location header like this:
header("Location: " . $_SERVER["REQUEST_URI"] . "?foo=" . $foo);
Related
!!!! I know this has been asked a zillion times but I tried everything, it just does not work so don't discard the question please
when logging from one user to the other, sessions are not discarded at all and former user data are displayed
I have to CTRL+F5 the navigator to have the correct new logged user data
I tried :
problematically I replace everything in the session variable with fresh new data from the new logged user (from DB), but some fields are still remains of the previous user...this makes no sense at all
$_SESSION = array();
unset($_SESSION["end_user_session"]);
$session=$endUser; // from DB !!!!
$session["sessionID"]=session_id();
$_SESSION["end_user_session"] = $session;
on logout, I do this and it should destroy the session values, yet they are still there:
$_SESSION = array();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
$_SESSION = array();
this has driven me nuts for more than 2 years now
we have the issue in wamp, and on our linux preprod/prod
please help, let me know if you need more infos
You have probably tried this (it's in the PHP manual), but just in case:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
I now store everything in db, not using php sessions anymore
problem solved
I have 2 different session id's on 5 different php pages in the same directory on the same host.
I call session_start(); right after the php-tag on top of every page
I converted all the pages to utf-8 without DOM
I set all file permissions to 644
I tried clearing my browser cache
I tried clearing the sessions using the script below
session_start();
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_unset();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
To no avail.
How do I fix this bug?
If you use unset($_SESSION); that should remove all current sessions I believe.
Then, to set a global session you just do
$_SESSION['user_id'] = "0001";
And then call it by using $_SESSION['user_id'].
Make sure, like you do in the demo above, that you have session_start(); at the top of pages you want to call session variables on.
That might not be the most up to date way, but that's how I've been doing it - just with the unset being assigned to each part of the session array instead of the whole thing.
I'm aware there is an identical question here, but the accepted answer says it is a bug with a patch, yet the link says otherwise. The link says it is intended behaviour and not a bug.
The other answers in the question are exactly what I tried to do.
$variableToPreserve = $_SESSION['foo'];
session_destroy();
session_start();
// At this point in the debugger, all previous session variables are still
// in the session anyway, making me think the session has not been destroyed yet.
$_SESSION['foo'] = $variableToPreserve;
Next request:
session_start();
// This line errors as 'foo' is not in the session.
$var = $_SESSION['foo'];
My only guess is that the session does not actually get destroyed until after that request has completed. The only way I can get it to preserve is by keeping all the session variables but really I need to destroy the session and only have 'foo' set.
Sessions are handled via cookies - so (I guess) this should be the expected behaviour.
You could unset all values in the session variable manually:
foreach ($_SESSION as $k => $v) {
    unset($_SESSION[$k]);
}
instead of calling:
session_destroy();
session_start();
This would effectively clear the session for you.
I checked out the code for you, and this is the behavior that I see.
session_start();
$_SESSION['foo'] = 1;
$variableToPreserve = $_SESSION['foo'];
session_destroy();
session_start();
// At this point, the session variable is indeed destroyed, as is evident from the error that the next line throws.
echo $_SESSION['foo'];
$_SESSION['foo'] = $variableToPreserve;
echo $_SESSION['foo'];
// The above line echoes 1
Your code for session destroy is not like the one provided by the PHP Manual, for example:
http://php.net/manual/en/function.session-destroy.php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
YOU CAN TEST A DEMO: http://phpfiddle.org/lite/code/2vi-r9a
I am having an issue with the session variables.
I am having a simple signup php page that uses ajax calls to verify username and email address if they already exist. It also has an ajax image uploader that gives a preview of the selected image.
Now this is how I am setting the session variable :-
session_start();
session_unset();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
session_start();
$_SESSION['avurl'] = $filename;
$filename is valid as it is echoed in the above code just after this snippet.
In the page where I need to use this session variable I have this :-
session_start();
$av_url = $_SESSION['avurl'];
Now the weird thing is that whenever this runs the first time the session variable doesn't have any value. But the second time it works.
How I came to check this is that I created a test.php which just echos $_SESSION['avurl'] and the first time it never shows anything but the second time it does.
What I figured out from this is that once it echoes this session variable it starts working to store the value.
And all that code that I am using to set that variable is edited from just :-
session_start();
$_SESSION['avurl'] = $filename;
to that as this also didn't work and I thought that this could be a problem with already existing sessions.
Thank you
Hope this is enough information for solving my problem !!
session_start();
session_unset();
This code deletes your session... Why are you doing this?
I am at a total loss for words.
I allow an admin to reset their registration if reaching an error during the process. In theory, the following code should function like this:
page is reached, $adminvalidated is set based on session data. The $_SESSION array is cleared; the cookie is cleared on the consumer end; the session id is regenerated and the session is destroyed. Then the session is restarted and the previously mentioned variable is put back into Session.
the "echo" statements included below work but when I redirect to another page (commented out below), the session variables DO NOT carry over.
Yes I have started the session on the follow up page as well.
<?php
session_start();
ob_start();
if( $_SERVER['SERVER_PORT'] == 80) {
    header('Location:https://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
    die();
}
$adminvalidated = $_SESSION['ADMINVALIDATED'];
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_regenerate_id(true);
session_destroy();
session_start();
$_SESSION['ADMINVALIDATED'] = $adminvalidated;
echo $_SESSION['ADMINVALIDATED'];
/*
header("Location: ../a.php");
exit;*/
?>
In general it suffices to call session_regenerate_id(true) to change the session ID of the current session and invalidate the association with the previous session ID.
If you additionally want to clear any session data except $_SESSION['ADMINVALIDATED'], just do this:
session_regenerate_id(true);
$_SESSION = array(
    'ADMINVALIDATED' => $_SESSION['ADMINVALIDATED']
);
From the manual page of session_start:
As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.
Just clear your session with session_unset, regenerate the session id and then reset your admin var. No need to destroy then restart the session.
I'm really not sure why you're going through all of these steps. session_regenerate_id() is enough on its own to regenerate the session token and the associated cookie. The function creates a new session token and creates a new session cookie for you while preserving the values you have in the current session. Since setting a new cookie with the same name overwrites an old one isn't simply calling session_regenerate_id() enough?
Feel free to clarify things if I've missed something.
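Added example, not code from any of the posts above: one way to drop everything in the session except an allow-list of keys (the "foo" and ADMINVALIDATED cases asked about on this page) while issuing a new session ID, so the pre-logout ID can no longer be used. The function name reset_session_keeping() and the redirect target /index.php are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of PHP or of the posts above).
 * Rotates the session ID and keeps only the allow-listed keys.
 * Returns the keys that were actually carried over.
 */
function reset_session_keeping(array $keepKeys): array
{
    // Must run before any output: the new session cookie is sent as a header.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Copy only the allow-listed values; keys that are absent are skipped,
    // so nothing from the old login survives by accident.
    $kept = array_intersect_key($_SESSION, array_flip($keepKeys));

    // New ID for this session; `true` deletes the old ID's stored data, so
    // a copy of the old cookie value no longer maps to anything.
    // No session_destroy() and no manual cookie expiry are used here.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not regenerate the session ID');
    }

    // Replace the whole array instead of unsetting keys one by one.
    $_SESSION = $kept;

    // Flush to storage now, so the request that follows the redirect
    // reads the data written under the new ID.
    session_write_close();

    return array_keys($kept);
}

// Logout handler: keep "foo", drop user id, roles and everything else.
reset_session_keeping(['foo']);

// Fixed, server-chosen target (assumed path) rather than a value taken
// from the request.
header('Location: /index.php', true, 303);
exit;
```

The preserved value stays server-side in the session store and never appears in the URL or in the browser history.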