session_destroy() and setcookie fail - php

I'm trying to log out of my page, but session_destroy and setting cookies do not work. Here's my code:
$page = $_GET["page"];
if ($page == "logout") {
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
    echo <<<html
<br /><br /><br /><p align="center"><b><font color="#000080">You've successfully logged out.</font></b></p>
<p align="right"><b><font size="3" color="#FF0000">Redirecting...</font></b></p>
html;
    echo ("<META HTTP-EQUIV=Refresh CONTENT=\"4; URL=index.php\">");
    exit ();
}
But it's not working: the session is not destroyed and the cookies remain the same. I've also tried just setting a cookie to a different value, with no success. Other parts of the code create cookies and access and use them, but in the logout part I can't destroy them. Can someone tell me what's wrong here? Should cookies and sessions be set/unset/destroyed at the beginning of the page, like session_start()? Or is something else wrong?

setcookie() must be called before your script generates any output, as it affects the headers, which are sent to the client before the actual response.
The code snippet you posted looks like you echo some stuff before the posted code is called (the output string does not contain an opening html tag). So make sure that your code is placed before any output is echoed, but after session_start() is called; then it should work.

You have to call session_start() before session_destroy() will work, as session_destroy() operates on the current session, which does not exist if you have not called session_start().

Does the page have a session_start() before session_destroy()? It needs to be.

If we don't call session_start() at the beginning of the page, we cannot have session variables to operate on in that page.

Related

Logout and header to page without cache

So, I have the following logout script (as taken from php.net):
<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header(...); // See below
?>
The website has a header that echos either a login form (when not logged in) or "Welcome, User" (when logged in).
I have tried:
header("location:http://example.com");
in my logout script, but the website header still echoes "Welcome, User" until the page is refreshed. It is seemingly loading from cache(?).
One way I have gotten around this is changing the line to:
header("location:http://example.com?a=".uniqid());
As much as this works, it looks ugly in the address bar.
Is there a way to achieve the redirect without loading from cache or changing the address bar to remove the GET variable?
EDIT: OK, so this is strange... When I have the Chrome Dev Tools open to check the header response, it works fine. As soon as I close the Dev Tools, the problem comes back. Really need some help with this, people!

destroying old session, making new, but php still refers to old session

Took me a while to track this problem down to its exact cause, but here's what seems to be happening:
I have a session. I want to completely kill my current session and start from scratch, with a brand new session, that has a blank slate.
So this is what I do:
public function unregister_session()
{
    // I COMMENTED THOSE SECTIONS THAT I WASN'T SURE WHAT THEY WERE DOING, BUT PROBLEM PERSISTS.
    //session_regenerate_id();
    //$params = session_get_cookie_params();
    // setcookie(session_name(), '', time() - 42000,
    //     $params["path"], $params["domain"],
    //     $params["secure"], $params["httponly"]);
    unset($_SESSION);
    $_SESSION = array();
    echo '<br> destroying session. old SID:' . session_id(); // echoes 'qqhu7on0n...'
    session_unset();
    session_destroy();
    echo '<br> limbo SID:' . session_id(); // echoes nothing.
    session_start();
    echo '<br> new SID:' . session_id(); // echoes 'qqhu7on0n...'
}
Alright, so what I think should happen is that I have a new session. And well, it kind of works, because everything about the previous session seems to be forgotten, at least if I look at $_SESSION.
BUT whenever I echo the session_id it still gives me the old session ID! When I write any values into $_SESSION they are not carried over to the next page; instead, on the next page $_SESSION is empty!
EDIT: I echo session_id() in multiple places in my script (going from top to bottom) and I always get the same session_id displayed. Going into Google Developer Tools and looking at my cookies, I see a different id for PHPSESSID. I see the exact id which I will see when I try to echo session_id() on the next page...
Why is this happening and what am I doing wrong?
How can I get session_id() to show me the NEW session id, not the old one?
How can I write values into the NEW $_SESSION variable, so that they are actually carried over to the next page?
EDIT - THE SOLUTION
public function unregister_session()
{
    // DUNNO IF THE COMMENTED SECTIONS MAKE A DIFFERENCE
    //$params = session_get_cookie_params();
    // setcookie(session_name(), '', time() - 42000,
    //     $params["path"], $params["domain"],
    //     $params["secure"], $params["httponly"]);
    unset($_SESSION);
    $_SESSION = array();
    echo '<br> destroying session. old SID:' . session_id(); // echoes 'qqhu7on0n...'
    session_unset();
    session_destroy();
    echo '<br> limbo SID:' . session_id(); // echoes nothing.
    session_start();
    session_regenerate_id(TRUE); // THIS DOES THE TRICK! Calling it after session_start. Dunno if TRUE makes a difference.
    echo '<br> new SID:' . session_id(); // echoes '7b2jn...' :-)
}
Check out http://php.net/manual/en/function.session-regenerate-id.php
session_regenerate_id()
Make sure you are calling session_start() on whatever page is calling that function. I would also un-comment the code for destroying the cookie. That can possibly prevent weird problems with cached data.

PHP session not registering the first time

I am having an issue with session variables.
I have a simple signup PHP page that uses AJAX calls to verify whether the username and email address already exist. It also has an AJAX image uploader that gives a preview of the selected image.
Now this is how I am setting the session variable:
session_start();
session_unset();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
session_start();
$_SESSION['avurl'] = $filename;
$filename is valid, as it is echoed in the above code just after this snippet.
In the page where I need to use this session variable I have this:
session_start();
$av_url = $_SESSION['avurl'];
Now the weird thing is that whenever this runs the first time, the session variable doesn't have any value. But the second time it works.
How I came to check this is that I created a test.php which just echoes $_SESSION['avurl'], and the first time it never shows anything, but the second time it does.
What I figured out from this is that once it echoes this session variable, it starts working and stores the value.
And all that code that I am using to set that variable was edited from just:
session_start();
$_SESSION['avurl'] = $filename;
to the above, as this also didn't work and I thought that this could be a problem with already existing sessions.
Thank you
Hope this is enough information for solving my problem!!
session_start();
session_unset();
This code deletes your session... Why are you doing this?

Unexpectedly losing session data

So, I want to preserve a specific session variable after the user logs out. Like this:
// Save the session variable
$foo = $_SESSION["foo"];
// Terminate the session
//----------------------------------------------
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), "", time() - 3600,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
session_regenerate_id();
//----------------------------------------------
// Restart the session
session_start();
// Store the variable in the session
$_SESSION["foo"] = $foo;
// Redirect the user to the same page, this time unauthenticated
header("Location: " . $_SERVER["REQUEST_URI"]);
But it doesn't seem to be properly stored, because after the redirect, $_SESSION["foo"] is null.
Can anyone help me with this? Am I doing something 'illegal' here?
NOTE:
If I do var_dump($_SESSION["foo"]) right before the redirection, it does return the variable.
I always call session_start() before I retrieve $_SESSION["foo"], of course.
Also, and I don't know if this has something to do with it, but $foo is an object, so I'm doing $foo = unserialize($_SESSION["foo"]) and $_SESSION["foo"] = serialize($foo);.
Depending on the PHP version you use, maybe this could explain the problem: https://bugs.php.net/bug.php?id=38042.
Session destroy followed by session start appears to no longer start a new session. The attached code works on 5.1.2 but fails on 5.1.4.
Maybe other versions may be affected as well.
This post also describes the behavior you are encountering:
preserving a session variable after session_destroy()
A possible workaround for you may be to pass the $foo variable to your next script as a $_GET argument in the location header like this:
header("Location: " . $_SERVER["REQUEST_URI"] . "?foo=" . $foo);
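A session reset that actually issues a new ID and carries one value across, added here as an example (it is not code from any of these posts). It addresses the "destroying old session, making new" question, the "PHP session not registering the first time" question and the "Unexpectedly losing session data" question above; the function name and the session keys are constructed.

```php
<?php
// Constructed example: start over with a new session ID and empty data,
// carrying only the listed keys across the reset.
declare(strict_types=1);

function restart_session_keeping(array $keys_to_keep): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Copy out only the keys that should survive; everything else is dropped.
    $carry = array_intersect_key($_SESSION, array_flip($keys_to_keep));

    // Do not destroy-then-start in the same request: as the posts above
    // observe, session_start() after session_destroy() picks up the ID the
    // browser sent, so the "new" session is not new. Instead, wipe the data
    // and rotate the ID of the active session; TRUE removes the old storage.
    $_SESSION = [];
    session_regenerate_id(true);

    foreach ($carry as $k => $v) {
        $_SESSION[$k] = $v;
    }
    return session_id();
}

// Usage: the login marker is gone, "foo" survives under a different ID.
session_start();
$old_id = session_id();
$_SESSION['u_name'] = 'alice';                 // constructed login state
$_SESSION['foo'] = ['theme' => 'dark'];        // the value to preserve

$new_id = restart_session_keeping(['foo']);
if ($new_id === $old_id || isset($_SESSION['u_name']) || $_SESSION['foo']['theme'] !== 'dark') {
    throw new RuntimeException('session reset did not behave as expected');
}
header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
exit;
```

PHP serializes session values itself, so an object can be stored in $_SESSION directly as long as its class is loaded on the next request; the manual serialize()/unserialize() round trip is not needed.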

session is not destroyed

I have this file:
secure.php
<?php
session_start();
if (empty($_SESSION['u_name'])) {
    header("Location:emprego.php");
}
if (isset($_GET['logout'])) {
    session_destroy();
    header("Location:emprego.php");
}
$name = $_SESSION['u_name'];
?>
<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>"; ?></li>
Basically, if I log out, I will be redirected to emprego.php. But if I click the back button (arrow in browser), I can view the same page (secure.php).
My question is, why?
Thanks
http://nl2.php.net/manual/en/function.session-destroy.php
Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.
if (isset($_GET['logout'])) {
    unset($_SESSION['u_name']); // makes that variable non-existent (it does unset it)
    session_destroy();
    header("Location:emprego.php");
}
Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.
It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.
If you're using session cookies, also try expiring the session cookie explicitly, like this:
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.
I recently found header_remove(): http://php.net/manual/en/function.header-remove.php
Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.
Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.
All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:
if (isset($_GET["logout"])) {
    if (isset($_SESSION["username"])) {
        unset($_SESSION["username"]);
        session_destroy();
        header("Location:/?logout=true");
        exit;
    }
    header("Location:/");
    exit;
}
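A combined logout handler and protected page, added here as an example rather than code from any of the posts. It covers the ordering points from the first question's answers (session_start() first, nothing echoed before setcookie() and header()) and the cache and back-button behaviour discussed in "Logout and header to page without cache" and in this last question. It assumes PHP 7.3 or later for the options-array form of setcookie(); the file names and the u_name key come from the posts, while send_no_store_headers() and logout() are constructed.

```php
<?php
// Constructed example: a login-protected page plus a logout that clears everything.
declare(strict_types=1);

// Send on every authenticated page so the browser does not serve a cached
// copy of it when the user presses Back after logging out.
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Full logout. Must run before any output, because setcookie() and header()
// both modify the response headers.
function logout(string $redirect_to): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();        // session_destroy() needs an active session
    }
    $_SESSION = [];             // drop the data held for this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie with the same attributes it was set with, otherwise
        // the browser keeps the original (options-array form needs PHP >= 7.3).
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'], 'samesite' => $p['samesite'] ?? '',
        ]);
    }
    session_destroy();          // remove the server-side session data
    header('Location: ' . $redirect_to, true, 303);
    exit;                       // nothing after a redirect should still render
}

// secure.php, from the very top of the file:
session_start();
send_no_store_headers();
if (isset($_GET['logout'])) {
    logout('emprego.php');
}
if (empty($_SESSION['u_name'])) {
    header('Location: emprego.php', true, 303);
    exit;                       // without exit, the protected HTML below is still sent
}
$name = htmlspecialchars($_SESSION['u_name'], ENT_QUOTES, 'UTF-8');
?>
<li>Welcome, <?= $name ?> <a href="secure.php?logout" id="D">Logout</a></li>
```

The no-store headers have to be sent by the protected page itself: sending them only on the logout response does nothing for a copy of secure.php the browser cached earlier.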
