When using session_write_close() in a shutdown function at the end of my script - PHP just dies. There is no error logged, response headers (firebug), or data (even whitespace!) returned. I have full PHP error reporting on with STRICT enabled and PHP 5.2.1.
My guess is that since session_write_close() is being called after shutdown - some fatal error is being encountered that crashes PHP before it has a chance to send the output or log anything.
This only happens on the logout page where I first:
...
//If there is no session to delete (not started)
if ( ! session_id())
{
return;
}
// Get the session name
$name = session_name();
// Delete the session cookie (if exists)
if ( ! empty($_COOKIE[$name]))
{
//Get the current cookie config
$params = session_get_cookie_params();
// Delete the cookie from globals
unset($_COOKIE[$name], $_SESSION);
//Delete the cookie on the user_agent
setcookie($name, '', time()-43200, $params['path'], $params['domain'], $params['secure']);
}
// Destroy the session
session_destroy();
...
then 2) do some more stuff 3) issue a redirect and 4) finally, after the whole page is done the register_shutdown_function(); I placed earlier runs and calls session_write_close() which saves the session to the database. The end.
Since this blank response only occurs on logout I'm guessing that I'm not restarting the session properly which is causing session_write_close() to die fatally at the end of the script.
Weird. The problem seems to be the fact that I am destroying the session before I remove the cookie.
This works:
// Delete the session cookie (if exists)
if ( ! empty($_COOKIE[$name]))
{
//Get the current cookie config
$params = session_get_cookie_params();
// Delete the cookie from globals
unset($_COOKIE[$name], $_SESSION);
//Delete the cookie on the user_agent
setcookie($name, '', time()-43200, $params['path'], $params['domain'], $params['secure']);
}
// Destroy the session -----------------------------------------
session_destroy();
while this kills the page:
// Destroy the session -----------------------------------------
session_destroy();
// Delete the session cookie (if exists)
if ( ! empty($_COOKIE[$name]))
{
//Get the current cookie config
$params = session_get_cookie_params();
// Delete the cookie from globals
unset($_COOKIE[$name], $_SESSION);
//Delete the cookie on the user_agent
setcookie($name, '', time()-43200, $params['path'], $params['domain'], $params['secure']);
}
Does anyone know why?
Related
I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?
session_start();
if(isset($_SESSION['foo'])) {
unset($_SESSION['foo']);
...
}
session_destroy();
In the most simple of cases, would this be sufficient to truly terminate the session between the user and the server?
To destroy a session you should take the following steps:
delete the session data
invalidate the session ID
To do this, I’d use this:
session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIE[session_name()])) {
$params = session_get_cookie_params();
// pass the configured httponly value (the key is absent before PHP 5.2)
setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], !empty($params['httponly']));
}
session_destroy();
And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:
session_start();
if (!isset($_SESSION['CREATED'])) {
// invalidate old session data and ID
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:
if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
The PHP Manual addresses this question.
You need to kill the session and also remove the session cookie (if you are using cookies).
See this page (especially the first example):
http://us2.php.net/manual/en/function.session-destroy.php
In the one site I've made where I did use PHP sessions, I never actually destroy the session.
The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.
Hence on my site I just made sure that every page called session_start(), and then just unset() those parts of the session state that matter when the user logs off.
$_SESSION = [];
#unset($_COOKIE[session_name()]);
session_destroy();
So, I've been trying to regenerate session IDs in my page if someone logs in or logs out. I run this code:
public static function regenerateSession() {
$_SESSION = array();
session_regenerate_id( true );
return true;
}
in a script called by AJAX. I log the session vars in every step, and indeed, the session ID changes and the $_SESSION array empties. Then, on the same page, I load some new variables into $_SESSION under the new session ID, echo something, and then the script ends.
Upon success, the JavaScript that receives the echo of this PHP script redirects to another page, where I log the session vars as well. After session_start() on the new page, my logs show that the session indeed has the new ID after regeneration and the new variables I assigned after the regeneration, but also the session variables of the previous session with their previous values!
I checked my php.ini and my session.cookie_secure is commented out. I uncommented it, changed it to 0, restarted Apache, and still nothing new. Does anyone have any idea what I am doing wrong?
update 1:
I tried this code as well:
public static function regenerateSession() {
$_SESSION = array();
setcookie(session_name(), '', time() - 42000);
session_regenerate_id( true );
return true;
}
but with the same effect...
update 2
I also tried:
public static function regenerateSession() {
$_SESSION = array();
session_unset();
setcookie(session_name(), '', time() - 42000);
session_regenerate_id( true );
return true;
}
but still nothing
update 3
I also tried:
public static function regenerateSession() {
setcookie(session_name(), '', time() - 42000);
session_destroy();
$_SESSION = array();
session_start();
session_regenerate_id( true );
return true;
}
Nothing. The old values are still kept alongside the new ones.
Taking a guess, the browser sends both session cookies and PHP just merges both found sessions together?
The best way would be to set the old session cookie to a zero lifetime such that the client deletes the cookie and does not send it again.
Destroy the session if needed, but you need to do all three things if you want to remove the session completely
Remove cookie setcookie(session_name(), '', time() - 42000);
Destroy session session_destroy();
Empty session vars $_SESSION = array();
Start a new session session_start();
Also take a look at this answer to a similar question: https://stackoverflow.com/a/758825/1234469
What I am trying to do:
When a user hits the index.php page (the start of a couple pages of forms), I need any existing session to be destroyed and a new one to start. This is so that old session variables are not reused in the new process.
What I have done:
I believe this should check if a session already exists, if it does, destroy it and start a new one. (Need to use session_id() for the check)
if(session_id() == '') {
session_start();
}else{
session_destroy();
session_start();
}
The issue:
The previous session variables are still set and causing issues with the process.
Am I missing something in the way to reset all session variables?
In documentation you can read:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. session_destroy();
So you have to do the following things:
$_SESSION = array(); //empty session variable
$cookieParams = session_get_cookie_params();
setcookie(
session_name(),
'',
0,
$cookieParams['path'],
$cookieParams['domain'],
$cookieParams['secure'],
$cookieParams['httponly']
);
session_destroy(); //and now you can call your function
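The reset asked about above, together with the full teardown from the answer, as an added example that is not code from the thread; the function names `end_session` and `fresh_session` are hypothetical, and PHP 5.4 or later is assumed for `session_status()`. It relies on the fact that `session_id()` returns an empty string until `session_start()` has run, so an existing session has to be resumed before it can be cleared or destroyed.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.
// Both functions must run before any output, because they send Set-Cookie headers.

// Logout: remove the data, the server-side record and the client cookie.
function end_session()
{
    // session_destroy() needs an active session; resume it if a cookie was sent.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $_SESSION = array();            // clear the data for the rest of this request

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Path and domain must match the original cookie or the browser keeps it.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();              // delete the server-side session record
}

// Reset: discard whatever session the client presented and continue
// with an empty session under a new ID.
function fresh_session()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // resumes the old session if a cookie was sent
    }

    $_SESSION = array();            // drop the old variables
    session_regenerate_id(true);    // new ID; true deletes the old session record
    $_SESSION['CREATED'] = time();  // same flag as the CREATED check in the earlier answer
}
```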
HEY GUYS
Deleting a cookie is an easy thing to do in PHP, but the problem is that until I get out of my browser it still exists.
setcookie("PHPSESSID", false);
setcookie("PHPSESSID","",time()-31536000);
Any way to delete this cookie without needing to close the browser?!
So what do you think?!
Cookie headers are only sent as soon as the user loads a new page. So just unsetting the browser server side will not delete it on the client.
Also be aware of the domain. You should always use a fourth parameter to set a cookie for all paths on your site. If you don't do that, a cookie from a subfolder might still exist.
You can check which cookies are set using some JavaScript function or the Web Developer Toolbar for Firefox.
Properly destroy the session and set the session cookie var to expire in the past.
From the PHP.net manual on session destroy:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>