I'm trying to correctly log out of an admin user. Here is my function:
function logout()
{
$_SESSION = array(); //destroy all of the session variables
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
}
Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session, and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. but my code doesn't work. i hit logout, and i can just directly navigate back to the admin page. however, if i delete my cookies, the functionality is perfect. so what's wrong with the cookie deleting function here?
If you really want to cover all bases try doing:
setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();
That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set however the $_SESSION super will be blank
Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.
Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.
Just a tip for others who are having issues expiring session cookies:
PHP - why can't I get rid of this session id cookie?
Always use session_get_cookie_params() as in the answer to the question in the link above.
Related
Though this question has multiple duplicates i could not find proper solution for me.
Need Some help.
I have used ini_set('session.cookie_lifetime', 0); in my configuration file.
But it is not helping me to destroy session on browser close.
Application current flow:
1) In authentication page if user is valid, generate new session identifier using session_regenerate_id(true);
2) Control goes to welcome.php where i start new session using session_start();
3) in logout page code is
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
This might help you,
session_set_cookie_params(0);
session_start();
Your session cookie will be destroyed... so your session will be good until the browser is open. please view http://www.php.net//manual/en/function.session-set-cookie-params.php this may help you.
Use a keep alive.
On login:
session_start();
$_SESSION['last_action'] = time();
An ajax call every few (eg 20) seconds:
windows.setInterval(keepAliveCall, 20000);
Server side keepalive.php:
session_start();
$_SESSION['last_action'] = time();
On every other action:
session_start();
if ($_SESSION['last_action'] < time() - 30 /* be a little tolerant here */) {
// destroy the session and quit
}
The best way is to close the session is: if there is no response for that session after particular interval of time. then close. Please see this post and I hope it will resolve the issue. "How to change the session timeout in PHP?"
There are different ways to do this, but the server can't detect when de browser gets closed so destroying it then is hard.
timeout session.
Either create a new session with the current time or add a time variable to the current session. and then check it when you start up or perform an action to see if the session has to be removed.
session_start();
$_SESSION["timeout"] = time();
//if 100 seconds have passed since creating session delete it.
if(time() - $_SESSION["timeout"] > 100){
unset($_SESSION["timeout"];
}
ajax
Make javascript perform an ajax call that will delete the session, with onbeforeunload() a javascript function that calls a final action when the user leaves the page. For some reason this doesnt always work though.
delete it on startup.
If you always want the user to see the login page on startup after the page has been closed you can just delete the session on startup.
<? php
session_start();
unset($_SESSION["session"]);
and there probably are some more.
There's one more "hack" by using HTTP Referer (we asume that browser window was closed current referer's domain name and curent page's domain name do not match):
session_start();
$_SESSION['somevariable'] = 'somevalue';
if(parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST) != $_SERVER["SERVER_NAME"]){
session_destroy();
}
This also has some drawbacks, but it helped me few times.
You can do it using JavaScript by triggering an ajax request to server to destroy the session on onbeforeunload event fired when we closes the browse tab or window or browser.
Use the following code to destroy the session:
<?php
session_start();
unset($_SESSION['sessionvariable']);
header("Location:index.php");
?>
If you want to change the session id on each log in, make sure to use session_regenerate_id(true) during the log in process.
<?php
session_start();
session_regenerate_id(true);
?>
If you close your browser your session is lost.
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
ini_set('session.cookie_lifetime', 176400); // for 48 hours
ini_set('session.gc_maxlifetime', 176400); // for 48 hours
session_start();
If you are confused what to do, just refer to the manual of session_destroy() function:
http://php.net/manual/en/function.session-destroy.php
There you can find some more features of session_destroy().
I am working on a PHP project where in I need to clear the seesion on click browser close.
My project :
Index.php -> userdata.php -> reports.php ->finalreport.html
is it possible to handle session destroy?
I need to clear session , whenever user exits browser while they are in any page.
Please let me know how can we handle this.
the session is destroyed when the user closes the browser**. if you want to destroy it as soon as the user unloads the page, you could add a handler to the page unload event (something like jquery unload) and do a ajax request to a script that just clears the session.
EDIT: per OP's request, i'll add specific code.
1) in all pages (Index.php, userdata.php, reports.php, finalreport.html) add this javascript code
$(window).unload(function() {
$.get('session_destroyer.php');
});
2) in session_destroyer.php use this code (taken from php.net)
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
hope this helps
** NOTE: as one commenter noted, this assumes you're using cookie-based sessions (which is the default in PHP, i think)
i have this file
secure.php
session_start();
if(empty($_SESSION['u_name'])) {
header("Location:emprego.php");
}
if(isset($_GET['logout'])) {
session_destroy();
header("Location:emprego.php");
}
$name = $_SESSION['u_name'];
?>
<li><?php echo "<a href='emprego.php?logout' id='D'>Logout</a>";?></li>
basically, if i do logout, i will be redirected to emprego.php. But if i click in back page button (arrow in browser), i can view the same page (secure.php).
my question is, why?
thanks
http://nl2.php.net/manual/en/function.session-destroy.php
Take a look at example 1 here. It clearly states that you have to clear $_SESSION as well.
if(isset($_GET['logout'])) {
unset($_SESSION['u_name']); //makes it non-existent (it does unset) that variable
session_destroy();
header("Location:emprego.php");
}
Your browser keeps a copy of the page in cache. When you click the back button, you are seeing the local cached copy, not the current page from the server. If your security is set up properly, you will not be able to do anything meaningful from that cached page.
It is for this reason that secure websites (bank sites, for example) tell you to log off and clear your cache (or close the browser) after you log out.
If you're using session cookies, also try expiring the session cookie explicitly, like this:
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
Also, going back in the browser only loads a cached copy of the page. If you tried interacting with the cached page to fetch a new page from the server, you shouldn't be able to proceed.
I recently found header_remove(); http://php.net/manual/en/function.header-remove.php
Caution: This function will remove all headers set by PHP, including cookies, session and the X-Powered-By headers.
Not sure whether this is the appropriate way to do it, but it's pretty effective for log out functionality.
All the other solutions didn't seem to work for me. However, this workaround did the trick. Basically, the code below keeps calling the logout until the logout finally succeeds:
if (isset($_GET["logout"])){
if (isset($_SESSION["username"])) {
unset($_SESSION["username"]);
session_destroy();
header("Location:/?logout=true");
exit;
}
header("Location:/");
exit;
}
I am at a total loss for words.
I allow an admin to reset their registration if reaching an error during the process. In theory, the following code should function like this:
page is reached, $adminvalidated is set based on session data. The $_SESSION array is cleared; the cookie is cleared on the consumer end; the session id is regnerated and the session is destroyed. Then the session is restarted and the previously mentioned variable is put back into Session.
the "echo" statements included below work but when I redirect to another page (commented out below), the session variables DO NOT carry over.
Yes I have started the session on the follow up page as well.
<?php
session_start();
ob_start();
if( $_SERVER['SERVER_PORT'] == 80) {
header('Location:https://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
die();
}
$adminvalidated = $_SESSION['ADMINVALIDATED'];
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_regenerate_id(true);
session_destroy();
session_start();
$_SESSION['ADMINVALIDATED'] = $adminvalidated;
echo $_SESSION['ADMINVALIDATED'];
/*
header("Location: ../a.php");
exit;*/
?>
In general it suffices to call session_regenerate_id(true) to change the session ID of the current session and invalidate the association with the previous session ID.
If you additionally want to clear any session data except $_SESSION['ADMINVALIDATED'], just do this:
session_regenerate_id(true);
$_SESSION = array(
'ADMINVALIDATED' => $_SESSION['ADMINVALIDATED']
);
From the manual page of session_start:
As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.
Just clear your session with session_unset, regenerate the session id and then reset your admin var. No need to destroy then restart the session.
I'm really not sure why you're going through all of these steps. session_regenerate_id() is enough on it's own to regenerate the session token and the associated cookie. The function creates a new session token and creates a new session cookie for you while preserving the values you have in the current session. Since setting a new cookie with the same name overwrites an old one isn't simply calling session_regenerate_id() enough?
Feel free to clarify things if I've missed something.
HEY GUYS
deleting cookie is a easy thing to do in php but problem is untill i get out of my browser it still exists
setcookie("PHPSESSID", false);
setcookie("PHPSESSID","",time()-31536000);
any way to delete this cookie whithout need of closing the browser ?!
so what do u think ?!
Cookie headers are only sent as soon as the user laods a new page. So just unsetting the browser server side will not delete it on the client.
Also be aware of the domain. You should always use a fourth parameter to set a cookie for all paths on your site. If you don't do that, a cookie from a subfolder might still exists.
You can check with cookies are set using some JavaScript function or the Web Developer Toolbar for Firefox.
Properly destroy the session and set the session cookie var to expire in the past.
From the PHP.net manual on session destroy:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>