I'm wondering if I can delete all my website's cookies when a user click on logout, because I used this as function to delete cookies but it isn't work properly:
setcookie("user",false);
Is there a way to delete one domain's cookies in PHP?
PHP setcookie()
Taken from that page, this will unset all of the cookies for your domain:
// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
http://www.php.net/manual/en/function.setcookie.php#73484
$past = time() - 3600;
foreach ( $_COOKIE as $key => $value )
{
setcookie( $key, $value, $past, '/' );
}
Even better is however to remember (or store it somewhere) which cookies are set with your application on a domain and delete all those directly.
That way you can be sure to delete all values correctly.
I agree with some of the above answers. I would just recommend replacing "time()-1000" with "1". A value of "1" means January 1st, 1970, which ensures expiration 100%. Therefore:
setcookie($name, '', 1);
setcookie($name, '', 1, '/');
The provided Answers did not solve my problem,
It did not:
Remove parent domain cookies (from a.b.c; remove b.c; cookies),
Remove cookies from a higher path other then root.
My script does, see.
<?php function unset_cookie($name)
{
$host = $_SERVER['HTTP_HOST'];
$domain = explode(':', $host)[0];
$uri = $_SERVER['REQUEST_URI'];
$uri = rtrim(explode('?', $uri)[0], '/');
if ($uri && !filter_var('file://' . $uri, FILTER_VALIDATE_URL)) {
throw new Exception('invalid uri: ' . $uri);
}
$parts = explode('/', $uri);
$cookiePath = '';
foreach ($parts as $part) {
$cookiePath = '/'.ltrim($cookiePath.'/'.$part, '//');
setcookie($name, '', 1, $cookiePath);
$_domain = $domain;
do {
setcookie($name, '', 1, $cookiePath, $_domain);
} while (strpos($_domain, '.') !== false && $_domain = substr($_domain, 1 + strpos($_domain, '.')));
}
}
It is not the most pretty/safe/optimal solution, so use this only if you do not known the cookie-path and/or cookie-domain's. Or use the idea in order to create your version.
make sure you call your setcookie function before any output happens on your site.
also, if your users are logging out, you should also delete/invalidate their session variables.
When you change the name of your Cookies, you may also want to delete all Cookies but preserve one:
if (isset($_COOKIE)) {
foreach($_COOKIE as $name => $value) {
if ($name != "preservecookie") // Name of the cookie you want to preserve
{
setcookie($name, '', 1); // Better use 1 to avoid time problems, like timezones
setcookie($name, '', 1, '/');
}
}
}
Also based on this PHP-Answer
You should be aware of various tracking tools like Google Analytics also use cookies on your domain and you don't want to delete them, if you want to have correct data in GA.
The only solution I could get working was to set the existing cookies to null. I couldn't delete the cookies from the client.
So for logging a user out I use the following:
setcookie("username", null, time()+$this->seconds, "/", $this->domain, 0);
setcookie("password", null, time()+$this->seconds, "/", $this->domain, 0);
Of course this doesn't delete ALL cookies.
All previous answers have overlooked that the setcookie could have been used with an explicit domain. Furthermore, the cookie might have been set on a higher subdomain, e.g. if you were on a foo.bar.tar.com domain, there might be a cookie set on tar.com. Therefore, you want to unset cookies for all domains that might have dropped the cookie:
$host = explode('.', $_SERVER['HTTP_HOST']);
while ($host) {
$domain = '.' . implode('.', $host);
foreach ($_COOKIE as $name => $value) {
setcookie($name, '', 1, '/', $domain);
}
array_shift($host);
}
Use the function to clear cookies:
function clearCookies($clearSession = false)
{
$past = time() - 3600;
if ($clearSession === false)
$sessionId = session_id();
foreach ($_COOKIE as $key => $value)
{
if ($clearSession !== false || $value !== $sessionId)
setcookie($key, $value, $past, '/');
}
}
If you pass true then it clears session data, otherwise session data is preserved.
I know this question is old, but this is a much easier alternative:
header_remove();
But be careful! It will erase ALL headers, including Cookies, Session, etc., as explained in the docs.
<?php
parse_str(http_build_query($_COOKIE),$arr);
foreach ($arr as $k=>$v) {
setCookie("$k","",1000,"/");
}
I had to add the following to the top answer to actually remove a few cookies that wouldn't go away:
foreach($_COOKIE as $cook) {
setcookie($cook, '', time()-1000);
setcookie($cook, '', time()-1000, '/');
}
Related
I've created a cookie expire time 60 days... But now I am not able to delete cooking. I am using this function to delete cookie. When I refresh page then cookie is again there.
function delete_cookie($key_name)
{
$expire = time() - 3600;
setcookie($key_name, '', $expire, '/');
unset($_COOKIE[$key_name]);
}
try this
function delete_cookie($key_name)
{
$expire = time() - 3600;
$dimain = $_SERVER['HTTP_HOST'];
setcookie($key_name, '', $expire, '/', $domain);
}
also you don't need unset()
Edit:
assuming that $key_name is the cookie name
I cant delete cookies ,it works sometimes (How it can be possible?) but if it begin to stick with not deleting bug it never will work again.I used mobile to see this and I cant delete cookie on mobile.
Codes look like this:
setcookie("cookie_name",$value,strtotime('+4year'),"/",null,null,true);
When I delete it I use below:
setcookie("cookie_token",'',strtotime('-4year'),"/",null,null,true);
I use also this to be sure:
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
//databaseden poza bilersen poz ele
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
session_destroy();
$session = isset($_SESSION) ? $_SESSION : '';
Have you tried to use unset function? I mean something like: unset($_COOKIE['cookieName']).
I'm trying to unset/delete/expire cookies on a logout page. However, it doesn't seem to be working. My logout script reads as follows:
require_once("database.php"); // contains session_start()
$_SESSION = array();
session_destroy();
// attempts to unset cookies go here (see below)
var_dump($_SERVER['HTTP_COOKIE']);
header("Location: ./login.php");
exit();
My three attempts to remove a specific cookie login (or all of them), are as follows:
Attempt 1:
setcookie("login", "", time() -3600, "/");
Attempt 2:
$cookies = explode(";", $_SERVER['HTTP_COOKIE']);
foreach ($cookies as $cookie) {
$parts = explode("=", $cookie);
$name = trim($parts[0]);
setcookie($name, "", time() -3600);
setcookie($name, "", time() -3600, "/");
}
Attempt 3:
unset($_COOKIE);
However my var_dump() still contains the cookies!
Also, the page you're then redirected to, login.php contains the following code:
if (isset($_COOKIE['login'])) {
echo "Still set."
}
and low-and-behold, the page displays Still set.
First of all remove all cookies from any available Cookie tools or your browser's developer tool.
Always write COOKIES as '/' with respect to entire domain of site. Path play an important role when we set/unset cookies. Use
setcookie($cookie_name, "$cookie_value", time() +3600, "/") to set and setcookie($cookie_name, "$cookie_value", time() -360000, "/") to unset COOKIES.
Further read here for about COOKIES path: http://www.w3schools.com/php/func_http_setcookie.asp
Hope it helps you
I got 3 cookies with the same name on my website.
http://clip2net.com/s/jm4CcZ
They got different paths ('/', '/call', '/call/login') and different domains ('.domain.com', 'domain.com').
Now I use several setcookie() instuctions to delete each of them.
Is there more smart way to delete them at once?
No not all at once. If you want remove the specific cookies you need to use the cookie name. If you want to unset all cookies you can use this:
// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
This is a function that is published on http://php.net/manual/en/function.setcookie.php#Hcom73484
I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:
You click a link, which sends you to a logout page
The logout page runs a function that calls session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)
The logout page then redirects to a login page, which is straight HTML.
At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.
What am I missing here?
Here's the logout function I mentioned above:
function log_out_current_user() {
// Destroy the session
if (isset($_SESSION)) {
session_destroy();
}
// Expire all of the user's cookies for this domain:
// give them a blank value and set them to expire
// in the past
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
// Explicitly unset this cookie - shouldn't be redundant,
// but it doesn't hurt to try
setcookie('PHPSESSID', '', time()-1000);
}
}
You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:
$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));