Unsetting $PHPSESSID

[erikbeam]

I've got a basic user login page where I start a session and pass on $_SESSION['sessionuser'] and $PHPSESSID to the next page.  The format I have is:

 

-login form (form.php)

 

-verify login (login.php)

     -here if login matches the database I <meta http...> redirect to /gallery/index.php

     -if login does not match I <meta http...> redirect them to wrong_id.php to login again

 

-just for testing I've got /gallery/index.php set to just:

 

[

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<?php
echo $PHPSESSID;
echo $_SESSION['sessionuser'];
?>

 

This works fine.  It shows the random string followed by the username.  And if I close the browser and reopen to login again I even get a different $PHPSESSID.  However, if I use the same browser, or open a new tab in the same browser, and try to login, I get the new username with the old $PHPSESSID.  How do I clear $PHPSESSID as part of the login process?

 

I've tried this in the login.php file:

<?php 
if(isset($PHPSESSID)) {
    session_unset();
    session_start();
  } else {
session_start();
           }
?>

 

This doesn't seem to work.  I've also tried specifically using

 

session_unset($PHPSESSID);

 

with the same results.

[deadonarrival]

That should work, rather odd.

 

Try adding unset($PHPSESSID) to your loop.

 

Also, echo $PHPSSESSID before your if block just to check it is set.

 

Edit: in addittion to session_unset - try session_destroy() and session_regenerate_id()