Session doesn't unset...

[darkywarkey]

I've created a user authentication session control which is working fine. The problem I'm having is when I logout a registered user, the session appears to be unset on the first load of the page but any subsequent page loads show the user that was just logged out active again. Using php 5.2.6 and the logout script is as follows...

 

<?php session_start();
unset($_SESSION['valid_user']);
session_destroy();
?>

 

Any ideas what could cause this?  ??? ???

[jonsjava]

you could always do this:

<?php session_start();
unset($_SESSION['valid_user']);
$_SESSION['valid_user'] = false;
session_destroy();
?>

I'm not sure how much good that will do, but if for any reason your session doesn't unset, it will be set to false.

[darkywarkey]

Hmm doesn't help. Seems like something else is going on. Could some sort of cookie configuration be causing the problem?

[jonsjava]

are you using sessions, or cookies?

[darkywarkey]

Just sessions, as far as I know. I haven't written any code messing with the cookies, but I'm not too familiar with cookies or the configuration settings for them, thats the only reason I suggest that could be the problem.

[jonsjava]

if you aren't setting cookies, and your site doesn't use cookies, then I don't see how cookies could be the issue.  If you are using cookies and sessions, I don't know how to help there. I don't ever deal with cookies.

[darkywarkey]

Then I'm not using them. I wasn't sure if there was something in the php.ini that could be auto setting them. Not familiar with cookies either. Any other ideas?

[jonsjava]

try this:

<?php
session_start();
session_unset();
session_destroy();
header("location:index.php");
exit();
?>

[acidglitter]

i'm not sure, but i don't think you even need to use unset(). i think session_destroy() should be enough. on all the other pages, is there a code or file being loaded with the code that sets that session variable again?

[gizmola]

Then I'm not using them. I wasn't sure if there was something in the php.ini that could be auto setting them. Not familiar with cookies either. Any other ideas?

 

By default, PHP sessions do create cookies.  This is actually a *good thing* IMNSHO.

 

Pulled directly from the PHP manual ---

 

// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>

[darkywarkey]

try this:

<?php
session_start();
session_unset();
session_destroy();
header("location:index.php");
exit();
?>

 

Didn't work...

 

No code automatically loading the session. It's user authentication, so they have to login with a username/password, which then sets the session variable.

 

After logging out and it apparently working (the script shows a login field again, which is only shown when the session variable is unset), I try clicking the home page again and it acts as if I never logged out, showing the previous users information once again.

[acidglitter]

maybe its only your browser. does it still show that if you refresh the page / or if you clear all of your cookies then refresh the page?

[darkywarkey]

maybe its only your browser. does it still show that if you refresh the page / or if you clear all of your cookies then refresh the page?

 

Yep, it still shows. Nothing suggested so far has worked. I'm still  ???

[darkywarkey]

Figured it out!

 

Weird as this is... it was the way the various pages were being linked, as in their url's. Some links I coded without the 'www.' in front of the domain name, and some were. I guess the sessions were being kept seperate between the two url variations. Good to know.

 

Guess that goes to show you should always be consistent in coding standards.

[corbin]

Cookies are set by domain, and PHP must set it so that subdomains and domains are not considered one in the same when it sets the session cookie.