Jump to content

How to delete session cookies?


scuff

Recommended Posts

 setcookie('account', $_POST['account']); 

It seems impossible to delete this cookie! I've tried many things like:

 setcookie("account", "", time()-20000, "/", "domain.com" ); 

 setcookie("account", "", time()-20000); 

etc... could anyone tell me how to do this?

Link to comment
Share on other sites

So how could I get it to not detect that cookie anymore... I'm using

 if(isset($_COOKIE['account'])) { 

to detect it.

Yes. That is all you can do. You cannot override how browsers handle cookies. If you have set your cookie with an expired date the browser should not send the cookie on the next page request.

Link to comment
Share on other sites

Deleting a cookie or a session cookie is huge waste of effort. A cookie or a session should only identify who a visitor is. To log someone out you should depend on a value stored on your server (ideally in the user table in a database.)

Even if that's true I would still like to know how to do it..

Link to comment
Share on other sites

  • 2 years later...

unset($_SESSION  removes a session cookie and seems to be exactly what this guy was looking for.

No variable is changed here.

--

You may be very experienced and insightful, but the newbie is right on this one.

Link to comment
Share on other sites

Cookies are stored on the client side.

 

There is no way to delete a cookie via PHP unless the server is the same machine as the client.

 

You are wrong.

 

unset($_SESSION) will terminate the server's reference to the cookie, and not the cookie itself.

Link to comment
Share on other sites

unset($_SESSION  removes a session cookie and seems to be exactly what this guy was looking for.

No variable is changed here.

--

You may be very experienced and insightful, but the newbie is right on this one.

 

JonL,

  I know you are doing your best to try and help increase the knowledgebase.  This is one of those questions we get a lot where the OP was not clear and that's a big reason why this never seemed to get a satisfying conclusion.

 

Let's be clear about some web development related definitions.

 

cookie

A cookie is a key/value pair that is stored (or not) by the client (browser).  There are plenty of issues and gotchas in regards to cookies, specifically in how to set their expiration and the relevant domain that could explain problems the OP had.  Cookies are set by the browser when a request is sent to do so in the HTTP header.  So this requires that the setting of a cookie needs to occur before any output has been sent.  Once a cookie is set by a browser, it then sends the cookie data in the HTTP header of any subsequent requests, and php makes this cookie data available in the $_COOKIE superglobal array.  It's important to note the importance of HTTP headers in both cases.  You can't for example, set a cookie in your script and then go read it from $_COOKIE in the same script (chicken and egg).

 

session cookie

A cookie that will be automatically deleted when the browser "session" ends, or in other words, when the browser is closed.  A cookie is a "session cookie" when you don't specify an expiration when the cookie is created.  By default the php session id cookie happens to be a "session cookie" in that it does not set an expiration date, although like just about everything else with php sessions, this behavior can be modified.

 

php session

A php session is an automated serverside mechanism that will associate a bundle of data with a session id, and serializes/unserializes it for every request where sessions are invoked.  Note that a "session cookie" has nothing to do with php sessions.  The preferred way that the php session data is associated with a browser/user/client is through the setting of a cookie. 

 

php session variables

These are created by making an assignment to $_SESSION for an active session (one where session_start()) was called.  $_SESSION variables are just like any other array when a php script is executing, except for the fact that the values are serialized to disk (by default), and will be automatically unserialized and made available in the script in the $_SESSION superglobal array.

 

Given all the confusion possible, it is understandable that there are various ways to approach doing something in particular related either to cookies or to sessions. 

 

Again, while it was never clear from the question, many people need to know how to terminate a session, usually because they want a logout feature or redirect that clears things out.  PHP provides a way to do that:

 

session_start();
session_unset();
session_destroy();

 

Some people have claimed that the values in the $_SESSION superglob will live on in a script beyond the session destruction functions unless you assign it to an empty array.  I haven't had this problem myself so I can't speak to it.  Rather than unset($_SESSION) which will completely disable php session functionality in the rest of the script, you can instead do:

 

session_start();
session_unset();
session_destroy();
$_SESSION = array();

 

The PHP manual specifically advises against using unset($_SESSION) so I don't think we should endorse it.  I think it's worth going back to the original question.  Can you make the browser delete a "session cookie" as defined above?  The methods he tried did not include simply setting the cookie with an empty value:

 

setcookie('account', '');

 

Again it has to be emphasized that if I made that call in a script, I would still find $_COOKIE['account'] to have a value even though I requested that the client browser "overwrite it with nothing".  On further requests however, the value would not be there. 

 

It's also important to note that the OP never provided code that had anything to do with php sessions.  He seemed to be setting his own cookies and using them for whatever reasons, so discussion of $_SESSION is probably a complete tangent from the the original post.

 

 

Link to comment
Share on other sites

  • 3 weeks later...

A setcookie() statement must exactly match the parameters (name, path, domain, secure, and httponly) of an existing cookie, otherwise you are actually trying to set a different cookie.

 

For the record, the only way to actually 'delete' a cookie is to physically delete the cookie file on the client computer (for cookies that were set with a non-zero expire time) or to close all instances of the browser (for a cookie that was set with a zero expire time.)

 

Once a cookie has been set, the only thing a web-server-side script or client-side javascript can do to it is to change the value or change the expire time, by setting the same cookie again with a new value or expire time. To 'delete' a cookie in this way, you are actually either setting the value to something that will cause the cookie to be 'ignored' by code using that value or to an expire time in the past so that the browser won't send the cookie to the server with the page request.

 

@Nosbod, if your session id cookie was originally set without a domain parameter, the setcookie() statement that matches that cookie would also need to have no domain parameter.

Link to comment
Share on other sites

  • 4 years later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.