How to delete session cookies?

[scuff]

 setcookie('account', $_POST['account']); 

It seems impossible to delete this cookie! I've tried many things like:

 setcookie("account", "", time()-20000, "/", "domain.com" ); 

 setcookie("account", "", time()-20000); 

etc... could anyone tell me how to do this?

[wildteen88]

cookies cannot be deleted. You can only set invalid cookies. The browser will not send cookies which have been expired.

[scuff]

So how could I get it to not detect that cookie anymore... I'm using

 if(isset($_COOKIE['account'])) { 

to detect it.

[wildteen88]

So how could I get it to not detect that cookie anymore... I'm using

 if(isset($_COOKIE['account'])) { 

to detect it.

Yes. That is all you can do. You cannot override how browsers handle cookies. If you have set your cookie with an expired date the browser should not send the cookie on the next page request.

[scuff]

I tried to do that but it wasn't working so could somehow tell me a code that works because the ones I tried in the first post didn't work...

[alexweber15]

I was pretty sure you could just:

 

unset($_COOKIE['varname'])

 

is there something I'm missing?

 

ps - also, instead of an empty string if I'm not mistaken you can just assign the value NULL to effectively delete the cookie (not sure about this one)

 

Alex

[scuff]

I've tried those and they didn't work. I also tried them again just incase and it still didn't work.

[scuff]

bump

[PFMaBiSmAd]

Deleting a cookie or a session cookie is huge waste of effort. A cookie or a session should only identify who a visitor is. To log someone out you should depend on a value stored on your server (ideally in the user table in a database.)

[scuff]

Deleting a cookie or a session cookie is huge waste of effort. A cookie or a session should only identify who a visitor is. To log someone out you should depend on a value stored on your server (ideally in the user table in a database.)

Even if that's true I would still like to know how to do it..

[scuff]

bump

[PFMaBiSmAd]

The setcookie() section in the php manual shows how to delete a cookie.

[scuff]

I've already looked at this http://ca.php.net/manual/en/function.setcookie.php and the ways it says to do it aren't working for me

[JonL]

Instead of unset($_COOKIE['varname'])

try

unset($_SESSION['varname']);

[wildteen88]

Instead of unset($_COOKIE['varname'])

try

unset($_SESSION['varname']);

This topic is over 2 years old.

[JonL]

Old threads need answers too.

People hit these up with Search Engines all the time.

 

[PFMaBiSmAd]

Unsetting php variables has nothing to do with the question "How to delete session cookies?"

[JonL]

unset($_SESSION  removes a session cookie and seems to be exactly what this guy was looking for.

No variable is changed here.

--

You may be very experienced and insightful, but the newbie is right on this one.

[xyph]

Cookies are stored on the client side.

 

There is no way to delete a cookie via PHP unless the server is the same machine as the client.

 

You are wrong.

 

unset($_SESSION) will terminate the server's reference to the cookie, and not the cookie itself.

[gizmola]

unset($_SESSION  removes a session cookie and seems to be exactly what this guy was looking for.

No variable is changed here.

--

You may be very experienced and insightful, but the newbie is right on this one.

 

JonL,

  I know you are doing your best to try and help increase the knowledgebase.  This is one of those questions we get a lot where the OP was not clear and that's a big reason why this never seemed to get a satisfying conclusion.

 

Let's be clear about some web development related definitions.

 

cookie

A cookie is a key/value pair that is stored (or not) by the client (browser).  There are plenty of issues and gotchas in regards to cookies, specifically in how to set their expiration and the relevant domain that could explain problems the OP had.  Cookies are set by the browser when a request is sent to do so in the HTTP header.  So this requires that the setting of a cookie needs to occur before any output has been sent.  Once a cookie is set by a browser, it then sends the cookie data in the HTTP header of any subsequent requests, and php makes this cookie data available in the $_COOKIE superglobal array.  It's important to note the importance of HTTP headers in both cases.  You can't for example, set a cookie in your script and then go read it from $_COOKIE in the same script (chicken and egg).

 

session cookie

A cookie that will be automatically deleted when the browser "session" ends, or in other words, when the browser is closed.  A cookie is a "session cookie" when you don't specify an expiration when the cookie is created.  By default the php session id cookie happens to be a "session cookie" in that it does not set an expiration date, although like just about everything else with php sessions, this behavior can be modified.

 

php session

A php session is an automated serverside mechanism that will associate a bundle of data with a session id, and serializes/unserializes it for every request where sessions are invoked.  Note that a "session cookie" has nothing to do with php sessions.  The preferred way that the php session data is associated with a browser/user/client is through the setting of a cookie. 

 

php session variables

These are created by making an assignment to $_SESSION for an active session (one where session_start()) was called.  $_SESSION variables are just like any other array when a php script is executing, except for the fact that the values are serialized to disk (by default), and will be automatically unserialized and made available in the script in the $_SESSION superglobal array.

 

Given all the confusion possible, it is understandable that there are various ways to approach doing something in particular related either to cookies or to sessions. 

 

Again, while it was never clear from the question, many people need to know how to terminate a session, usually because they want a logout feature or redirect that clears things out.  PHP provides a way to do that:

 

session_start();
session_unset();
session_destroy();

 

Some people have claimed that the values in the $_SESSION superglob will live on in a script beyond the session destruction functions unless you assign it to an empty array.  I haven't had this problem myself so I can't speak to it.  Rather than unset($_SESSION) which will completely disable php session functionality in the rest of the script, you can instead do:

 

session_start();
session_unset();
session_destroy();
$_SESSION = array();

 

The PHP manual specifically advises against using unset($_SESSION) so I don't think we should endorse it.  I think it's worth going back to the original question.  Can you make the browser delete a "session cookie" as defined above?  The methods he tried did not include simply setting the cookie with an empty value:

 

setcookie('account', '');

 

Again it has to be emphasized that if I made that call in a script, I would still find $_COOKIE['account'] to have a value even though I requested that the client browser "overwrite it with nothing".  On further requests however, the value would not be there. 

 

It's also important to note that the OP never provided code that had anything to do with php sessions.  He seemed to be setting his own cookies and using them for whatever reasons, so discussion of $_SESSION is probably a complete tangent from the the original post.

 

 

[Nosbod]

Ive had a similar problem but was able to delete the session cookie with:

 

setcookie ("PHPSESSID", "", time() - 3600, "/");

 

When I had the domain set the cookie was not deleted.

[PFMaBiSmAd]

A setcookie() statement must exactly match the parameters (name, path, domain, secure, and httponly) of an existing cookie, otherwise you are actually trying to set a different cookie.

 

For the record, the only way to actually 'delete' a cookie is to physically delete the cookie file on the client computer (for cookies that were set with a non-zero expire time) or to close all instances of the browser (for a cookie that was set with a zero expire time.)

 

Once a cookie has been set, the only thing a web-server-side script or client-side javascript can do to it is to change the value or change the expire time, by setting the same cookie again with a new value or expire time. To 'delete' a cookie in this way, you are actually either setting the value to something that will cause the cookie to be 'ignored' by code using that value or to an expire time in the past so that the browser won't send the cookie to the server with the page request.

 

@Nosbod, if your session id cookie was originally set without a domain parameter, the setcookie() statement that matches that cookie would also need to have no domain parameter.

[chris2x]

I had run into the same problem deleting a cookie set in the session, 

 

instead of setcookie("account", "", time()-20000, "/", "domain.com" );

 

use

 

setcookie("account", "", time()-20000, "/", "domain.com" , false, true);