Clinton, posted January 5, 2009:

Ok, when I click the logout button this gets executed and the session ends.

    // Expire the session ID cookie by giving it an expiry time in the past
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }

However, if the browser closes, or even when the computer restarts, the session still remains if I do not log out. How do I fix this? Do I have to put the setcookie on every page...???

Adam, posted January 5, 2009:

You're setting the expiry time for the "session cookie" to an unnatural amount of time (I believe that is the problem). When you use session_start(); the cookie will be automatically created. When you use session_destroy(), close the browser or make no action for x amount of time, the cookie is destroyed. You never need to use setcookie(); for a session cookie!

A

monkeytooth, posted January 5, 2009:

Matter of opinion on this, I think sessions are cleaner anyway.. little less exploitative as well I think, as everything is contained server side.. besides, if someone's got a browser set to ignore cookies then cookies won't work, it's rare nowadays as sooo many sites use cookies.. but still lol.. anywho this is just opinion so I'll leave off on that. And if you wanna set a timeout for a session you can still do that too, where if the user idles too long and then comes back, if the time has been x from the last time then boot them, then destroy the session. Can do this with PHP/Javascript (AJAX) too so it just keeps checking and does its thing regardless of naving around. But I'm lazy so I don't..

Clinton (author), posted January 5, 2009:

Well, regardless of cookie time, if a browser is closed the sessions generally kill, at least most websites I have been on. Mine's not doing that and I prefer it that way. Other than that they could stay logged in for eternity, which is fine with me, hence the unusually long time.

PFMaBiSmAd, posted January 5, 2009:

He is using a session and is attempting to delete the session id cookie.

Deleting cookies and destroying sessions... to log someone out is a waste of processing time, results in overly complicated code, and is the least secure way of logging someone out.

The simplest and most secure way of logging someone in/out is to store the logged in/out status in your user table in your database. The session should just identify who the visitor is and point to the correct row in the user table. If using a cookie to identify a visitor, generate a unique id that is stored in the cookie and in the user table (for authentication purposes don't store row/user id numbers or user names in a cookie.)

Simple, yes? This also prevents session hijacking of someone that is logged out (session hijacking of someone who is logged in is a different problem.)

Edit: A session should only be used to identify a visitor for short term log in (one browser session). A cookie should be used to identify a visitor for long term use (a remember me function).

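The approach PFMaBiSmAd describes, combined with the idle timeout monkeytooth mentions, as an added example that is not code from any poster in this thread. The users table and its columns, the function names, the cookie name 'auth', the 30-minute limit and the choice to store only a SHA-256 hash of the cookie value are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example. Schema, function names and the idle limit are assumptions.

$db = new PDO('sqlite::memory:');               // throwaway DB so the sketch runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
           logged_in INTEGER DEFAULT 0, token_hash TEXT, last_seen INTEGER)');
$db->exec("INSERT INTO users (name) VALUES ('bob')");   // constructed sample user

// Log in: flag the row and issue a random identifier for the cookie.
// The cookie never carries a row id or user name; the table keeps only a hash.
function login(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET logged_in = 1, token_hash = ?, last_seen = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time(), $userId]);
    // In a web request: setcookie('auth', $token, ['path' => '/', 'httponly' => true, 'secure' => true]);
    return $token;
}

// Log out: a server-side change, so a copied cookie value stops working too.
function logout(PDO $db, int $userId): void {
    $db->prepare('UPDATE users SET logged_in = 0, token_hash = NULL WHERE id = ?')
       ->execute([$userId]);
}

// Map a cookie value to a user row; rows idle longer than $idleLimit are logged out.
function currentUser(PDO $db, string $token, int $idleLimit = 1800, ?int $now = null): ?array {
    $now = $now ?? time();
    $st = $db->prepare('SELECT id, name, last_seen FROM users WHERE token_hash = ? AND logged_in = 1');
    $st->execute([hash('sha256', $token)]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;                             // unknown token or logged out
    }
    if ($now - (int) $user['last_seen'] > $idleLimit) {
        logout($db, (int) $user['id']);          // browser closed without logging out
        return null;
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE id = ?')->execute([$now, $user['id']]);
    return $user;
}

$token = login($db, 1);
var_dump(currentUser($db, $token) !== null);                      // active login
var_dump(currentUser($db, $token, 1800, time() + 3600) !== null); // an hour idle
$token = login($db, 1);
logout($db, 1);
var_dump(currentUser($db, $token) !== null);                      // after logout
```
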
Clinton (author), posted January 6, 2009:

So if bob logs in then I store a 'yes', for example, in a table specifically designed to indicate bob's logged in status. But again, what happens if he closes his browser without logging out? How does the db update then? I thought I was just setting sessions but my sessions weren't dying when I unset them so I used the whole cookie deal and wah-lah it works.

See http://www.phpfreaks.com/forums/index.php/topic,232287.0.html

revraz, posted January 6, 2009:

Since when is session_destroy and setcookie considered overly complicated?

> Deleting cookies and destroying sessions... to log someone out is a waste of processing time, results in overly complicated code, and is the least secure way of logging someone out.