Correctly Destroy

[hackalive]

Hi guys,

 

I have a PHP session/cookies that I use as a login mechanism.

However it seems that:

 

session_unset();
session_destroy();

 

is not killing the sessions & cookies

 

any ideas?

 

Cheers

[silkfire]

To properly destroy a session, you do like this:

 

$_SESSION = array();

 

To properly destroy a cookie, set the cookie again but with time somewhere in the past, for example -30 days ago.

[hackalive]

I set it like this:

 

session_name('s');
session_set_cookie_params(2*7*24*60*60);

session_start();

 

So how would I destroy that?

 

Or is there any easy way to destroy ALL cookies and sessions for a domain (e.g., ".mydomain.com" - thats how I am setting them all).

[HDFilmMaker2112]

I set it like this:

 

session_name('s');
session_set_cookie_params(2*7*24*60*60);

session_start();

 

So how would I destroy that?

 

Or is there any easy way to destroy ALL cookies and sessions for a domain (e.g., ".mydomain.com" - thats how I am setting them all).

 

Did you call session_start(); before session_unset and session_destroy? If not, it doesn't have know what the values are that it should be unsetting and destroying.

 

session_start should essentially be read as, check to see if there's already a session started, if so continue it; if not, start a new one.

[hackalive]

Doing:

 

session_start();
session_unset();
session_destroy();

 

merely creates a new session named PHPSESSID and does not unset the "s" session or the one it created.

 

 

This:

session_name('s');
session_start();
session_unset();
session_destroy();

 

Stops it creating the new session I discuss above, but it still does not destroy the "s" session.

[hackalive]

This

session_name('s');
session_start();
setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();

 

OR

 

session_name('s');
session_start();
setcookie (session_id('s'), "", time() - 3600);
session_destroy();
session_write_close();

 

Does not work either

[hackalive]

This is starting to really frustrate me as nothing seems to work!

[silkfire]

Hackalive did you ever try my solutions?

[hackalive]

Doing

 

logout.php

<?php

$_SESSION = array();

 

Does not work.

 

Nor does

<?	session_name('s');
session_start();

$_SESSION = array();

[silkfire]

What browser are you using?

[hackalive]

Firefox on Mac & PC - Also Safari on Mac

 

So its clear: this is how I am setting up the session etc

<?php

        session_name('s');

session_set_cookie_params(2*7*24*60*60);

session_start();

        $_SESSION['active'] = '1';

        $_SESSION['user'] = '50';

?>

[silkfire]

Hmmmm. Because Google Chrome 19 which I'm using has a stupid functionality introduced in this version to not destroy session cookies when you close the browser.

[hackalive]

Well this cookie does not delete on exit because I have set

session_set_cookie_params(2*7*24*60*60);

 

But it seems I cant get it to delete at all - even if i dont use the above line (im talking about a log-out function kill here)

[PFMaBiSmAd]

Do you have php's error_reporting and display_errors set so that you would know if your session_start() statement is working or not? The session_start would need to be successful before you can modify or delete the corresponding session data. Also, your session_set_cookie_params settings is not setting the cookie path to anything, so the session id cookie will only match the path where it was set. You can then only access that session data in the same path where it was set at. If your log-out code is in a different path from the log-in code, you won't we able to destroy the session data. You should normally set the cookie path to '/' so that the cookie will match all paths under your domain.

 

Also, you should not care if regular/session cookies exist or not to determine if someone is logged in. You should be solely using a value on the server to determine if someone is logged in or not. Doing so will mean that you don't care if a cookie exists or not and you won't need to waste time trying to delete cookies (anyone can make a copy of a cookie and restore it after you have deleted it.)

[hackalive]

Do you have php's error_reporting and display_errors set so that you would know if your session_start() statement is working or not? The session_start would need to be successful before you can modify or delete the corresponding session data. Also, your session_set_cookie_params settings is not setting the cookie path to anything, so the session id cookie will only match the path where it was set. You can then only access that session data in the same path where it was set at. If your log-out code is in a different path from the log-in code, you won't we able to destroy the session data. You should normally set the cookie path to '/' so that the cookie will match all paths under your domain.

 

Also, you should not care if regular/session cookies exist or not to determine if someone is logged in. You should be solely using a value on the server to determine if someone is logged in or not. Doing so will mean that you don't care if a cookie exists or not and you won't need to waste time trying to delete cookies (anyone can make a copy of a cookie and restore it after you have deleted it.)

 

Can you provide a link that shows how to implement a login system based on your db-centric idea? Or can you detail out it implementation more?

[PFMaBiSmAd]

db-centric idea

 

Nothing I wrote was db-centric. Setting/clearing a server-side session variable to indicate the logged-in/logged-out state is perfectly fine for a simple log in script.

 

A more advanced log in script, with user permissions/roles, a remember-me feature, or the ability to ban users would require that you store the logged in state and permission information in your user table and query that table on each protected page to identify the user (remember-me feature) or to get the user's current state/permissions.

 

Get your current log-in/log-out script working first.

[hackalive]

okay well if you can give a link to a login script that uses the db to record if you are in or not - I am yet unable to find such a script

 

Also

 

login.php

session_name('s');
session_set_cookie_params('2*7*24*60*60','/');
session_start();
$_SESSION['active'] = '1';
$_SESSION['user'] = '50';

 

"cookies details"

Name: s

Content: .....

Domain: mydomain.com

Path: /

 

(Domain/Path: .mydomain.com/) - this one from FF on PC - above is FF on Mac

 

logout.php

session_name('s');
session_start();
session_unset();
session_destroy();

 

 

ALSO

ini_set('display_errors',1); 
error_reporting(E_ALL);

session_name('s');
session_start();
session_unset();
session_destroy();

returns no errors - just a blank page.

[hackalive]

As a note:

 

This is my PHP.INI

; The path for which the cookie is valid.

; http://php.net/session.cookie-path

session.cookie_path = /

 

; The domain for which the cookie is valid.

; http://php.net/session.cookie-domain

session.cookie_domain = .mydomain.com

[hackalive]

bump

[silkfire]

Do you want to destroy a cookie or a session? And for what purpose? User logoff?

[hackalive]

As part of the logoff process - like FB does

[silkfire]

I don't know how you initiate a logon in your system, but I simply make a $_SESSION['logged_in'] = true and always check if that variable exists to see if user is online.

 

During logoff, $_SESSION = array() will remove that variable and the user will be logged off. The session is still there but with no variables. Why would this method not work for you?

[hackalive]

I have included part of the login process above if you take a look.

[Jessica]

Not according to the code you've posted.

[hackalive]

Not according to the code you've posted.

 

Look at reply #16 - login.php

 

 

(Issue STILL not resolved).