Correctly Destroy


hackalive

I set it like this:

 

session_name('s');
session_set_cookie_params(2*7*24*60*60);

session_start();

 

So how would I destroy that?

 

Or is there any easy way to destroy ALL cookies and sessions for a domain (e.g., ".mydomain.com" - that's how I am setting them all).

Link to comment
Share on other sites


Did you call session_start(); before session_unset and session_destroy? If not, it doesn't know what the values are that it should be unsetting and destroying.

 

session_start should essentially be read as, check to see if there's already a session started, if so continue it; if not, start a new one.

Link to comment
Share on other sites

Doing:

 

session_start();
session_unset();
session_destroy();

 

merely creates a new session named PHPSESSID and does not unset the "s" session or the one it created.

 

 

This:

session_name('s');
session_start();
session_unset();
session_destroy();

 

Stops it creating the new session I discuss above, but it still does not destroy the "s" session.

Link to comment
Share on other sites

This

session_name('s');
session_start();
setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();

 

OR

 

session_name('s');
session_start();
setcookie (session_id('s'), "", time() - 3600);
session_destroy();
session_write_close();

 

Does not work either

Link to comment
Share on other sites

Firefox on Mac & PC - Also Safari on Mac

 

So it's clear: this is how I am setting up the session etc.

<?php
session_name('s');
session_set_cookie_params(2*7*24*60*60);
session_start();
$_SESSION['active'] = '1';
$_SESSION['user'] = '50';
?>

Link to comment
Share on other sites

Do you have PHP's error_reporting and display_errors set so that you would know if your session_start() statement is working or not? The session_start would need to be successful before you can modify or delete the corresponding session data. Also, your session_set_cookie_params setting is not setting the cookie path to anything, so the session id cookie will only match the path where it was set. You can then only access that session data in the same path where it was set. If your log-out code is in a different path from the log-in code, you won't be able to destroy the session data. You should normally set the cookie path to '/' so that the cookie will match all paths under your domain.

 

Also, you should not care if regular/session cookies exist or not to determine if someone is logged in. You should be solely using a value on the server to determine if someone is logged in or not. Doing so will mean that you don't care if a cookie exists or not and you won't need to waste time trying to delete cookies (anyone can make a copy of a cookie and restore it after you have deleted it.)

Link to comment
Share on other sites


Can you provide a link that shows how to implement a login system based on your db-centric idea? Or can you detail its implementation more?

Link to comment
Share on other sites

"db-centric idea"

 

Nothing I wrote was db-centric. Setting/clearing a server-side session variable to indicate the logged-in/logged-out state is perfectly fine for a simple log in script.

 

A more advanced log in script, with user permissions/roles, a remember-me feature, or the ability to ban users would require that you store the logged in state and permission information in your user table and query that table on each protected page to identify the user (remember-me feature) or to get the user's current state/permissions.

 

Get your current log-in/log-out script working first.

Link to comment
Share on other sites

okay well if you can give a link to a login script that uses the db to record if you are in or not - I am yet unable to find such a script

 

Also

 

login.php

session_name('s');
session_set_cookie_params('2*7*24*60*60','/');
session_start();
$_SESSION['active'] = '1';
$_SESSION['user'] = '50';

 

"cookies details"

Name: s

Content: .....

Domain: mydomain.com

Path: /

 

(Domain/Path: .mydomain.com/) - this one from FF on PC - above is FF on Mac

 

logout.php

session_name('s');
session_start();
session_unset();
session_destroy();

 

 

ALSO

ini_set('display_errors',1); 
error_reporting(E_ALL);

session_name('s');
session_start();
session_unset();
session_destroy();

returns no errors - just a blank page.

Link to comment
Share on other sites

I don't know how you initiate a logon in your system, but I simply make a $_SESSION['logged_in'] = true and always check if that variable exists to see if user is online.

 

During logoff, $_SESSION = array() will remove that variable and the user will be logged off. The session is still there but with no variables. Why would this method not work for you?

Link to comment
Share on other sites
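
A logout for the "s" session that applies the points raised in the replies above (same session name and cookie parameters on every page, cookie path '/', login state held on the server), as an added example that is not code from any poster in this thread. It assumes PHP 7.3 or later and an HTTPS site; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.3+ (options arrays).
const SESSION_COOKIE = 's';              // session name used in the thread
const COOKIE_DOMAIN  = '.mydomain.com';  // domain as given in the thread

function start_named_session(): void
{
    // Name and cookie parameters must be set before session_start(),
    // identically on every page, or PHP looks for a different cookie.
    session_name(SESSION_COOKIE);
    session_set_cookie_params([
        'lifetime' => 2 * 7 * 24 * 60 * 60, // two weeks, as an integer
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_out(): void
{
    start_named_session();      // resume the existing "s" session
    $_SESSION = [];             // clear the server-side login state

    // Expire the browser cookie. The cookie NAME is session_name(), not
    // session_id(), and path/domain must match the ones it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);

    session_destroy();          // delete the session data on the server
}

function is_logged_in(): bool
{
    // Call after start_named_session(). Only the server-side value counts;
    // a copied or restored cookie points at a session that no longer exists.
    return ($_SESSION['active'] ?? null) === '1';
}
```

On a successful login, calling session_regenerate_id(true) before setting $_SESSION['active'] gives the authenticated session a fresh id.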
