
Correctly Destroy


hackalive


Well, when I log out the cookie should delete - it is currently not deleting no matter all the code I try (above).

 

 

@PFMaBiSmAd

If you can provide a link to a script/tutorial for the correct login/logout procedure you outlined before that uses db & sessions/cookies I am more than willing to chuck my code out and use yours.

(As a side note what do you think of this http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/)


cookie should delete

 

Why would you need to do that? Deleting the session variable that your code uses to indicate the logged in state is enough.

 

Also, php cannot actually delete a cookie. All you are actually doing is setting the cookie's expire time in the past so that the browser no longer sends it to the server with the page request. The cookie is still present on the client's computer. The only actual way of deleting a cookie is to delete the cookie file by going to the computer and using the browser or the file system to delete it.

 

To 'delete' a cookie you must use the same name, path, domain, secure, and httponly parameters in the setcookie() statement that were used when the cookie was created. Otherwise, you are actually trying to set a different cookie.


During logoff, $_SESSION = array() will remove that variable and the user will be logged off.

logout.php

session_name('s');
session_start();
session_unset();
session_destroy();

 

 

ALSO

ini_set('display_errors',1); 
error_reporting(E_ALL);

session_name('s');
session_start();
session_unset();
session_destroy();

returns no errors - just a blank page.

 

No, it's NOT.


cookie should delete

 

Why would you need to do that? Deleting the session variable that your code uses to indicate the logged in state is enough.

 

Also, php cannot actually delete a cookie. All you are actually doing is setting the cookie's expire time in the past so that the browser no longer sends it to the server with the page request. The cookie is still present on the client's computer. The only actual way of deleting a cookie is to delete the cookie file by going to the computer and using the browser or the file system to delete it.

 

To 'delete' a cookie you must use the same name, path, domain, secure, and httponly parameters in the setcookie() statement that were used when the cookie was created. Otherwise, you are actually trying to set a different cookie.

 

Of course you're going to provide a link to a login script that matches all of this and the db stuff you discussed previously.


So you tried doing

 

$_SESSION = array();

 

in your logoff script?

 

 

 

What he was talking about is not relying on a COOKIE for determining if someone is logged in, but only using the SESSION (which is stored on your server, not in a database). You shouldn't check if the cookie is set, you should check the session. It's that simple.
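
A logout.php that puts the points made in this thread together, as an added example that is not code from any of the posters: it empties $_SESSION, expires the session cookie using the same path, domain, secure and httponly values the cookie was created with, then destroys the server-side session. The session name 's' comes from the logout.php posted above; the 'user_id' key and the login.php redirect target are assumptions.

```php
<?php
// Added example, not from the thread. 's' is the session name used in the
// posted logout.php; 'user_id' and 'login.php' are hypothetical names.

function destroy_login_session(string $name = 's'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_name($name);   // must match the name used when logging in
        session_start();
    }

    // 1. Clear the server-side data that marks the user as logged in.
    $_SESSION = [];

    // 2. Expire the session cookie. The path, domain, secure and httponly
    //    values must match the ones the cookie was created with, otherwise
    //    the browser treats this as a different cookie and keeps the old one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the session data held on the server.
    session_destroy();
}

// Protected pages decide on the session contents, never on whether a
// cookie happens to be present in the request.
function is_logged_in(): bool
{
    return session_status() === PHP_SESSION_ACTIVE
        && isset($_SESSION['user_id']);
}

destroy_login_session();
if (!is_logged_in()) {
    header('Location: login.php');
    exit;
}
```

Even if the browser keeps sending the old cookie value, the session ID it carries no longer maps to any data on the server, so the user stays logged out.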

 

 
