Deleting old session cookie not working

[tork]

Here's my original script:

 

session_name('2010'); // to name the session

session_start(); // 2010 session starts - either found or created
 

Firebug shows the correct session cookie:

 

2010 and expiry data

 

Script changed to:

 

session_name('2013'); // to name the session

session_start(); // 2013 session should cause the 2013 session cookie to be created
setcookie(session_name('2010'), '', time()-3600, '/', '.site.com'); // old session cookie 2010 should be deleted

 

Firebug still shows the 2010 session cookie and not the 2013 session cookie:

 

2010 and expiry data - no change to expiry data or cookie name.

 

How can I delete the 2010 session cookie and create the new 2013 session cookie?

 

 

 

[tork]

And .. php.ini has the following parameters set:

 

; http://php.net/session.use-only-cookies
session.use_only_cookies = 1

 

; http://php.net/session.name
session.name = PHPSESSION

 

; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 30

[mentalist]

???

http://stackoverflow.com/questions/3989347/php-why-cant-i-get-rid-of-this-session-id-cookie

[tork]

I'm not sure what you're trying to say. If I use session_delete(), it will have to come after the session_start() and will delete the new session. The cookies are all session cookies and were not set using setcookie.

Can you explain what you mean please?

[mentalist]

The necessity to provide exactly the same parameters except time and to try using session_get_cookie_params() as in the example shown on that page...

[tork]

I wrote the following into my script, as per your reference:

 

$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
 

However, the cookies weren't deleted until I changed the php.ini parameter ; http://php.net/session.name to the session_name of the session cookie that I believe I had created it with. I was trying to delete it with the session.name PHPSESSION in php.ini.

 

Is this what you expected, mentalist?

[Ch0cu3r]

Dont use setcookie() to affect the actual session cookie.

 

If you want to rename the session cookie use session_name() before you call session_start(). If you want to stop the session call session_destroy(). You cannot delete the cookie, you can only make it invalid. If the session is destroyed any session values are also cleared.

[tork]

Thanks Ch0cu3r.

So what I've done to stop the current cookie and start a newly named one follows. Is this correct?

What actaully removes the old cookies? (I'm thinking they could accumulate to whatever max is allowed in the browser).

 

// Identify the session that needs destroyed (if it is not identified, then the default session name in php.ini will be used - eg PHPSESSION)
session_name('2011');
// Start the previous session - a new session id will be generated if the current one has expired
session_start();
// Destroy the previous session - the 'destroy' doesn't remove the cookie, but simply makes the cookie invalid, and removes all session values and stops the session
session_destroy();
// Now a new session name is given
session_name('2012');
// And the new session begins
session_start();
// Never use setcookie with session cookies
 

[objnoob]

You can use setcookie to set any cookie, including a session cookie as long as no output has already been started and sent to the browser.

To modify an existing cookie, you need to make sure you use the same cookie parameters NAME, PATH, DOMAIN, SECURE, HTTP ONLY that were used to create the cookie in the first place.

 

Using 0 as the expiration time for cookie, sets the cookie to expire when the browser windows are closed.

If you want to delete the cookie before then, you should set the cookie time to expire using a time less then current time.

 

time()-3600 will set the expiration time to an hour ago, which means the cookie is expired and will be deleted by browser on the spot.

setcookie(session_name(), '', time()-3600, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));

[tork]

I appreciate your help, guys. Now it all makes sense.