markkanning Posted February 12, 2007

Will someone PLEEEEEEEEEEEEZ help me with this... I've got a logout script that's trying to delete a session. It works fine in IE. However, Firefox stores the session "PHPSESSID" as a cookie, too, which I CANNOT figure out how to delete and I've applied every session/cookie-killing code to it I can possibly find! Here it is...

<?php
//***KILL SESSION - THIS WORKS FOR IE7, BUT DOESN'T KILL THE 'PHPSESSID' COOKIE IN FIREFOX
session_id('stationid');
session_start();
session_unregister('stationid');
$_SESSION = array();
session_destroy();

//***KILL SESSION 'PHPSESSID'
//***I've tried "session_id("PHPSESSID")" and "session_id($_SESSION['PHPSESSID'])" to name the session id to no avail
session_id($_SESSION['PHPSESSID']);
session_start();
setcookie ("PHPSESSID", $_SESSION['PHPSESSID'], time()-$maxlifetime, "/", "www.mydomain.com", 0);
session_unregister($_SESSION['PHPSESSID']);
unset($_SESSION['PHPSESSID']);
$_SESSION = array();
session_destroy();
setcookie ("cookieid", $userid, time()-$maxlifetime);

include ($_SERVER['DOCUMENT_ROOT'].'/layout.php');
adminHeaderRefresh();
echo "<table border=\"0\" cellpadding=\"2\" cellspacing=\"0\" align=\"center\" style=\"width:38px;margin:50px auto 0 auto;\"><tr><td><img src=\"/images/lockiconfilling.gif\"></td></tr></table>";
adminBoxSecurity();
echo "<center><h1>LOGGING OUT...</h1><br>If this page does not refresh in 3 seconds, <a href=\"/index.php\">click here</a>.</center>";
adminFooter();
exit();
?>

None of that works to kill the session/cookie "PHPSESSID" in Firefox. AAAAAAAAAARGH!!!! help me please.

Jessica Posted February 12, 2007

You don't HAVE to delete that cookie. That's just the session ID, and as long as you're not basing your sessions on the IDs, you'll be fine.

wildteen88 Posted February 12, 2007

You cannot delete cookies off of the client's computer. Also, when you destroy the session, the cookie will be invalid as it's tied to the session. If the session is invalid, so is the session id in the cookie, thus the cookie is invalid.

markkanning (Author) Posted February 12, 2007

All good points, fellows. I just had a thought in messing around with this: Is it possible that Firefox is caching the index/login page differently than IE is? I ask that because after going through the logout page in IE7, I'm successfully returned to the login page as intended. In Firefox, however, you go through the logout page and it returns you to the index page as though you're already logged-in. Is there a way to dump a cached page on logout?

The Bat Posted February 12, 2007

> You cannot delete cookies off of the client's computer.

Say what? You can, using the 'time()-[specified seconds]' parameter in the setcookie() function.

markkanning (Author) Posted February 12, 2007

wildteen88 has pointed out the obvious. If deleting cookies off a client's computer wasn't possible, then what is this for:

setcookie ("cookieid", $userid, time()-$maxlifetime);

? But this is beside the point. The point is why are Firefox and IE behaving differently in regard to this logout?

Jessica Posted February 12, 2007

Because they are different browsers.

session_id('stationid');
session_start();
session_unregister('stationid');

Are you using code like this in the rest of your site? Try never setting a session id, and don't use session_register, etc. Just use $_SESSION.

You can also use these header commands:

header('Pragma: no-cache');
header('Cache-Control: no-cache, must-revalidate, max-age=0');
header('Expires: 0');

markkanning (Author) Posted February 12, 2007

I've actually seen session_unregister and session_id used in a number of login/logout examples all over the web. Why should one NOT use them?

Jessica Posted February 12, 2007

Read the page on php.net/session_unregister

From the manual: php.net/session_id

> Note: When using session cookies, specifying an id for session_id() will always send a new cookie when session_start() is called, regardless if the current session id is identical to the one being set.

They're older ways of using sessions, which may still work for some things, but should be avoided, like using register_globals.

"Use of $_SESSION (or $HTTP_SESSION_VARS with PHP 4.0.6 or less) is recommended for improved security and code readability. With $_SESSION, there is no need to use the session_register(), session_unregister(), session_is_registered() functions. Session variables are accessible like any other variables."

markkanning (Author) Posted February 12, 2007

jesirose, much obliged! I'll try just using $_SESSION. And I'm also in the middle of attaching the meta info you suggested, just in case.

wildteen88 Posted February 13, 2007

> wildteen88 has pointed out the obvious. If deleting cookies off a client's computer wasn't possible, then what is this for: setcookie ("cookieid", $userid, time()-$maxlifetime); ? But this is beside the point. The point is why are Firefox and IE behaving differently in regard to this logout?

It doesn't delete it, but makes the cookie invalid. The cookie is still there on the client's system. But the browser just ignores it. In order to delete it the client must do it themselves.
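
Added example, not part of any post in this thread: a logout handler that applies the advice given above (plain $_SESSION, no forced session_id(), no-cache headers) and expires the session cookie with the same name, path and domain it was set with. The /index.php redirect target comes from the original post; the rest is an assumption about a default PHP session setup.

```php
<?php
// Added example (not from the thread): logout that clears server-side
// session data, expires the session cookie, and blocks cached pages.

// Attach to the visitor's existing session. Do not call session_id()
// with a fixed value first: that would open a different session.
session_start();

// 1. Drop all session variables.
$_SESSION = array();

// 2. Ask the browser to discard the session cookie. Name, path and domain
//    must match the values used when the cookie was issued; otherwise the
//    browser treats this as a different cookie and keeps the old one.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),      // "PHPSESSID" unless session.name was changed
        '',                  // empty value
        time() - 42000,      // expiry in the past
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Remove the session data on the server, so the old ID is worthless
//    even if a browser (or anyone who captured it) sends it again.
session_destroy();

// 4. Keep the browser from redisplaying a cached "logged in" page.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: 0');

// Back to the login page named in the original post.
header('Location: /index.php');
exit;
```

Pages behind the login need the same cache headers and should check $_SESSION on every request; headers sent only on the logout page do not evict copies the browser has already cached.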