Closing session for good on logout


jwhite68


<?php
session_start();
include("dbconnect.php");

// track logout time in statistics if user logged in
// (isset-style checks avoid "undefined index" notices when the keys are absent)
if (!empty($_SESSION['online']) && !empty($_SESSION['LoginStatus'])) {
    // the session id comes from the client's cookie, so escape it before
    // putting it into SQL (mysql_* is the legacy extension used in this thread)
    @mysql_query("UPDATE stats_ppl_online
                  SET logout_time=now()
                  WHERE session_id='" . mysql_real_escape_string(session_id()) . "'");
}

// kill session: clear every key in the server-side session array
foreach ($_SESSION as $key => $val) {
    $_SESSION[$key] = null;
    unset($_SESSION[$key]); // here would have been the parse error.
}

// expire the session cookie on the client (timestamp 1 = 1 Jan 1970)
setcookie(session_name(), session_id(), 1, '/');

// do not unset($_SESSION) itself: that disables session registration for the
// rest of the request; assign an empty array instead
$_SESSION = array();
session_destroy();

//header("Location: goodbye.php");
echo("<script type='text/javascript'>parent.location='goodbye.php'</script>");

//exit();
?>

 

If that does not completely destroy the session, maybe you have write/delete issues on the server? Are you using a shared server?


The code that I gave you shows the session is being correctly deleted.  Try this.  Run the code segment I provided again and leave out all redirects.  When the page loads, close the browser.  Then reopen it and go back to the home page.  Does it provide you with a login screen or does it treat you as still being logged in?


Since you are on a shared server, I would highly recommend you look into

 

http://us2.php.net/manual/en/function.session-save-path.php

 

session_save_path()

 

As quoted from that page:

 

webmaster at gardenchemicals dot co dot uk

16-Sep-2004 07:59

This is an absolute must if you have an important login on a shared server. Without it, other users of the server can do the following to bypass login:

 

* Visit login page, browse through cookies and grab the session id.

* Create a PHP script on their account that grabs and sets session variables for a given session id.

* Read and change any values for that session id (for example passwords or session keys), and therefore gain access to the protected area.

 

All users on web hosting should choose a dir below the HTTP directory struct, but within their user area to store the session files.

 

Implementing this on your server would mean that you set where the session files are being stored. Create a directory on your server like /tmp/sess/ and use that for the storing of session files. This helps prevent a HUGE security leak that could happen, especially since you do not validate the username/password every time; you simply set the value of "loggedin", which means that if I am on that server, all I have to do is get the file, modify it, and I am validated for any page on your website.

 

At any rate, I would try to implement this and if all else fails for the session destroy stuff you can manually delete the session file using www.php.net/unlink

 

Shared hosting is very iffy, it sounds like they disabled permissions to delete the session data, with good reason to.

 

The code that I gave you shows the session is being correctly deleted.  Try this.  Run the code segment I provided again and leave out all redirects.  When the page loads, close the browser.  Then reopen it and go back to the home page.  Does it provide you with a login screen or does it treat you as still being logged in?

 

Closing the browser will kill the session anyways. The goal is to kill it without having to close the browser.


Closing the browser will kill the session anyways. The goal is to kill it without having to close the browser.

 

Not necessarily.  If you are using a tabbed browser and only close the tab of a site using sessions without ending the session, and then re-open the site in a new tab, your session will most likely still be active.


Closing the browser will kill the session anyways. The goal is to kill it without having to close the browser.

 

Not necessarily.  If you are using a tabbed browser and only close the tab of a site using sessions without ending the session, and then re-open the site in a new tab, your session will most likely still be active.

 

Well yeah, because closing the tab does not close the browser. As I stated, closing the browser will kill the session data. Not just a tab within the browser, but the actual browser itself.


I was able to find the solution.

 

The change is to one of the lines:

 

setcookie(session_name(), "", time() - 42000, "/", ".yourdomain.com");

 

The addition of the parameter ".yourdomain.com" fixed it (where this is actually replaced with your own domain name). Apparently you are now meant to include your domain name when dealing with cookies.

 

I found this in the following article:

http://www.searchengineforums.com/apps/searchengine.forums/action::thread/forum::coding/thread::1137559664/

 

Hope this helps others too.

 

Thanks everyone for your advice along the way.
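A logout.php that puts together the two points raised in this thread: a private session_save_path() on a shared host, and expiring the cookie with exactly the path/domain it was issued with (the ".yourdomain.com" fix above). This is an added example, not code from the thread; the directory /home/user/sessions, the goodbye.php target and the "sess_" file prefix of PHP's default files handler are assumptions.

```php
<?php
// logout.php (added example). The login page must use the SAME session_save_path()
// bootstrap, otherwise logout and login look at different session stores.
$savePath = '/home/user/sessions'; // hypothetical private dir, not served by HTTP

// Private per-account session store: on a shared host this keeps other
// accounts from reading or rewriting the sess_* files (the session_save_path() advice).
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);            // must run before session_start()
ini_set('session.use_only_cookies', '1'); // ignore session ids passed in the URL
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
session_start();
$sessionId = session_id();               // remember it: gone after session_destroy()

// 1. Clear server-side data. Do NOT unset($_SESSION) itself (that disables
//    session registration for the request); empty the array instead.
$_SESSION = array();

// 2. Expire the client cookie using the SAME path/domain/secure/httponly the
//    session cookie was set with. If any of these differ, the browser keeps the
//    original cookie and keeps sending the old session id on the next request.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// 3. Destroy the server-side session.
$destroyed = session_destroy();

// 4. Fallback for hosts where the handler is not allowed to delete the file:
//    remove it directly (the unlink() suggestion above). PHP's default files
//    handler stores each session as "sess_<id>" in the save path.
$file = rtrim($savePath, '/') . '/sess_' . $sessionId;
if (!$destroyed && is_file($file)) {
    @unlink($file);
}

header('Location: goodbye.php');
exit();
```

To verify, reload a login-protected page after logout: with the cookie expired and the file gone, the server sees a fresh session and must show the login screen, no browser restart required.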

 
