
How do I delete PHPSESSID on client computers

Tags: php, session

UPDATE ON THE PROBLEM:

  • On some browsers, we have two PHPSESSIDs.
  • One PHPSESSID is not set by me anywhere in my script
  • It has HOST (instead of DOMAIN for the PHPSESSID I set) as www.mywebsite.com
  • I have tried deleting it using setcookie: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/', 'www.mywebsite.com'); but this fails.
  • An attempt to delete cookie using: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/'); results in the PHPSESSID I set being deleted.
  • I have tried using session_name to rename the SESSION I set. This works but crashed my server several times after some minutes.
  • I am out of options.

I am working with PHP sessions on my website.

The session path was /folder, later on I changed to / to fit the new purpose.

Now, old users can't log in.

It seems they now have two PHPSESSIDs stored on their browsers - one with path /folder and the other /.

What can I do to ensure that old users can log in while ensuring that the session is sitewide with "/"?

MORE INFORMATION

When I said two phpsessionid, refer to the image

the two PHPSESSID

  1. The login works if I use

A. session_set_cookie_params(864000, '/cv', '.website.com', 0, 1);

but fails to work if I use:

B. session_set_cookie_params(864000, '/', '.website.com', 0, 1);

  • If I use Version 2A above, the session will only be available in /cv and not be available in other website folders eg. /folder.

UPDATE ON DELETING PHPSESSID WITH JAVASCRIPT

  • When I run alert(document.cookie), it shows all cookies except the PHPSESSID
  • Hence all attempts to delete the PHPSESSID cookie fail, whereas other cookies can be deleted.

UPDATE ON DELETING PHPSESSID WITH PHP

  • When I var_dump($_COOKIE['PHPSESSID']); what is returned is the value of the PHPSESSID with path /cv
  • An attempt to delete with setcookie ("PHPSESSID", "", time() - 3600); fails.
Ogugua Belonwu asked Nov 04 '15 09:11



1 Answer

I think you are mixing up things or you should go into more detail about your setup/problem.

PHP's session path is the location where session data is stored on your server, not the client. See the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.save-path

You can move these files and replace/keep in case of collisions how you see fit. This is pretty much only restricted by read/write-permissions you have when accessing/moving stuff and your webserver-user (e.g. apache or nginx) or php-user has for reading/writing them from/to the new location.

If by "PHPSESSID in their browser" you mean the session id is part of your URLs, that is a different PHP setting that should be disabled anyway; see the notice in the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid

edit based on your updated question:

There already is a nice JS-based solution for expiring the old cookie. I would go with that. If you can't just do that, you could do a redirect to /cv, have a PHP script there that reads the cookie and stores the data somewhere (a database for example, based on the user_id) and expire the cookie. Then you can redirect to the old page, look for the "/"-cookie and restore the data. It's a very ugly hack, but I don't think you can get the cookie for each path in PHP, since it's server side and based on the session id provided by the client (but I might be wrong).

dbrumann answered Sep 25 '22 12:09
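
Added example, not part of the question or the answer above: a browser keeps cookies per name, domain and path, so a stale PHPSESSID is only expired by a Set-Cookie carrying the path and domain it was set with, and because the question passes 1 as the httponly argument of session_set_cookie_params the cookie is hidden from document.cookie and has to be expired from PHP. The host www.website.com and the lists of old paths and domains are assumptions based on the values in the question.

```php
<?php
// Added example (not from the original post). Scopes are placeholders
// based on the paths and domains mentioned in the question.

/**
 * Build one expiring Set-Cookie line per (path, domain) scope, skipping the
 * scope of the live session cookie. A null domain omits the Domain attribute,
 * which is how a host-only cookie is addressed.
 */
function expire_stale_cookies(string $name, array $paths, array $domains, array $keep): array
{
    $lines = [];
    foreach ($paths as $path) {
        foreach ($domains as $domain) {
            if ([$path, $domain] === $keep) {
                continue; // never expire the cookie the site currently uses
            }
            $line = "Set-Cookie: {$name}=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT"
                  . "; Max-Age=0; Path={$path}";
            if ($domain !== null) {
                $line .= "; Domain={$domain}";
            }
            $lines[] = $line;
        }
    }
    return $lines;
}

$keep    = ['/', '.website.com'];                      // current session scope
$paths   = ['/', '/folder', '/cv'];                    // every path ever used
$domains = [null, '.website.com', 'www.website.com'];  // null = host-only

$lines = expire_stale_cookies('PHPSESSID', $paths, $domains, $keep);

if (PHP_SAPI === 'cli') {
    echo implode(PHP_EOL, $lines), PHP_EOL;            // inspect the headers offline
} else {
    foreach ($lines as $line) {
        header($line, false);                          // false: append, do not replace
    }
    session_set_cookie_params(864000, '/', '.website.com', false, true);
    session_start();
    session_regenerate_id(true);                       // fresh id under the '/' scope
}
```

The Path attribute of a Set-Cookie is not tied to the URL that sends it, so this can run at the top of the login script and still clear the cookies stored for /folder and /cv.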