Menu
I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:
session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.
What am I missing here?
Here's the logout function I mentioned above:
function log_out_current_user() {
// Destroy the session
if (isset($_SESSION)) {
session_destroy();
}
// Expire all of the user's cookies for this domain:
// give them a blank value and set them to expire
// in the past
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
// Explicitly unset this cookie - shouldn't be redundant,
// but it doesn't hurt to try
setcookie('PHPSESSID', '', time()-1000);
}
}
804
If you want to unset all of the values, you can just run a session_destroy() . It will unset all the values and destroy the session. But the $_SESSION array will still work in the same page after session_destroy() . Then you can simply run $_SESSION = array() to reset it's contents.
A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator). Some Web servers generate session IDs by simply incrementing static numbers.
PHP Sessions Sessions are an alternative to cookies. A session is usually a file or database record on the server side which contains the small pieces of data which the server wants to store for each user.
You can also login without Cookies only by Session Id and Time, but you have to write them both in your Database direct after Successful Login. I have in index. php something like this that will always generate a new session id based on time and the old session id if conditions are not verified.
You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:
$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
