1

In my login script, if a user selects 'remember me', it sets cookies like this:

```php
setcookie("a", $valuea, time()+2595000, "/");
setcookie("b", $valueb, time()+2595000, "/");
```

and when a user (with 'remember me') selects logout, the logout.php script unsets the cookies in the following way:

```php
if (isset($_COOKIE['a']) && isset($_COOKIE['b'])) {
    setcookie("a", "", time()-2595000, "/");
    setcookie("b", "", time()-2595000, "/");
    setcookie(session_id(), "", time()-2595000, "/");
}
```

However, after logout the user is redirected to the login page, and the login page checks the user's login status with the following code:

```php
if ($_COOKIE['a']=='' || $_COOKIE['b']=='') {
    echo 'You are not logged in.';
} else {
    echo 'You are logged in with remember me.Your cookie is: '.$_COOKIE['a'].' and '.$_COOKIE['b'];
}
```

But I found that the user is not logged out and the cookies still show their values. I cannot find why setcookie is not clearing the values of cookies a and b. Any idea?

  • Unset a cookie by only passing the cookies name. `setcookie('a');` etc. – RhapX Jan 04 '15 at 06:49
  • could not understand your solution. Should I set like this: setcookie("a"); setcookie("b") ? – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 06:53
  • @AbdullahMamun-Ur-Rashid Yes, I will post an easier to read example. – RhapX Jan 04 '15 at 06:53
  • Leggendario, yes for both cookies. Values that were I set in login script $valuea and $valueb – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 06:53
  • Can you check with `var_dump(headers_list());` (at the bottom of logout.php) if the cookies are really sent? – Federkun Jan 04 '15 at 07:03
  • I just have checked and found the following with others headers: "Set-Cookie: a=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" [6]=> string(68) "Set-Cookie: b=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 07:11
  • Seems fine to me. Can you delete the cookies from your browser (manually), then log in and log out once again? – Federkun Jan 04 '15 at 07:20
  • I just have again checked and found that the header is showing deleted header twice, I don't know why: "Set-Cookie: a=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" [6]=> string(68) "Set-Cookie: b=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" [7]=> Set-Cookie: =deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"[8]=> Set-Cookie: a=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" [9]=> string(68) "Set-Cookie: b=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" and also watched peculiar deletion in between 1st and 2nd set where there is a delete with no cookie – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 07:23
  • Try to comment `setcookie(session_id() ...`. Is it possible that the request is corrupted by a cookie with no name? And if so, why setcookie accepts an empty string? – Federkun Jan 04 '15 at 07:29

4 Answers

1

You can also use a session, like this in the remember-me function:

```php
session_start();
$_SESSION['a'] = "valuea";
$_SESSION['b'] = "valueb";
```


And in the logout function:

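```php
session_start();                // resume the session so it can be destroyed
session_unset();
session_destroy();
header("Location: login.page"); // a redirect needs the "Location:" prefix
exit;
```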

And for checking in the login page:

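```php
session_start();
// Treat the user as logged out if either value is missing,
// so the else branch never reads an unset index.
if (!isset($_SESSION['a']) || !isset($_SESSION['b'])) {
    echo "You are not logged in.";
} else {
    echo "You are logged in with " . $_SESSION['a'] . ' and ' . $_SESSION['b'];
}
```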
Ikari
1

At last I found the problem. Actually, in the real code, what was happening was that I was checking $_COOKIE just after deletion in the same logout page (not after redirecting to the login page). I forgot that the cookie is sent by the browser, and if you do not go to the next page, changes in cookies will not be visible to you. So, if you try this in logout.php:

```php
// deletion of cookies
if (isset($_COOKIE['a']) && isset($_COOKIE['b'])) {
    setcookie("a", "", time()-2595000, "/");
    setcookie("b", "", time()-2595000, "/");
    setcookie(session_id(), "", time()-2595000, "/");
}

// checking the existence of cookies
if ($_COOKIE['a']=='' || $_COOKIE['b']=='') {
    echo 'You are not logged in.';
} else {
    echo 'You are logged in with remember me.Your cookie is: '.$_COOKIE['a'].' and '.$_COOKIE['b'];
}
```

Then it will give you false information. Although the cookies are deleted, you will see "You are logged in ..................." because the cookies which were received by PHP in logout.php will remain in PHP memory until the user moves to the next page. If you check the existence of those cookies on any next page, then you will see there is no cookie (those were really deleted).

My question is to all experts, is there any way to cross-check whether the cookies are really deleted in the same page after deletion?
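One way to cross-check deletion within the same request, as an added example that is not part of the original posts: it inspects the queued response headers with `headers_list()` (the check suggested in the comments) instead of `$_COOKIE`, and uses `session_name()` for the session cookie because `session_id()` returns the cookie's value, not its name. The helper names `expire_cookie()` and `cookies_marked_deleted()` are hypothetical.

```php
<?php
// Added example: expire cookies and confirm, in the same request,
// that matching deletion headers are queued for the response.

/** Expire a cookie and drop it from this request's $_COOKIE snapshot. */
function expire_cookie(string $name, string $path = '/'): void
{
    if ($name === '') {
        return; // an empty name would emit a nameless "Set-Cookie: =deleted" header
    }
    setcookie($name, '', time() - 3600, $path); // path must match the one used when setting
    unset($_COOKIE[$name]);                     // $_COOKIE only mirrors the incoming request
}

/** Names of cookies that the queued headers tell the browser to delete. */
function cookies_marked_deleted(array $headers): array
{
    $deleted = [];
    foreach ($headers as $header) {
        // PHP writes an emptied cookie as "Set-Cookie: name=deleted; expires=<past date>; ..."
        if (preg_match('/^Set-Cookie:\s*([^=;\s]+)=deleted;/i', $header, $m)) {
            $deleted[] = $m[1];
        }
    }
    return array_values(array_unique($deleted));
}

session_start();
$_SESSION = [];
expire_cookie(session_name()); // the session cookie is named by session_name()
session_destroy();

expire_cookie('a');
expire_cookie('b');

// Cross-check against what will actually be sent, not against $_COOKIE.
$confirmed = cookies_marked_deleted(headers_list());
$missing   = array_diff(['a', 'b'], $confirmed);

echo $missing === []
    ? 'Deletion headers queued for a and b.'
    : 'No deletion header for: ' . implode(', ', $missing);
```

This confirms what the response asks the browser to do; whether the browser actually dropped the cookies is only observable on the next request.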

0

To clear your cookies upon logout, set them by only passing the cookie name, no values.

Like this:

```php
setcookie('a');
setcookie('b');
setcookie(session_id());
```
RhapX
  • I don't know whether this will work or not, but everywhere I looked on the internet, all the logout scripts set setcookie with an empty value. – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 07:04
  • @AbdullahMamun-Ur-Rashid Perhaps you should give it a try and see if it works. I test all answers before posting and know it functions. – RhapX Jan 04 '15 at 07:06
  • No, it is not working (I just have tested). I think there is some miscoding in my scripts, otherwise that was the correct way to set a cookie at past time. Your way is not documented anywhere. – Abdullah Mamun-Ur- Rashid Jan 04 '15 at 07:19
  • @AbdullahMamun-Ur-Rashid I've tested it using your code, but updating the reset to my code and it works perfectly. Being that your way originally looked correct, it sounds like something is messing up in your scripts / server as you've stated. There needs to be no documentation for my way of doing it as when you pass an empty value to a cookie, it automatically unsets it. Thus, passing an empty value and a previous unix timestamp (setting it to force expire) is doing the exact same thing. Good luck. – RhapX Jan 04 '15 at 07:26
0

The right way to delete cookies is to set the expiration date to a past time and leave the value empty, as shown below. The browser will automatically delete such a cookie. This example is also discussed in "Example #2 setcookie() delete example".

Using unset($_COOKIE['a']) will not work since it will only delete the cookie value in the array, and it will appear again the next time the page is loaded. Hence the change will not affect the value in the browser.

```php
<?php
    // The path must match the one used when the cookie was set ("/" in the question).
    setcookie("a", "", time() - 3600, "/");
?>
```
Timik
  • But OP didn't ever mention he relies on unset() - he did what you suggested before asking and made pretty clear what he did in the question. -1 for not reading the question. – Pavel V. Jan 16 '15 at 07:43