1

There are a lot of posts about that issue, nevertheless I'm unable to fix it. I try to delete a cookie in order to log off the user in PHP and do a redirect afterwards:

    $currentCookieParams = session_get_cookie_params(); 
    session_set_cookie_params($currentCookieParams['lifetime'], '/', $currentCookieParams['domain'], $currentCookieParams['secure'], true);
    session_name("PHPAUTH");
    session_start();

    $_SESSION = array();

    if (ini_get("session.use_cookies"))
    {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
    }
    session_destroy();          

    header("Location: http://localhost/Home/Index");
    exit;

But the cookie is still there. When I disable the redirect, the cookie is deleted successfully. But with the redirect, the cookie isn't deleted anyway.

How can I ensure that the cookie is deleted with the redirect afterwards?

EDIT:

It seems my own code recreated the cookie in the next request. I want to check whether the user is still logged on and if not redirect to the login page:

        $currentCookieParams = session_get_cookie_params(); 
        session_set_cookie_params($currentCookieParams['lifetime'], '/', $currentCookieParams['domain'], $currentCookieParams['secure'], true);
        session_name("PHPAUTH");
        session_start();     

        if (!array_key_exists('angemeldet', $_SESSION) || !$_SESSION['angemeldet'])
        {
            header("Location: http://localhost/Account/LogOn");
            exit;
        }

How can I check this without recreating the cookie? Maybe a stupid question, but I'm quite confused at the moment...

tklepzig
  • Quite possibly the session cookie is being set again in the next request? – Gerry Apr 07 '13 at 11:04
  • What does the file at (I guess it's index.php) http://localhost/Home/Index look like? – bestprogrammerintheworld Apr 07 '13 at 11:38
  • localhost/Home/Index is not only one file, it is part of an MVC engine. The view of the action Index of the controller Home is rendered in the Layout page. But I tested it with a normal url and the problem still occurred. – tklepzig Apr 07 '13 at 12:01
  • @Gerry: OMG, I overlooked the obvious... It seems you're completely right. Thanks for that, I'll update my question. – tklepzig Apr 07 '13 at 12:10
  • I don't really see why you are manipulating the session cookie to check if a user's logged in? Just set and check a session variable, for example $_SESSION['is_authenticated'] ? – Gerry Apr 07 '13 at 13:57
  • I thought whenever I call session_start I must call the other stuff (session_set_cookie_params, session_name)? I refer to "*The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called*" (http://www.php.net/manual/en/function.session-set-cookie-params.php) – tklepzig Apr 07 '13 at 15:57

1 Answer

0

I think a header() function must be above any other kind of function. If I'm right and you still want your programming format like that, you could try if this code would work:

    if (ini_get("session.use_cookies"))
    {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
    }
    session_destroy();

    echo '<meta http-equiv="REFRESH" content="0;url=http://localhost/Home/Index">';
    exit;

But of course, only if you like to do it so. I'm just giving you an example, and I'm not sure if combining <meta http-equiv="REFRESH" content="0;url=http://localhost/Home/Index"> with your syntax would work.
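
One way to do the check from the question's EDIT without re-creating the cookie that Gerry's comment points at: only call session_start() when the browser actually sent the PHPAUTH cookie. This is an added example, not code from the question or the answer; the helper names resumeAuthSession, isLoggedOn and discardSession are hypothetical.

```php
<?php
// Added example. Helper names are hypothetical; the session name,
// the 'angemeldet' flag and the URL are the ones used in the question.
const AUTH_SESSION_NAME = 'PHPAUTH';

// Resume the session only if the request carries its cookie.
// Calling session_start() on a request without the cookie creates a
// brand-new session and sends a fresh Set-Cookie header, which is why
// the cookie reappeared right after the logout redirect.
function resumeAuthSession(): bool
{
    session_name(AUTH_SESSION_NAME);
    if (empty($_COOKIE[AUTH_SESSION_NAME])) {
        return false; // nothing to resume, and no cookie gets issued
    }
    $p = session_get_cookie_params();
    session_set_cookie_params($p['lifetime'], '/', $p['domain'], $p['secure'], true);
    return session_start();
}

function isLoggedOn(): bool
{
    return resumeAuthSession() && !empty($_SESSION['angemeldet']);
}

// Clean up a session that was resumed (for example from a stale cookie)
// but carries no authenticated state, so it does not linger.
function discardSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (!isLoggedOn()) {
    discardSession();
    header('Location: http://localhost/Account/LogOn');
    exit;
}
```

The login action itself still calls session_start() unconditionally, since that is the one place where issuing a new session cookie is intended.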