1

Good day,

I'm having some trouble with a simple login system I've been piecing together. It works flawlessly in Firefox and Chrome, but for the life of me I can't seem to end the session in IE10 on Windows 8.

Here is the code I am using for the logout. I've tried a few variations here, nothing seems to work. 

    <?
session_start(); 
include("database.php");
include("login.php");

//deletes cookies by setting the time in the past, negative to what was done while creating the cookie
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
   setcookie("cookname", "", time()-60*60*24*100, "/");
   setcookie("cookpass", "", time()-60*60*24*100, "/");
}

?>

<html>
<title>Logging Out</title>
<body>

<?

if(!$logged_in){
   echo "You are not currently logged in, logout failed. Please click <a href='http://www.website.ca/admin'>here</a> to login.";
}
else{
//Kill session variables (could use some work)
   unset($_SESSION['username']);
   unset($_SESSION['password']);
   $_SESSION = array(); // reset session array
   unset($_SESSION); //new code to unset session array 
   session_destroy();   // destroy session.

   echo "You have successfully <b>logged out</b>. You will be automatically redirected.";
   echo '<script type="text/JavaScript">setTimeout("location.href = \'http://www.website.ca/admin\';",2000);</script>';
}

?>

</body>
</html>

Here is the code I'm using to authenticate the pages, I'm putting this as the first lines in all the pages I want to password protect:

<? 
//includes
session_start(); 
include("database.php");
include("login.php");

//chcek if logged in
if (!$logged_in){
 die("You must be logged in to view this page. Click <a href='http://www.website.ca/admin'>here</a> to login.");
} else {
  }
?>

Any ideas?

I'm getting the following errors:

Warning: Unknown: open(/var/php_sessions/sess_7a91f7a2f211673ba26734a04f96586b, O_RDWR) failed: No such file or directory (2) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/php_sessions) in Unknown on line 0

Jeff
  • 13
  • 4
  • Why are you bothering with anything else other than just `session_destroy`? Why are you manually using cookies? – Jon Nov 08 '13 at 22:19
  • I tried using only session_destroy, it didn't work either. I'm not sure what you mean by manually using cookies, could you explain? – Jeff Nov 08 '13 at 22:25
  • "Didn't work" means nothing because you have not explained *how it does not work*. Manually using cookies = working with `$_COOKIE` and `setcookie`. – Jon Nov 08 '13 at 22:28
  • My apologies. When I tried the code simply using only session_destroy, it would still fail to kill the session in IE 10 on Windows 8. Works fine in IE 10 on Windows 7. I've been out of the game for awhile, haven't touched code in a few years. What do you suggest I use instead of $_COOKIE and setcookie? I'll do some reading. – Jeff Nov 08 '13 at 22:29
  • Search for "headers already sent" (about a billion hits here on SO) and make sure you develop with `display_errors` enabled. TL;DR: you are not allowed to produce *any output at all* before starting or destroying a session. – Jon Nov 08 '13 at 22:43
  • Thanks for this. I'll play around with it sometime tomorrow. Still interested in hearing more ideas. – Jeff Nov 08 '13 at 22:46
  • while authentication, always use require_once instead of include ! – Shivanshu Nov 08 '13 at 22:55
  • I added the error messages I'm getting to the original post. Still can't figure this out, works in every browser but IE10 on Windows 8. – Jeff Nov 09 '13 at 16:10
  • What strikes me is the error "failed to write session data (files)" - this is absolutely independent of the OS on the client side. – ErnestV Nov 09 '13 at 16:32
  • It's extremely bizarre. It appears to work flawlessly in all other browsers and OS'. IE10 is handling something very differently. I see what it's doing, but I can't explain it. – Jeff Nov 09 '13 at 16:36
  • http://stackoverflow.com/questions/15115917/ie10-sharing-cookies-across-subdomains-by-default This SO post seems to describe what I'm experiencing. Despite modifying the cookie in my logout script, changing its value and setting the time in the past, IE still holds onto the existing cookie. The problem is with cookies, not sessions. – Jeff Nov 09 '13 at 16:59

1 Answers1

0

Resolved the issue by adding a sixth parameter to setcookie();, Firefox, Chrome and Opera all appear to automatically set the sixth field to your domain name. IE10 doesn't do this and appears to get lost without it when trying to handle the cookie. This needs to be done when setting the cookie and when trying to modify it as well.

Broken code:

   setcookie("cookname", "", time()-60*60*24*100, "/");
   setcookie("cookpass", "", time()-60*60*24*100, "/");

Working code:

   setcookie("cookname", "", time()-60*60*24*100, "/", "YOURDOMAIN.COM");
   setcookie("cookpass", "", time()-60*60*24*100, "/", "YOURDOMAIN.COM");
Jeff
  • 13
  • 4