0

So I'm trying to log in and log out of my website while restricting access to all parts of the site when logged out. Here is how I initialize my session:

```php
session_name('my_session');
session_start();
session_save_path('/tmp');
```

I set some vars, and then I destroy my session:

```php
session_name('my_session');
session_start();
session_destroy();
session_write_close();

unset($_SESSION['var1']);
unset($_SESSION['var2']);
```

I then proceed to run session_status() on a normal page on my website:

```php
if (session_status() == PHP_SESSION_ACTIVE) {
    die('A session is still active.');
}
```

And it does indeed die saying that there is still a session open.

Now, I could understand if I had some unnamed sessions floating around, but I've restarted Apache twice and deleted the sessions file in /tmp. What else can I do to negate sessions?

NobleUplift
  • Did you unset the session cookie? All you've done in your code is destroy the server-side stuff, but the cookie will be floating around until you delete it. – Marc B Nov 25 '13 at 21:37
  • Wait a minute, why bother unset session vars if you are destroying it anyway? – Havenard Nov 25 '13 at 21:45
  • From what I read in [this answer](http://stackoverflow.com/a/6472150/904344), session variables should be unset because they might persist past the destruction. Also, how would I ensure that the session cookie is unset? – NobleUplift Nov 25 '13 at 21:51
  • According to [this answer](http://stackoverflow.com/a/2241779/904344), I shouldn't try to manually remove cookies (though I just did, no change). – NobleUplift Nov 25 '13 at 22:08

1 Answer

2

Can you try it using session_write_close because session_destroy will end the session when the script ends.

If you want to be sure that you destroy the session, you can use session_regenerate_id; this will override the current session with a new empty one.

Another common issue in my experience is if your logout page does not match the same domain cookie rule and cannot delete it from this page.

mcuadros
  • session_write_close made no change. I'll try to regenerate the id now. My login and logout code is in the same class and called in the same location. – NobleUplift Nov 25 '13 at 21:54
  • `session_regenerate_id` says it will replace the current session id with a new one, and _keep the current session information_, so I don't think that will work. – NobleUplift Nov 25 '13 at 22:01
  • session_regenerate_id(true) and maybe session_unset(), but anyway, these are fixes for another problem – mcuadros Nov 25 '13 at 22:23
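
An added example, not code from the question or the answer: a login/logout/guard trio that uses the thread's session name and save path, expires the session cookie as the first comment suggests, and gates pages on session contents rather than on `session_status()`. The function names and the `user_id` key are assumptions made for illustration.

```php
<?php
// Added example. app_session_start, app_login, app_logout, app_require_login
// and the 'user_id' key are hypothetical names, not from the thread.

function app_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started in this request
    }
    // Name and save path only take effect when set before session_start().
    session_name('my_session');
    session_save_path('/tmp');
    session_start();
}

function app_login(int $userId): void
{
    app_session_start();
    // Issue a new ID on login and delete the old session data,
    // so an ID known before authentication is no longer valid.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function app_logout(): void
{
    app_session_start();
    $_SESSION = []; // clear the data for the rest of this request

    // Expire the browser cookie with the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session data
}

function app_require_login(): void
{
    app_session_start();
    // session_status() reports whether this request has started a session,
    // so it is ACTIVE here for every visitor. Check the contents instead.
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in.');
    }
}
```

After `app_logout()` returns, `session_status()` is `PHP_SESSION_NONE` for the remainder of that request; the next request that calls `session_start()` reports `PHP_SESSION_ACTIVE` again with an empty `$_SESSION`.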