2

I've managed to mangle my cookie string in IE so badly, it now looks like this:

"; __atuvc=4%7C7; PHPSESSID=e4db10eb5d4409ba3203a7c1d533fafd; PHPSESSID=75a04bdcf604dd607d383da774c0f72a; __utmc=51433896; __utma=51433896.100703801.1392175783.1392175783.1392178863.2; __utmb=51433896.5.10.1392178863; __utmz=51433896.1392175783.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=3%7C7"

That's the output of typing document.cookie into the IE11 developer bar.

You will notice PHPSESSID is in there twice. I want to kill it.

I've tried running this in JavaScript:

document.cookie = 'PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';

And running this in PHP:

session_start();
setcookie('PHPSESSID', '', time()-3600); 
setcookie('PHPSESSID', '', time()-3600, '/'); 
session_unset();
session_destroy();

But nothing seems to get rid of the cookie.

I'm aware I can delete the cookies manually through the browser, but a whole bunch of users have fried sessions right now, and I need a way to do it automatically.

mpen
  • What do you get if you var_dump($_COOKIE)? – sergio Feb 12 '14 at 05:26
  • `var_dump($_COOKIE)` will only output the `PHPSESSID` once because it's a key-value dict. But it's definitely in there twice, because it prevents users from logging in. It can also be seen via `$_SERVER['HTTP_COOKIE']`. – mpen Feb 12 '14 at 05:28
  • So far the only solution I've found is to ask the user to close their browser (will clear session-length cookies) or press Ctrl+Shift+Del and delete them manually. – mpen Feb 12 '14 at 06:14

1 Answer

0

When you delete a cookie, you must specify the cookie params exactly as they were when it was set. You can use the session_get_cookie_params function to get the current session cookie's params:

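// session_destroy() needs an active session
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Expire the session cookie using the same path, domain and flags it was set with
$params = session_get_cookie_params();
setcookie(
    session_name(), '', time() - 86400,
    $params['path'],
    $params['domain'],
    $params['secure'],
    $params['httponly']
);

session_destroy();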
Rezigned
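Added example (not code from the question or the answer): the browser only reports name=value pairs, so the Path and Domain of a stale duplicate cannot be read back, and one way to clear it is to expire the name under every path and domain the current page could match. The function names and the sample hostname, path and cookie values are assumptions made for this sketch; it goes beyond the answer by covering all candidate combinations rather than only the current session settings.

```javascript
// Added example. Hostname, path and cookie values used with it are constructed.

// Names that occur more than once in a document.cookie / Cookie header string.
function duplicateCookieNames(cookieString) {
  const counts = new Map();
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue; // empty fragment, e.g. a leading "; "
    const name = pair.slice(0, eq).trim();
    if (name !== '') counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Paths a cookie visible at `pathname` may have been set with: "/", "/shop", "/shop/", ...
function candidatePaths(pathname) {
  const paths = ['/'];
  let current = '';
  for (const segment of pathname.split('/').filter(Boolean)) {
    current += '/' + segment;
    paths.push(current, current + '/');
  }
  return paths;
}

// Domain attributes that can match `hostname`; null means host-only (no Domain attribute).
function candidateDomains(hostname) {
  const labels = hostname.split('.');
  const domains = [null];
  for (let i = 0; i + 1 < labels.length; i++) { // skip the bare top-level label
    domains.push('.' + labels.slice(i).join('.'));
  }
  return domains;
}

// One expiring cookie string per path/domain combination.
function expiryStrings(name, hostname, pathname) {
  const expired = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
  const out = [];
  for (const path of candidatePaths(pathname)) {
    for (const domain of candidateDomains(hostname)) {
      out.push(`${expired}; path=${path}` + (domain ? `; domain=${domain}` : ''));
    }
  }
  return out;
}

// Browser usage: expire every variant of each duplicated name.
// for (const n of duplicateCookieNames(document.cookie))
//   for (const s of expiryStrings(n, location.hostname, location.pathname)) document.cookie = s;
```

This removes every copy of the duplicated name, so the user starts a fresh session on the next request. Script cannot modify HttpOnly cookies; for those the same path and domain combinations have to be sent as expiring Set-Cookie headers from the server.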