19

I'm trying to correctly log out of an admin user. Here is my function:

function logout()
{
    $_SESSION = array(); // destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        // expire the session cookie with the same attributes it was set with
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy(); // remove the server-side session data
}

Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session, and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. But my code doesn't work. I hit logout, and I can just directly navigate back to the admin page. However, if I delete my cookies, the functionality is perfect. So what's wrong with the cookie deleting function here?

isherwood
Tony Stark

3 Answers

12

If you really want to cover all bases try doing:

setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();

That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set; however, the $_SESSION superglobal will be blank.

BenMorel
MANCHUCK
    In my opinion you should write `session_name()` (that equals `PHPSESSID`) in the first line. –  Nov 29 '13 at 12:58
7

Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.

Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.

Pekka
  • OK, that makes sense, but why am I still able to access the admin page directly even after I've destroyed the session?? – Tony Stark Feb 11 '10 at 02:12
  • Never mind, I think I figured it out - I didn't call session_start() on my logout page (the logout text links to a logout page which calls my above function). – Tony Stark Feb 11 '10 at 02:15
  • It would still be smart to remove the cookie, in order to increase cacheability of anonymous content with caches such as Varnish. If the browser keeps sending a cookie Varnish will not cache the response, even if you're generating the exact same response for every visitor. – Martijn Heemels Jun 30 '11 at 08:28
  • The OP's underlying concept is not flawed. He shows the textbook method of ending a login session as documented in the PHP manual. – Nilpo May 31 '16 at 07:30
  • @Nilpo indeed! Edited that bit out. – Pekka May 31 '16 at 07:49
4

Just a tip for others who are having issues expiring session cookies:

PHP - why can't I get rid of this session id cookie?

Always use session_get_cookie_params() as in the answer to the question in the link above.

bearfriend
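Pulling the three answers and the asker's own finding together (call session_start() before destroying anything, expire the cookie by session_name() with the attributes from session_get_cookie_params(), and send no-store cache headers so the browser cannot show a cached admin page), here is an added example that is not code from the question or from any answer. It assumes PHP 7.3 or later for the array form of setcookie(), a hypothetical /login.php, and a $_SESSION['admin'] flag set at login.

```php
<?php
declare(strict_types=1);

// Call on every protected page. Assumes login sets $_SESSION['admin'] = true
// (assumption: the question only says the session is marked valid).
function requireAdmin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // no-store so the browser never serves a cached admin page after logout
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    if (empty($_SESSION['admin'])) {
        header('Location: /login.php', true, 303);  // hypothetical path
        exit;
    }
}

function logout(): void
{
    // Without session_start() there is no session loaded, so session_destroy()
    // has nothing to destroy (the bug the asker found in the comments).
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    // Expire the cookie by its name (session_name(), not session_id()) using
    // the same attributes it was set with, or the browser keeps the original.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',  // PHP 7.3+ options form
        ]);
    }
    session_destroy();  // remove the server-side session record
}

// logout.php: end the session, then redirect with no-store headers.
logout();
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Location: /login.php', true, 303);
exit;
```

Put requireAdmin() at the top of admin.php; with no-store on both pages, the back button after logout re-requests the page and lands on the login redirect instead of a cached copy.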