
So, I've been trying to regenerate session ids in my page when someone logs in or logs out. I run this code:

public static function regenerateSession() {
    $_SESSION = array();
    session_regenerate_id( true );
    return true;
}

in a script called by ajax. I log the session vars in every step, and indeed the session id changes and the $_SESSION array empties. Then, on the same page, I load some new variables into $_SESSION under the new session id, echo something, and the script ends. Upon success, the javascript that receives the echo of this php script redirects to another page, where I log the session vars as well. After session_start() on the new page, I see in my logs that the session indeed has the new id after regeneration and the new variables I assigned after the regeneration, but also the session variables of the previous session with their previous values!

I checked my php.ini and my session.cookie_secure is commented out. I uncommented it, changed it to 0, restarted apache, and yet nothing new. Does anyone have any idea about what I am doing wrong?

Update 1:

I tried this code as well:

public static function regenerateSession() {
    $_SESSION = array();
    setcookie(session_name(), '', time() - 42000);
    session_regenerate_id( true );
    return true;
}

but with the same effect...

Update 2:

I also tried:

public static function regenerateSession() {
    $_SESSION = array();
    session_unset();
    setcookie(session_name(), '', time() - 42000);
    session_regenerate_id( true );
    return true;
}

but still nothing.

Update 3:

I also tried:

public static function regenerateSession() {
    setcookie(session_name(), '', time() - 42000);
    session_destroy();
    $_SESSION = array();
    session_start();
    session_regenerate_id( true );
    return true;
}

Nothing. The old values are still kept alongside the new ones.

Klimid1689
    `session_regenerate_id` does exactly what the name suggests – it generates a new id for the session, nothing more. So _of course_ your previous session values are still there if you did not delete/remove them – that is what is _supposed_ to happen. The session id gets changed (to prevent attackers using a stolen one), but the session itself stays the same. If you want a completely _new_ session, then use `session_destroy`. – CBroe Dec 22 '14 at 23:36
  • @CBroe, I thought that when you pass 'true' to session_regenerate_id, it 'deletes the old associated session file'; that's why I didn't destroy the session. So what's the proper procedure to get a new session? empty session array > delete cookie > session destroy > session_regenerate_id > session start? – Klimid1689 Dec 22 '14 at 23:41
  • I don't think deleting the cookies portion of your code would be necessary, but currently I can't test it. Should just be `session_destroy>session_start` – Jhecht Dec 22 '14 at 23:42
  • @Jhecht When do I regenerate the session id? Between destroy and start, or somewhere else? – Klimid1689 Dec 22 '14 at 23:44
  • @Klimid1689, I found [This Stack Overflow Question](http://stackoverflow.com/questions/22965067/when-and-why-i-should-use-session-regenerate-id), hopefully it helps you out because it goes into way better explanations than I can right here. – Jhecht Dec 22 '14 at 23:48
  • Passing `true` deletes the session _file_ (instead of leaving that up to the garbage collector) – but it does not delete the session itself. – CBroe Dec 22 '14 at 23:59
  • Well, my problem is that the session gets deleted in the php script responding to the ajax call, and it has no elements in $_SESSION. However, when redirecting to another page, $_SESSION contains both the new and the old variables. – Klimid1689 Dec 23 '14 at 00:05
  • You mean you do this and THEN this and THEN that using ajax calls. Could it be that, due to the asynchronous ajax call, you open your session AT THE SAME TIME in different scripts in the session scope, serverside, causing either php to do some kind of mix-up serverside, or the browser clientside? See http://php.net/manual/fr/session.examples.basic.php, jpleveille at webgraphe dot com's contribution (it's about a redirection, but could the same not happen with ajax calls?). Do you have the same problem if you call your scripts sequentially, with no ajax? – fpierrat Dec 23 '14 at 00:24

1 Answer

Taking a guess: the browser sends both session cookies and PHP just merges both found sessions together?

The best way would be to set the old session cookie to a zero lifetime such that the client deletes the cookie and does not send it again.

Destroy the session if needed, but you need to do all three things if you want to remove the session completely:

  1. Remove cookie: `setcookie(session_name(), '', time() - 42000);`
  2. Destroy session: `session_destroy();`
  3. Empty session vars: `$_SESSION = array();`
  4. Start a new session: `session_start();`

Also take a look at this answer to a similar question: https://stackoverflow.com/a/758825/1234469

pgampe
  • Thank you @pgampe. I updated the code according to update 3. I don't know if this is exactly what you meant, but nothing new still :( – Klimid1689 Dec 22 '14 at 23:56
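Added example, not the asker's or the answerer's code: it separates the two operations the thread runs together. `session_regenerate_id(true)` keeps `$_SESSION` and only swaps the id (which is what you want at login against session fixation, as CBroe's comment says), while a logout needs the full teardown from pgampe's answer, with the cookie expired using the same attributes it was set with so the client really stops sending it. The user id `42` and the `action=logout` parameter are constructed for the demonstration; it assumes PHP 7.3+ for the `setcookie()` options array.

```php
<?php
declare(strict_types=1);

// Login / privilege change: new id, old file removed, data kept on purpose.
function regenerateOnLogin(int $userId): void
{
    // Keep only what the application still needs across the boundary.
    $csrf = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
    $_SESSION = [];
    session_regenerate_id(true); // true: delete the old session file now
    $_SESSION['csrf']    = $csrf;
    $_SESSION['user']    = $userId;
    $_SESSION['auth_at'] = time();
}

// Logout: nothing survives and the browser drops the cookie.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the attributes it was issued with; a cookie
        // cleared for another path or domain is a different cookie and stays.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Both must run after session_start() and before any output is sent.
session_start();
if (($_GET['action'] ?? '') === 'logout') {
    destroySession();
    session_start(); // fresh, empty session with a new id for the anonymous visitor
} else {
    regenerateOnLogin(42); // constructed user id
}
```

Run the teardown in one request that completes before any other request that opened the old session, as fpierrat's comment suggests, so a still-running script cannot write its copy of the old data back.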