0

I'm pretty confused about session management. I'm using PHP, and when the user clicks the log in button, I call session_start() as the first line in my script. The result of that is a cookie on the client called PHPSESSID with a unique value. That seems to work as I would expect.

Where I am confused is on the log out process. When the user clicks 'log out', I call session_unset(); and then session_destroy();. My expectation is that this should clear the cookie, but it doesn't. Even when I close the tab in the browser, when I come back to the site via a new tab, that old cookie is still there, along with the old session id value. This means that the session id is being reused from one session to the next (and beyond). Even when I go through the log in process again, the session id remains unchanged. This can't be correct, right?

In a somewhat desperate attempt, I tried to use this function to clear the cookie itself, but it seems to accomplish nothing:

// destroy the cookies
var cookies = document.cookie.split(";");

for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i];
    var eqPos = cookie.indexOf("=");
    var name = eqPos > -1 ? cookie.substr(0, eqPos) : cookie;
    document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
}

Am I just misunderstanding how this process works? Or am I doing something wrong (or both!). Thanks for any advice or references.

AndroidDev

3 Answers

1

You also need to unset the session variables and kill the cookies:

// Clear all session variables
$_SESSION = array();

// Expire the session cookie, reusing the parameters it was set with
if (isset($_COOKIE[session_name()])) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params['path'], $params['domain'],
              $params['secure'], $params['httponly']);
}

This question has been answered extensively here.

Community
phpPhil
1

It may help you:

session_start();

if (isset($_COOKIE['remember_user'])) {
    // Remove the cookies from the current request...
    unset($_COOKIE['Hello']);
    unset($_COOKIE['HelloTest1']);
    // ...and tell the browser to expire them
    setcookie('Hello', '', -1, '/');
    setcookie('HelloTest1', '', -1, '/');
}

// Destroy the server-side session data, then redirect
session_destroy();
header('Location:');
exit;
priya786
0

You have to start the session (session_start) in the logout page also. Did you do it?

phpfresher
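
A login and logout sequence that pulls together the points raised in the answers above, as an added example that is not part of any post in this thread. The function names `on_login_success` and `logout` and the `user_id` session key are hypothetical; both functions must run before any output is sent, because they set cookie headers.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Call right after credentials are verified, so the authenticated session
// never keeps a session ID that existed before login.
function on_login_success(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // issue a new ID; true deletes the old session data
    $_SESSION['user_id'] = $userId;
}

// Call from the logout script.
function logout(): void
{
    // session_destroy() only acts on an active session, so resume it first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $_SESSION = [];   // drop the session data held in this request

    // session_destroy() does not touch the browser's cookie, so expire it
    // explicitly. Name, path and domain must match the cookie PHP set,
    // otherwise the browser keeps the original.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();   // remove the server-side session data
}
```

A cookie marked HttpOnly is not visible to `document.cookie`, and an expiry sent with a different path than the original leaves the original cookie in place, so clearing the session cookie is more reliable from PHP than from client-side script.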