I am running into some problems deleting a php session I have created during login on a website I am working on. First here is how I am attempting to destroy said session:
On the index.php page there is a logout button that is displayed if some php code detects that there is a session. It calls this Ajax get call:
function logout()
{
    var UName = "<?php echo $_SESSION['Username']; ?>";
    //alert(UName);
    $.ajax(
    {
        url: "php/logout.php",
        type: "get",
        success: function(jsonstr)
        {
            onSuccess(jsonstr);
        },
        error: function(XMLHttpRequest, textStatus, errorThrown)
        {
            alert("Status: " + textStatus);
            alert("Error: " + errorThrown);
        }
    });
}
This calls the logout.php file which has this code in it:
<?PHP
header('Content-Type: application/json');
include_once 'login_functions.php';
include_once 'logout_functions.php';
sec_session_start();
$returnedData = logout($_SESSION['Username']);
//echo $returnedData."\n";
if ($returnedData === "true")
{
    if (isset($_COOKIE[session_name()]))
    {
        setcookie( session_name(), "", time()-3600, "/" );
    }
    $_SESSION = array();
    session_destroy();
    $_SESSION = NULL;
    $data = array("loggedout" => "true");
    echo json_encode($data);
    exit();
}
else
{
    $data = array("loggedout" => array("false" => $returnedData));
    echo json_encode($data);
}
?>
The call to logout($Username) is just calling a function that deletes some database stored values related to the user's session. If it returns true then the session deletion code is called and the user is alerted to the fact that they are being logged out upon return to the index.php file.
Just in case it is relevant, here is how I am creating the session with sec_start_session():
function sec_session_start()
{
    $session_name = 'sec_session_id';
    $secure = secure;
    $httponly = true; //Keep Javascript from obtaining any cookie information
    //echo "Function: start_sec_session \n"; //For debugging
    //Force use of cookies
    if (ini_set('session.use_only_cookies', 1) === FALSE)
    {
    }
    $cookieParams = session_get_cookie_params(); //Get the current session cookie parameters
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); //Set the parameters
    session_name($session_name); //Change the session name
    session_start(); //Start the session
    session_regenerate_id(); //Recreates the session, deletes the old one, and generates a new encryption key
}
Now, here is the problem. Whenever I call the following snippet of code from an administration page the session_status() function is always returning a value of 2, session_active.
<?php else :?>
<div class="row">
    <div class="col-xs-12">
        <div class="panel panel-default">
            <div class="panel-heading">
                Protected Page! <?php echo session_status(); ?>
            </div>
I have another way of detecting if there is a session for a user, as I store some timestamps in my database for dealing with timeouts, but this problem will probably cause some issues somewhere down the road and I also want to minimize the number of times I have to call into the database.
I have read all over the place that reloading a page once a session has been destroyed and the cookie deleted should vacate the session values but that does not seem to be happening here. In fact there are two page reloads. The first one is right after the user is alerted to being logged out:
else if (rD[0] === "loggedout")
{
    if (rD[1] === "true")
    {
        alert("You have now been logged out. The page will now reload. Please come again!");
        window.location.reload();
    }
    else
    {
        document.getElementById("errpanel").style.visibility = "visible";
        document.getElementById("errmsg").textContent = rD[2];
    }
}
The second reload, if it can be called a reload, happens when I go to the administration page, as I have no direct link to it when someone who is listed as an administrator is not logged in (the link does not show on the index.php page anyway), and to get there I am just typing the URL directly into the address bar. session_status() returns a 2 even after I have closed Waterfox and reopened it.
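The behaviour described above, as an added example that is not part of the original post: `session_status()` reports 2 (`PHP_SESSION_ACTIVE`) in any request where `session_start()` has run, whether or not anyone is logged in, so a protected page has to test what the session contains instead. The function names are hypothetical, and the example assumes the protected page starts the session before the check, which the post does not show.

```php
<?php
// Added example, not the poster's code. is_logged_in(), require_login() and
// end_session() are hypothetical names; 'Username' is the session key from the post.

// session_status() === PHP_SESSION_ACTIVE (2) only means session_start() ran
// in this request. A fresh, empty session is "active" too, so the login
// decision has to come from data stored in the session.
function is_logged_in(): bool
{
    return session_status() === PHP_SESSION_ACTIVE
        && isset($_SESSION['Username'])
        && $_SESSION['Username'] !== '';
}

// Guard for a protected page; call it after the session has been started
// and before any output is sent.
function require_login(): void
{
    if (!is_logged_in()) {
        http_response_code(403);
        exit('Not logged in');
    }
}

// Logout: clear the data, expire the cookie, then destroy server-side state.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // The deletion cookie must carry the same path, domain and flags as
        // the original, otherwise the browser keeps the old cookie.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

After `end_session()` the next request still gets an active session if it calls `session_start()`, but `$_SESSION['Username']` is gone, so `require_login()` rejects it.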