30

UPDATE ON THE PROBLEM:

  • On some browsers, we have two PHPSESSIDs.
  • One PHPSESSID is not set by me anywhere in my script
  • It has HOST (instead of DOMAIN for the PHPSESSID I set) as www.mywebsite.com
  • I have tried deleting it using setcookie: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/', 'www.mywebsite.com'); but this fails.
  • An attempt to delete cookie using: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/'); results in the PHPSESSID I set being deleted.
  • I have tried using session_name to rename the SESSION I set. This works but crashed my server severally after some minutes.
  • I am out of options.

I am working with PHP sessions on my website.

The session path was /folder, later on I changed to / to fit the new purpose.

Now, old users cant login.

It seems they now have two PHPSESSIDs stored on their browsers - one with path /folder and the other /.

What can I do to ensure that old users can login while ensuring that the session is sitewide with "/".

MORE INFORMATION

When I said two phpsessionid, refer to the image

the two PHPSESSID

  1. The login works if I use

A. session_set_cookie_params(864000, '/cv', '.website.com', 0, 1);

but fails to work if I use:

B. session_set_cookie_params(864000, '/', '.website.com', 0, 1);

  • If I use Version 2A above, the session will only be available in /cv and not be available in other website folders eg. /folder.

UPDATE ON DELETING PHPSESSID WITH JAVASCRIPT

  • When I run alert(document.cookie), it shows all cookies except the PHPSESSID
  • Hence all attempts to delete the PHPSESSID cookie fails, whereas other cookies can be deleted.

UPDATE ON DELETING PHPSESSID WITH PHP

  • When I var_dump($_COOKIE['PHPSESSID']); what is returned is the value of the PHPSESSID with path /cv
  • An attempt to delete with setcookie ("PHPSESSID", "", time() - 3600); fails.
Jens A. Koch
  • 39,862
  • 13
  • 113
  • 141
Ogugua Belonwu
  • 2,111
  • 6
  • 28
  • 45
  • I would just simply log everyone out and assign the new session for the users since the damage has already been done. – Andrew Nov 04 '15 at 09:26
  • How will this delete one of the SESSIONIDs already stored on the client's computer? It seems it continually picks the first and the old SESSIONID to work with. – Ogugua Belonwu Nov 04 '15 at 09:29
  • since everyone will start fresh so assume they will automatically pick the newer session, just my thought – Andrew Nov 04 '15 at 09:36
  • 1
    You could go through the process of adding a few lines of code to manually saving the session data in a new custom folder (using `session.savepath`, etc), so the standard session data in `/cv` can be manually saved in `/` with an include for instance, but this is a big hassle for something that you should just let people re-login, as their sessions will expire when their browser closes anyway.... they're not the same as cookies – Martin Nov 04 '15 at 12:38
  • I have set the session location, but this does not solve it. The sessions persists even after the browser has been closed. – Ogugua Belonwu Nov 04 '15 at 13:29
  • 1
    AFAIK, PHPSESSID is just a cookie whose sole purpose is to identify the current session. When you start the session, PHP automatically sends this cookie to the client and uses its value to identify which `$_SESSION` data belong to this client. Since you now configured your PHP to use a cookie with `/` path, I believe the cookie with `/cv` path should get deliberately ignored. Even if not, you can simply unset it if it's present. It should then never again be created. – ROAL Nov 06 '15 at 12:30
  • 1
    Does `$_SESSION = array(); session_destroy(); ` not affect it? – Steve Dec 06 '15 at 19:46
  • Can you pls explain how your login works and how it relates to the session_id ? – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 10 '15 at 12:09
  • @OguguaBelonwu Pls check my answer and let me know if you are successful to delete the SESSIONID. I was successful while testing. – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 10 '15 at 12:25
  • I use PHP's `start_session();` in my website which stores a cookie called PHPSESSID with the value being some hxadecimal number. This cookie is readable by JS (my self-made cookie editor can show it) but any attempt to change it just creates a second one with the same name which has the changes, so when trying to expire it it there's effectively no change. Is that the same problem you have? Also, I can't find PHPSESSID in cookies.sqlite in my Firefox profile, so I have literally no clue how to get rid of it. – Lampe2020 Jul 02 '23 at 19:11

13 Answers13

16

I think you are mixing up things or you should go into more detail about your setup/problem.

PHP's session path is the location where session data is stored on your server, not the client. See the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.save-path

You can move these files and replace/keep in case of collisions how you see fit. This is pretty much only restricted by read/write-permissions you have when accessing/moving stuff and your webserver-user (e.g. apache or nginx) or php-user has for reading/writing them from/to the new location.

If by "PHPSESSID in their browser" you mean the session id is part of your urls, that is a different PHP-setting, that should be disabled anyway, see notice in the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid

edit based on your updated question:

There already is a nice JS-based solution for expiring the old cookie. I would go with that. if you can't just do that, you could do a redirect to /cv have a php-script there that reads the cookie and stores the data somewhere (a database for example based on the user_id) and expire the cookie. Then you can redirect to the old page, look for the "/"-cookie and restore the data. It's a very ugly hack, but I don't think you can get the cookie for each path in PHP, since it's server side and based on the session id provided by the client (but I might be wrong).

dbrumann
  • 16,803
  • 2
  • 42
  • 58
  • 1
    Session path as stated in question is not about session physical location, but about session cookie ("Path on the domain where the cookie will work. Use a single slash ('/') for all paths on the domain."). see http://php.net/manual/en/function.session-set-cookie-params.php – Adam Fischer Nov 06 '15 at 12:48
6

I would simply expire the cookie from /folder. This should leave you with only one session cookie for /

setcookie('PHPSESSID', '', time() - 86400, '/folder/');
Machavity
  • 30,841
  • 27
  • 92
  • 100
6

You can change the cookie name for your new session using session_name() before session_start() and let the problem solve itself in a few days.

session_name("SESSION_ID");
session_start();
Adam
  • 17,838
  • 32
  • 54
clemens321
  • 2,103
  • 12
  • 18
  • Read guidelines and then answer. – Prafulla Kumar Sahu Nov 11 '15 at 15:27
  • You are having more than 50 reputation why you are unable to comment ?? – Prafulla Kumar Sahu Nov 12 '15 at 03:07
  • 1
    Your answer is very good. I think the fact that you are presenting it as a question is the problem @PrafullaKumarSahu is evocating. You should edit your answer in order to make it an affirmative answer (not a question) and give an example – Adam Nov 12 '15 at 08:21
  • This is a very good solution but it crashes my server. It seems that some browsers set a PHPSESSID immediately the website is opened and my session.auto_start is 0. This PHPSESSID has "HOST" as "www.website.com". This now conflicts with the PHPSESSID I set. – Ogugua Belonwu Dec 03 '15 at 16:43
  • The goal of this method is to use another name for the session. If you named it "SESSION_ID" instead of "PHPSESSID", you can't have any conflict including any previously opened session with another session name. – Adam Dec 04 '15 at 08:48
  • @Adam This solution solves the problem but crashes my server. – Ogugua Belonwu Dec 10 '15 at 17:27
  • @OguguaBelonwu How crashes? Server meaning your php process, your webserver or the operating system? Is there any log? – clemens321 Dec 10 '15 at 17:57
4

You have to remove a cookie on the client side. This is possible with javascript.

Try this javascript on your site:

<script type="text/javascript">
     document.cookie = "PHPSESSID=;Path=/cv;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
</script>

An example:

For this example is use the site https://developer.mozilla.org/en-US/.
If i load this site on the cookies there are the following entries enter image description here Now I want to remove the cookie with name dwf_section_edit. To delete this cookie I set the expire date to the past. After I execute 

document.cookie = "dwf_section_edit=;Path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT;";

on the console, the cookie is away as you can see on the following image (i used the little refresh button on bottom left of the table because it is only temporary on this example)

enter image description here

On the next reload i get the cookie again in this example, because Mozilla give it back to me. On your site you don't have to create the old cookie again, and all is fine.

Sebastian Brosch
  • 42,106
  • 15
  • 72
  • 87
  • When I run alert(document.cookie), the PHPSESSID cookie is not listed. Since the PHPSESSID is not listed, the delete cookie does not delete the PHPSESSID cookie. Whereas, the PHPSESSID can still be seen in the console. – Ogugua Belonwu Nov 07 '15 at 07:15
  • If it is not listed it means it is not there :) – mow Dec 08 '15 at 00:29
2

I guess your script does not know, which session should be accessed upon session_start();

Try to specify correct path for session using

ini_set('session.cookie_path', '/');

or

session_start(['cookie_path' => '/']);

depending on your setup

If that does not help, i would suggest using session_regenerate_id() that will replace the current session id with a new one, and keep the current session information.

Adam Fischer
  • 1,075
  • 11
  • 23
1

The solution will be let users go to /folder path for the duration of session expire time. On this path make php script for copying ALL COOKIES from /folder to / path by using setcookie function (http://php.net/manual/ro/function.setcookie.php) 

foreach ($_COOKIE as $key => $value) {
    setcookie($key, $value, $expire, "/")
}
// redirect to "/" now. User will be able to login.

Additional explanation: cookies are tied to path and domain, its important (and by default its /, but it seems not in your case). So PHPSESSID from subpath (like /folder or /me) not accessible from parent. And they propagate from parent to child. So cookies from /me are the same as for / with there not assigned explicit.

vitalii
  • 443
  • 6
  • 10
0

If you send manually the header with new expiring date for desired path, the client should remove it.

session_start();
header("Set-Cookie:PHPSESSID=".session_id()."; expires=Sat, 07-Nov-1999 14:58:07 GMT; path=/cv/");

The first time, you have the old cookie path, but from the second page call only the cookie in path / will be stored and transmitted.

You can send this header when you know if the client is affected by this problem or having this for some month.

Luca Rainone
  • 16,138
  • 2
  • 38
  • 52
0

Yeah, you need to set the cookie time to a negative value so the browser can delete it, in adition we set the stored value to empty string which also helps to delete the same cookie...

This (a the top of your page) would do, just be sure to session_start() first:

setcookie('PHPSESSID', '', -3600, '/cv');

This works flawlessly on all my domains, I had this problem once.

Solrac
  • 924
  • 8
  • 23
0

You can remove it by setting it with a previous time for it to expire:

setcookie('phpsessid','value',time()-1);
Waqas Shahid
  • 1,051
  • 1
  • 7
  • 22
0

Just provide the 4th argument when calling setcookie function :

setcookie ("PHPSESSID", "", time() - 3600, '/');

Explanation

The 4th argument of the setcookie() function is $path of the session to be set. And for this, "The default value is the current directory that the cookie is being set in.". (See : http://php.net/manual/en/function.setcookie.php.) So if you are calling this function from a file locating in folder "/folder", it will try to delete a cookie from that folder only. By setting the $path to "/" we are telling the function to delete the session_id from the root directory.

I have tested it and it deleted the PHPSESSID from the cookie successfully.

Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ
  • 4,151
  • 1
  • 19
  • 54
0

It is mentioned here, though Use of session_register() is deprecated and Use of $_SESSION is preferred : -

If session_start() was not called before this function is called, an implicit call to session_start() with no parameters will be made. $_SESSION does not mimic this behavior and requires session_start() before use.

Then, using $_SESSION , append a JSON file with Auth=True, with TimeOut=20 minutes.
Whenever, user logs out or after timeout, set Auth=False. Then, read that JSON file using PHP and

Then, if Auth=False, create JS using PHP that OnLoad event, document.cookie = 'PHPSESSID' + '=;expires=Thu, 01 Jan 1970 00:00:01 GMT;';

SUKUMAR S
  • 187
  • 2
  • 8
-1

Lets go back to basics - Here is something that I believe you should try: Run your site. Keep a note of PHPSESSID. then close the browser completely, open the browser again, and then run your site. Check the PHPSESSID and see if it is the same.

If it is not same then it is not a cookie but a Session ID specific for the browser session. Second, if the PHPSESSID is the same as set the first time then it is a cookie and you 'will' be able to delete any key=>value pair set to the cookie resources. May be you are referencing something wrong in the JS or PHP code.

Please try this and revert with results. It will give a lot more clarity. Sessions, LocalStorage, IndexDB, Cookies all are different things and referenced differently.

Gary
  • 2,293
  • 2
  • 25
  • 47
  • Thanks Gary. Normally, I do not experience the problem on my computer and as you directed, the PHPSESSID changes each time I close the browser and reopen on my computer. On some other computers and browsers it maintains two PHPSESSIDs instead . – Ogugua Belonwu Dec 08 '15 at 11:10
  • Technically, there cannot be two same key=>value pairs registered in a browser cookie resource area. I have seen these kinds of issues with JS variables in browser memory due to lazy garbage collection methods of browsers. But not in case of `cookies`, since garbage collection should not make a difference to cookies. Sessions are destroyed immediately when tab/browser closes. Garbage collection may also not impact Sessions since they are destroyed - not sure though. – Gary Dec 08 '15 at 11:35
  • `Sessions are destroyed when every tab/browser is destroyed where as cookies are not`. There is an option clear cache/cookies when browser closes. Remove that, and then 1) close the tab and see results and 2) close the browser and see results. Check whether it is a session or cookie. The point that it does not show PHPSESSIDs in js cookie lists hints toward setting of sessionid and not cookie. – Gary Dec 08 '15 at 11:36
  • `If it is a cookie, you will be able to manipulate it` as above from js or php setting the cookie to null (or change the expiry date to previous date). – Gary Dec 08 '15 at 11:43
  • Dont forget your PHPSESSID is being set at `'/cv'` and `'/'` so they are not the same cookies (if they are not cookies reflecting sessions and copying the id from sessionid). – Gary Dec 08 '15 at 11:48
  • Can you also put the complete code of setting and removing the sessions/cookies please? That should be the problem. Do also try the session_regenerate_id since your cookies are not being deleted (and seems they are storing your sesionid in cookies) after session_destroy and see if it works. Was researching when I came across these. The second one might help, http://stackoverflow.com/questions/15567880/php-session-set-cookie-params-issue and deleting a cookie http://stackoverflow.com/questions/2241769/php-how-to-destroy-the-session-cookie-correctly – Gary Dec 10 '15 at 11:28
-2

You cannot Delete Cookie of Cleint Browser's

First thing you have to understand that you cannot delete the COOKIES on client systems by any means. When you invalid then browser doesn't delete it, but makes the cookie unvalid. The cookie is still there on the clients system. But the browser just ignores it. In order to delete it the client must do it themselves.

To invalid all sessions you can use

session_start(); // initialize session
session_destroy(); // destroy session
setcookie("PHPSESSID","",time()-3600,"/"); // delete session cookie

or javascript code:

document.cookie = "PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00
        UTC;path=/;host=localhost";

In every case you can't delete cookie set by browser's. As PHP and javascript can only issue commands only to invalid the already set cookies present.

Only Way to Delete Cookie

  • By the client himself.

  • Direction to flush cookies and cache

  • Uninstall the browser and then Re-Install it.

Recommendations to Achieve Purpose

Create a new php script and insert it on the top of login.php and in this script you check whether there are two PHPSessionId and if there are two then destroy all of them and reload the page. Until you reload the last cookie used before any event would be in-session. You must reload the page or redirect use:

Removing two PHPSESSID

 count=0;

 foreach($_COOKIE as $key => $value){
    if ( $key == "PHPSESSID" ){
       count++;
    }
 }
 if (count>1){
    //Destory all cookies here
    foreach($_COOKIE as $key => $value){
          setcookie($key,"",time()-3600,"/");
    }

    //Reload/redirect the current page to dispose of all things
    header("Locations:" . $your_url);
    exit(0);
 }

Now there would be only I session of PHPSESSID in every case

Vineet1982
  • 7,730
  • 4
  • 32
  • 67