
I was asked about this. Once I log out in the browser, the fields that remain (like username etc.) are, I believe, merely the browser retaining that data.

When I print session_get_cookie_params (after destroying the session) I get:

Array ( [lifetime] => 0 [path] => / [domain] => [secure] => [httponly] => )  

Below is the recommended way to do it, found on the php.net site. This was not a job interview. I am working on legacy code and added a logout feature. The code below appears to both kill the session and expire the cookies. When I remove the cookie expiration part, the script fails to log the user out: a redirect to the home page merely refreshes the page, and the user still has access.

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
$_SESSION = array();

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
    The session and cookies are different things. The session is managed by the server. The cookies are provided by the client. – Jeremy Holovacs Sep 09 '16 at 17:34
  • You need to ensure you're actually deleting the session file on the server side, rather than simply the cookie on the client side . – Martin Sep 09 '16 at 17:35
  • It's possible but completely useless to do such a thing. The question that pops to mind is - where you asked this on a job interview or? – N.B. Sep 09 '16 at 17:38
  • It wasn't an interview question. I thought it pointless too, but there are ways to completely avoid using cookies in PHP and I always thought it was best practice to use sessions only. Although some .net guy I talked with laughed when I said we use sessions... it sounded like he was making out the practice to be outdated. Anyway, thanks for your responses. I guess I'll ask how I am supposed to do this. Martin: Does the above code, session_destroy(), not delete the file? Or just destroy it from memory? – Rogelio Sep 09 '16 at 22:02
  • just curious - how do you have sessions without cookies? I really don't understand. i.e. how does the server know how to link user state information to the current html transaction without a cookie? – Ryan Vincent Sep 09 '16 at 22:04
  • Couldn't you just store it in the db and check $_SERVER values on new pages?. – Rogelio Sep 09 '16 at 22:26
  • So... why would you avoid cookies? How do you plan to persist something on the client's computer? Without saving *something* on the client's side, you can't tell who they are. The other way is to append the session id to every request via the query string. The `.net` guy was... they usually have no clue how protocols work, especially HTTP (kudos to the ones who do, but that's what you get when you create point'n click "programmers"). I mean, I see no reason why you'd avoid the mechanism created for us for state persistence in a stateless protocol. – N.B. Sep 09 '16 at 23:02
  • Also, what *for* would you check `$_SERVER`? What kind of info would that superglobal contain which would let you identify a user? The **only** thing that you can send the user and that the user can send back automatically is **cookie**. Sure, you can use workarounds based on JavaScript and save stuff in IndexedDB, LocalStorage but your app becomes JS dependent. I think you don't really get this whole gist with cookies / sessions, it might be ok to ask a question related to that only so you patch up the holes in your knowledge (no hard feelings). – N.B. Sep 09 '16 at 23:06
  • Possible duplicate of [Best way to completely destroy a session - even if the browser is not closed](http://stackoverflow.com/questions/3948230/best-way-to-completely-destroy-a-session-even-if-the-browser-is-not-closed) – Martin Sep 11 '16 at 10:56
  • I have marked this as a duplicate which has an answer showing a (slightly) better way of removing session data. – Martin Sep 11 '16 at 10:57
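As an added example (not the question's code, php.net's, or any commenter's), here is a logout helper in the same shape as the snippet above, followed by a small CLI run that checks whether session_destroy() really removes the server-side session file, which is what the last comments ask about. It assumes PHP 7.3 or later (for the options form of setcookie) and the default "files" save handler; the temp directory and the user_id value are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed for the demo: a private save path so the script can look at the file.
$savePath = sys_get_temp_dir() . '/sess-logout-demo';
@mkdir($savePath, 0700, true);
ini_set('session.save_path', $savePath);
ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
ini_set('session.use_cookies', '1');

function logout(): void
{
    $_SESSION = [];                       // 1. drop all server-side state
    if (ini_get('session.use_cookies')) { // 2. expire the client cookie with the
        $p = session_get_cookie_params(); //    same attributes it was set with
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();                    // 3. unlink the file on the server
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['user_id']);
}

function demo(string $savePath): array
{
    session_start();
    session_regenerate_id(true);          // fresh id at login (anti-fixation)
    $_SESSION['user_id'] = 42;            // constructed sample login
    $id   = session_id();
    session_write_close();
    $file = $savePath . '/sess_' . $id;
    $before = file_exists($file);

    session_id($id);                      // CLI sends no cookie, so reuse the id
    session_start();
    logout();
    return ['file_before' => $before, 'file_after' => file_exists($file),
            'logged_in_after' => isLoggedIn()];
}

print_r(demo($savePath));
```

With the files handler the run reports file_before true and file_after false, so session_destroy() does delete the file rather than only clearing memory; the cookie expiry is what stops the browser from presenting the old id on the next request.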
