1

I am trying to unset my currently logged-in user's session. It works fine if I do a normal login, but when I use the remember-me setting with cookies it is not being destroyed.

My code for setting the session and cookie is:

public function login() {
    // If a session username or a remember-me cookie exists, log in from the cookie
    if (isset($this->session->userdata['username']) || isset($_COOKIE['user_id'])) {
        $this->load->model('User');
        $p_uid = $this->User->user_login($_COOKIE['user_id'], $_COOKIE['password']);
        redirect(base_url() . "dashboard");
    } else {
        $this->form_validation->set_rules('user_id', 'User ID', 'required');
        $this->form_validation->set_rules('password', 'Password', 'required');
        if ($this->form_validation->run() == FALSE) {
            $this->load->view('login/login');
        } else {
            $user_id  = $this->input->post('user_id');
            $password = $this->input->post('password');
            $this->load->model('User');
            $p_uid = $this->User->user_login($user_id, $password);
            //var_dump($p_uid);
            if ($p_uid) {
                if (isset($_POST['remember_me'])) {
                    // Remember-me: stores the user id and password in cookies for 30 days
                    setcookie("user_id", $user_id, time() + 86400 * 30);
                    setcookie("password", $password, time() + 86400 * 30);
                }
                redirect(base_url() . "dashboard/");
            } else {
                $data = array(
                    "error" => "Wrong Userid Or Password"
                );
                $this->load->view('login/login', $data);
            }
        }
    }
}

And my logout function is:

public function logout(){

    $this->load->helper('cookie');
    delete_cookie("user_id");
    delete_cookie("password");

    $this->session->unset_userdata("username");
    $this->session->sess_destroy();

    redirect(base_url());
}

Where am I making a mistake? Please help. Thanks.

    This is wrong: $this->session->userdata['username']. You have to use it like this: $this->session->userdata('username') – Dinesh Kumar Apr 15 '17 at 10:29

6 Answers

3

First of all, your remember-me mechanism is seriously flawed. See Implementing Secure User Authentication in PHP Applications with Long-Term Persistence.

I don't understand how your login works. You are checking if the username is set in the session, then using cookies to perform the login. I guess you've made it work because the first part of the || always fails, since $this->session->userdata['username'] will never be set. The correct way to access the username from the session would be:

$_SESSION['username']
OR
$this->session->userdata('username')
OR
$this->session->username

Finally, make sure the cookies are actually being deleted by inspecting your requests in the network tab. Codeigniter deletes cookies by setting a negative expiration time of around a day; see if this is the case in your version of Codeigniter. For best results, just set the cookie again with a large negative expiration time, and instead of checking if the cookie is set, check if the cookie is !empty.
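A hardened alternative to the cookie scheme in the question, added here as an example (it is not this answer's code and not part of CodeIgniter): a selector/validator remember-me token in plain PHP. It assumes PHP 7.3+ with the PDO SQLite driver; the auth_tokens table, the cookie name and the function names are all constructed for this example. The cookie carries only a random token, the database stores only a hash of the validator half, no password material is involved, and logout deletes the row server-side and then overwrites the cookie with a far-past expiry, which is the check recommended above.

```php
<?php
// Added example (not the answer's or CodeIgniter's code): selector/validator
// remember-me tokens. Assumes PHP 7.3+ and PDO SQLite; the table name,
// cookie name and function names below are constructed for this example.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 86400;   // 30 days, as in the question

function openTokenStore(): PDO
{
    // In-memory database so the example runs offline; use your real DB in practice.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE auth_tokens (
                    selector       TEXT PRIMARY KEY,
                    validator_hash TEXT NOT NULL,
                    user_id        INTEGER NOT NULL,
                    expires        INTEGER NOT NULL)');
    return $pdo;
}

// Create a token for a logged-in user. The cookie value is "selector:validator";
// only a SHA-256 of the validator is stored, so a leaked table cannot be
// replayed as a cookie. No password is ever written to the cookie.
function issueRememberToken(PDO $pdo, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $selector . ':' . $validator;
}

// Resolve a cookie value to a user id, or null. The lookup is by selector, the
// validator is compared in constant time, and expired rows are rejected.
function userFromRememberToken(PDO $pdo, ?string $cookie): ?int
{
    if ($cookie === null || $cookie === '' || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires
                           FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Logout: invalidate the token server-side AND overwrite the cookie with an
// empty value and an expiry far in the past, so the browser discards it.
function revokeRememberToken(PDO $pdo, ?string $cookie): void
{
    if ($cookie !== null && strpos($cookie, ':') !== false) {
        [$selector] = explode(':', $cookie, 2);
        $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', [
        'expires'  => time() - 86400 * 365,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed walk-through: issue, verify, reject a tampered value, revoke.
$pdo   = openTokenStore();
$token = issueRememberToken($pdo, 42);
assert(userFromRememberToken($pdo, $token) === 42);
assert(userFromRememberToken($pdo, 'bogus:bogus') === null);
[$sel] = explode(':', $token, 2);
assert(userFromRememberToken($pdo, $sel . ':' . str_repeat('0', 64)) === null);
revokeRememberToken($pdo, $token);
assert(userFromRememberToken($pdo, $token) === null);
echo "remember-me token flow OK\n";
```

Run it from the command line with php (the file name is up to you); on a real site the cookie value comes from $_COOKIE[REMEMBER_COOKIE] and the user id goes into the session after the token resolves. Because the row is deleted on logout, a copy of the old cookie is useless even if the browser somehow keeps it, which is the failure the question describes.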

2

I faced the same issue a while ago. I tried all the methods that were possible, but I failed. Finally I found the solution with ob_start and ob_clean. Logout should be like this:

class controllerName extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        ob_start();
        $this->load->library('Session');
        $this->load->helper('cookie');
    }

    public function logout()
    {
        $this->load->driver('cache');
        $user_id = array(
            'name'   => 'user_id',
            'value'  => '',
            'expire' => '0',
            'domain' => '.localhost',
            'prefix' => ''
        );

        delete_cookie($user_id);
        $this->session->sess_destroy();
        $this->cache->clean();

        ob_clean();
        redirect(base_url());
    }

}

To prevent the previous page from loading via the browser back button, you should do something like this:

$sess = $this->session->userdata('username');
if(empty($sess))
{
    $this->session->set_flashdata('error', 'Session has Expired. Please login');
    redirect('loginController/method'); 
}
else
{
    # success. 
    # continue the normal code here 
}

FYI: This should be added in every function, or put in a constructor to do it.

NOTE: Don't put the password in a cookie. Read: php cookie injection vulnerability?

  • Thanks for your help :) – Bushra Shahid Apr 25 '17 at 12:08
  • Why does this work? I had a similar situation where 1/10 times CI wasn't actually logging the user out (note: I'm not using remember me or anything like that). Adding these before and after destroying the session seemed to work. But why? – Alex Sep 12 '17 at 04:11
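The constructor approach this answer mentions, written out as an added example (not the answer's own code): a CodeIgniter 3 base controller that sends no-cache headers on every response and exposes a login guard, plus a controller that calls the guard from its constructor so every one of its methods is protected. The class names, the login route and the 'username' session key are assumptions; the block relies on a CodeIgniter 3 installation (the MY_ core-class convention and the Output, Session and URL helper APIs are CodeIgniter's) and is not a stand-alone script.

```php
<?php
// Added example, not the answer's code. Assumes CodeIgniter 3.
// File: application/core/MY_Controller.php (CI auto-loads core classes
// with the MY_ prefix configured in config.php).
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        // Tell the browser and any intermediary not to serve this page from
        // cache, so "Back" after logout re-requests it and hits the guard.
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
        $this->output->set_header('Pragma: no-cache');
        $this->output->set_header('Expires: 0');
    }

    // Same check as in the answer, using !empty() rather than isset() so an
    // empty or stale value is treated as "not logged in".
    protected function require_login()
    {
        if (empty($this->session->userdata('username'))) {   // 'username' key is assumed
            $this->session->set_flashdata('error', 'Session has expired. Please log in.');
            redirect('login');   // assumed login route
        }
    }
}

// File: application/controllers/Dashboard.php (assumed controller name)
class Dashboard extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->require_login();   // protects index() and every other method here
    }

    public function index()
    {
        $this->load->view('dashboard');   // assumed view name
    }

    public function logout()
    {
        // Drop the identity key first, then destroy the whole session and
        // send the user back to the login page.
        $this->session->unset_userdata('username');
        $this->session->sess_destroy();
        redirect('login');
    }
}
```

Putting the guard in the constructor means a new action cannot be added to the controller without being protected, which is the point of the "every function" remark above; the no-cache headers are what stop the back button from showing a cached copy of a page the guard would now refuse.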
1
  1. To unset a single element from the session array:

    $this->session->unset_userdata('some_name');

  2. You can pass an array of keys to unset multiple values:

    $array_items = array('username' => '', 'email' => '');
    $this->session->unset_userdata($array_items);

1
public function check_admin_login()
{
    $admin_email_address = $this->input->post('admin_email_address', true);
    $admin_password      = $this->input->post('admin_password', true);
    $this->load->model('admin_model', 'a_model');
    $result = $this->a_model->check_admin_login_info($admin_email_address, $admin_password);
    // echo '<pre>'; print_r($result); exit();
    $sdata = array();

    if ($result) {
        // Store the admin's identity in the session
        $sdata['full_name'] = $result->admin_full_name;
        $sdata['admin_id']  = $result->admin_id;
        $this->session->set_userdata($sdata);
        redirect('super_admin');
    } else {
        $sdata['message'] = 'Your User Id / Password is Invalid!';
        $this->session->set_userdata($sdata);
        $this->load->view('admin/admin_login');
    }
}

The above is for login; for logout:

public function logout()
{
    // Remove the identity keys set at login, then leave a message for the login page
    $this->session->unset_userdata('full_name');
    $this->session->unset_userdata('admin_id');
    $sdata = array();
    $sdata['message'] = 'You have successfully logged out!';
    $this->session->set_userdata($sdata);
    redirect('admin');
}
1

This will happen when the login page is on http or localhost: then CodeIgniter creates the session for http or localhost. When we try to get the session on https://www.example.com or http://[::1]/, the session will not be available for these types of URLs.

Try to use one type of URL pattern in the website.

0

For deleting a cookie:

delete_cookie('name', $domain, $path);

For deleting/destroying the session:

$this->session->sess_destroy();

To destroy a particular session item:

$this->session->unset_userdata('name');

For multiple items:

$items = array('item-name1' => '', 'item-name2' => '');
$this->session->unset_userdata($items);