0

I have created a logout.php page to let the user sign out from the website and redirect them to the sign-in page.

However, whatever I do, the cookies are not getting deleted, so when the user gets redirected to the sign-in page, the latter examines the cookies and finds them, and therefore logs the user in.

Below is the code of logout.php:

<?php
unset($login);
if (isset($_COOKIE['xxx'])){
    setcookie('xxx', false, time() - 3600,"/");
}
if (isset($_COOKIE['yyy'])){
    setcookie('yyy', false, time() - 3600,"/");
}
    header("Location: singin.php");
    die();

?>

Please note that this PHP page is in a subfolder protected by a password, and the HTML link redirects to a PHP file that require()s the logout.php file.

halfer
Mostafa
  • Try this: https://stackoverflow.com/questions/686155/remove-a-cookie Let us know if it helped – onno204 Jul 31 '17 at 18:52
  • 1
    `if (isset($_COOKIE['X'])){ setcookie('X'` - Do you know what that does? Think about it for a minute and tell yourself *out loud*, step by step. – Funk Forty Niner Jul 31 '17 at 19:10
  • *"How did you set the cookies in the first place?"* @PetervanderWal Oh, it's set alright. Look at their code again ;-) Edit: I see you deleted the comment I was responding to. – Funk Forty Niner Jul 31 '17 at 19:12
  • 1
    @Fred-ii- I had to read your comment twice before I saw the problem, but of course you're absolutely right ;) – Peter van der Wal Jul 31 '17 at 19:15
  • @PetervanderWal ;-) – Funk Forty Niner Jul 31 '17 at 19:16
  • @PetervanderWal Thing is though Peter, you wrote something else in your (deleted) comment that made sense, being domain-related. If you remember what you wrote, you should add that as (another) comment. – Funk Forty Niner Jul 31 '17 at 19:19
  • Although this isn't your current problem (at least not your main problem, @Fred-ii- is nudging you in the right direction): You should make sure that you delete your cookie with the same parameters for `$path`, `$domain` and `$secure` as you set it in the first place. For example if you set a cookie with `$domain = '.example.com'` (i.e. example.com itself and all subdomains under it), you can't delete it with `$domain = 'www.example.com'` or leaving the `$domain`-parameter out. – Peter van der Wal Jul 31 '17 at 19:33
  • I have set the cookies as follows: `setcookie('xxx' , value, 3600*24, "/")` – Mostafa Jul 31 '17 at 20:16
  • @PetervanderWal the code is now as follows: – Mostafa Jul 31 '17 at 20:18
  • and still doesn't work – Mostafa Jul 31 '17 at 20:19
  • Is it possible that this problem is related to session_cache_limiter for some reason? I'm trying to think outside the box, because I can see the cookie alive in Firefox. One more thing: sometimes it works one time, but when I log in to the account again it gets stuck and the cookie is never deleted. Last thing: if I delete the cookie manually from Firefox, nothing creates it again on the website and the user remains logged out. – Mostafa Jul 31 '17 at 20:28
  • `setcookie('xxx', $value, 3600*24, "/")` WON'T set a cookie since the timestamp `3600*24` would be somewhere Jan 2nd 1970. So if you had a cookie, you did create it another way. Make it `setcookie('xxx', $value, time() + 3600*24, "/")`. Then (at least in my environment) `setcookie('xxx', null, -1, "/")` WILL delete that same cookie. – Peter van der Wal Aug 01 '17 at 09:19

2 Answers

0

Use PHP unset() to delete your cookie; you can get the complete details here: delete the cookie

if (isset($_COOKIE['xxx'])){
    unset($_COOKIE['xxx']);
}
if (isset($_COOKIE['yyy'])){
    unset($_COOKIE['yyy']);
}

or, set value as null and a negative time for your cookie as

setcookie('xxx', null, -1, '/');
setcookie('yyy', null, -1, '/');

or, set value as empty and a past time for your cookie as

setcookie("xxx", "", time()-3600);
setcookie("yyy", "", time()-3600);
RAUSHAN KUMAR
0

I have finally found the reason behind the issue. It's because I have put session_cache_limiter('public'); in my code, which I presume prevents the client from setting the cookie to an expiry date.

I have done that because I don't want the client to ask the user each time they hit back to resubmit the form.

It seems that it's not the correct practice, I'll post another question for that.

Thanks all for the help.

Mostafa
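
Added example, not code from any poster in this thread: a logout helper that combines the two points raised above, expiring each cookie with the same attributes it was set with and keeping the logout response out of any cache. The attribute values, the function names and the use of a PHP session are assumptions; the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Cookie names come from the question; everything else is illustrative.
const AUTH_COOKIES = ['xxx', 'yyy'];

// Single source of truth for cookie attributes. The browser only drops a
// cookie when the expiring Set-Cookie matches the name, path and domain
// that were used when the cookie was created.
function cookie_attrs(int $expires): array
{
    return [
        'expires'  => $expires,   // absolute Unix timestamp, not a lifetime
        'path'     => '/',
        'domain'   => '',         // assumption: host-only cookie
        'secure'   => true,       // assumption: site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

function login_set_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, cookie_attrs(time() + 3600 * 24));
}

function logout(string $redirect = 'singin.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // The limiter can only be changed before the session starts.
        session_cache_limiter('nocache');
        session_start();
    }
    // Invalidate server-side state, not just the browser's copy.
    $_SESSION = [];
    session_destroy();

    foreach (AUTH_COOKIES as $name) {
        setcookie($name, '', cookie_attrs(time() - 3600));
        unset($_COOKIE[$name]);   // affects the current request only
    }
    // A 'public' cache limiter marks responses as cacheable; if the logout
    // redirect is reused from a cache, these Set-Cookie headers are never
    // delivered again. header() replaces any earlier Cache-Control value.
    header('Cache-Control: no-store');
    header('Location: ' . $redirect, true, 302);
    exit;
}
```

Calling logout() from logout.php and login_set_cookie() from the sign-in code keeps both sides on the same attribute set, so a later change to the path or domain cannot leave an undeletable cookie behind.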