
This could be the sequel of this question: PHP Sessions across sub domains

I have a successful multi-domain session simply using this:

```php
session_set_cookie_params(0, '/', '.domain.com');
session_start();
```

The problem is when I try to log out from domain.com. I have tried everything for logout, even all this, as suggested in the PHP session_destroy() manual:

```php
// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!

if (ini_get("session.use_cookies")) {
  $params = session_get_cookie_params();
  setcookie(session_name(), '', time() - 42000,
    $params["path"], $params["domain"],
    $params["secure"], $params["httponly"]
  );
}
```

But it's not working. The session is still alive when I visit subdomain.domain.com.

How can I do it?

Thank you!

FlamingMoe
  • Doesn't `session_destroy()` do the trick? – mhitza Jan 23 '11 at 01:17
  • Are you *setting* the cookie from the same domain name, the root domain name (like `example.com`, sans subdomain), or from the "www" subdomain? – coreyward Jan 23 '11 at 01:25
  • Use a flag in your session to denote validity and set `$_SESSION["valid"]=false;` – mario Jan 23 '11 at 01:26
  • What's in `$params`? Can you show a dump? – netcoder Jan 23 '11 at 01:29
  • 1) session_destroy does not work, since the session is destroyed with the "setcookie" command; 2) the session is firstly set in the "parent domain", in domain.com; 3) mario, I don't understand you; 4) in params appear "/" as path and ".domain.com" as domain, no clues there :P – FlamingMoe Jan 23 '11 at 01:41
  • 1) That's why you shouldn't use setcookie(); using session_destroy() totally removes the cookie, setcookie() leaves it but expires it. – xorinzor Nov 10 '11 at 12:14

1 Answer


Did you see if the session is started before you try to destroy it?

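```php
// Make sure the session is active before trying to destroy it.
if (!isset($_SESSION)) session_start();
if (isset($_COOKIE['auth_token'])) {
    // remove_token() is not defined in this answer.
    remove_token($_COOKIE['auth_token']);
    // Expire the auth_token cookie for the whole domain.
    setcookie("auth_token", "", time()-3600, "/", ".domain.com");
}
session_destroy();
```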

This is working code from my environment. Hope it helps.

sdolgy
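
As an added example (not part of the question or the answer above), here is a logout routine that combines the steps discussed in this thread: resume the shared session, expire the cookie with the same path and domain it was set with, and delete the server-side data. The function names and the constant are hypothetical; `.domain.com` is the value used in the question, and the example assumes every host calls the same start function.

```php
<?php
// Added example, not code from the question or the answer.
// Assumption: domain.com and every subdomain call start_shared_session()
// before touching $_SESSION, so login and logout agree on the cookie
// name, path and domain.

const SHARED_COOKIE_DOMAIN = '.domain.com'; // value used in the question

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started in this request
    }
    session_set_cookie_params(0, '/', SHARED_COOKIE_DOMAIN);
    session_start();
}

function logout_everywhere(): void
{
    // session_destroy() only works on an active session, so resume it first.
    start_shared_session();

    // 1. Drop the data held in this request.
    $_SESSION = array();

    // 2. Expire the browser cookie with the same path and domain it was set
    //    with. Cookies are matched by name, domain and path, so a cookie
    //    set for .domain.com is not cleared by a host-only cookie.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the server-side session record. Expiring the cookie is only
    //    a request to the browser; without this step the session ID stays
    //    valid on the server until garbage collection.
    session_destroy();
}

logout_everywhere();
```

To confirm the logout on the server side, check from a subdomain that the old session ID no longer loads any data, rather than relying on the cookie having disappeared from the browser.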