2

Hi, I am new to PHP and trying to destroy a session according to the PHP documentation here: http://php.net/manual/en/function.session-destroy.php so I am using this code:

<?php
session_start();

echo 'cookies before delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
echo '-------------- <br>';

$_SESSION = array();

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

session_destroy();
echo 'cookies after delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
?>
What I don't understand is: no matter how many times I run this code, the PHPSESSID entry in the $_COOKIE superglobal is always exactly the same.

So is the session on the server destroyed at all, and only the id in the cookie stays alive? And overall, why does it work out like this? Thanks for the answers.

Deli Sandor
  • 151
  • 1
  • 10
  • Possible duplicate of [Why is PHP session\_destroy() not working?](https://stackoverflow.com/questions/6472123/why-is-php-session-destroy-not-working) – Jeff Oct 31 '18 at 13:37

4 Answers

2

Hi. So I have found out why the setcookie() function didn't destroy the PHPSESSID cookie. The session_set_cookie_params() function needs to be called before starting the session, and so later the setcookie() function will be able to expire the PHPSESSID cookie.

This code works:

<?php
$lifetime = 60 * 60 * 24 * 360;
$path = '/';
$domain = 'yourdomain';              // placeholder: use the real cookie domain
$secure = isset($_SERVER["HTTPS"]);
$httponly = true;
// Must be called with these parameters before session_start(), so that the
// expiring cookie below matches the cookie the browser actually holds.
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

$expire = strtotime('-1 year');
setcookie('PHPSESSID', '', $expire, $path, $domain, $secure, $httponly);
session_destroy();
?>
It will create and then destroy the session completely, and the next call to the server from the same browser won't know about the previous session and its PHPSESSID cookie.
Deli Sandor
  • 151
  • 1
  • 10
  • If this is the answer to your question, consider [marking it as accepted](https://stackoverflow.com/help/self-answer) :) – Joe Sadoski Nov 17 '22 at 18:55
1

Just use session_regenerate_id() after destroying the session.
https://secure.php.net/manual/en/function.session-regenerate-id.php

Also, destroying a session doesn't unset a cookie.

Lithilion
  • 1,097
  • 2
  • 11
  • 26
1

OK, hi, just want to leave a few things out. OK, it's simple: destroying a session doesn't unset what's been set on the cookie. Like we all know, cookies are available until the validity elapses. And even if the session gets regenerated, it would still update the cookie. I'll suggest you have it controlled, else if you refresh that page a million times you would still have the same result sent as output. It's more like doing the same thing and expecting a better result. I could write you a snippet if you want. Hope this helps.

== My discovery ==

<?php

session_start();

define('NEWLINE', '<br><br>');

echo "cookie before delete session. <br>";
var_dump($_COOKIE);

echo NEWLINE;

echo "session here <br>";
var_dump($_SESSION);

echo NEWLINE;

echo "------------------------<br>";

$_SESSION = array();

if (ini_get('session.use_cookies'))
{
    echo "cookie already has PHPSESSID even before you set it here ..<br>";

    // The solution I could arrive at:
    // without this, PHPSESSID wouldn't give you a new id.
    session_regenerate_id();
}

// now destroy
session_destroy();

echo "Cookie here would not change. Just refresh the page and try commenting out session_regenerate_id() to see the difference. <br>";
var_dump($_COOKIE);

echo "Session when destroyed. <br>";
var_dump($_SESSION);
?>
Ifeanyi Amadi
  • 776
  • 5
  • 10
0

See the documentation:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

… even if it did unset the session cookie, the $_COOKIES superglobal includes all the cookies that the browser sent when it made the request. It would require time travel for session_destroy to prevent the browser from sending them in the request that is currently being processed.


what I don't understand is, doesn't matter how many times I run this code the PHPSESSID property in the $_COOKIE superglobal is always exactly the same.

If the session ID sent by the browser doesn't match an existing session when you call session_start, then it still uses the same session ID for the new session.

session_regenerate_id forces the generation of a new id; session_start does not.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Thanks for your answer. I still don't understand: my code has used the setcookie() function on the PHPSESSID cookie to expire it, but it is still alive after the browser got the header where that cookie shouldn't be inside. Thanks for your answer – Deli Sandor Oct 31 '18 at 13:57
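Pulling the points of these answers together, here is an added example (not code from the question or from any of the answers) of a complete logout: it clears the session data, sends a matching deletion cookie, destroys the server-side record, and then shows where the deletion is actually visible: in the outgoing Set-Cookie header, not in $_COOKIE. It assumes PHP 7.3 or later for the array form of setcookie() and the samesite key of session_get_cookie_params().

```php
<?php
// Added example: full logout for a PHP session (PHP 7.3+ assumed).
declare(strict_types=1);

function destroy_session_completely(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop the session data held for this request.
    $_SESSION = [];

    // 2. Tell the browser to forget the cookie. The deletion cookie must carry
    //    the same name, path and domain as the one that was set, otherwise the
    //    browser treats it as a different cookie and keeps the original.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        $opts = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $opts['samesite'] = $p['samesite'];
        }
        setcookie(session_name(), '', $opts);
    }

    // 3. Remove the server-side session record. After this the old id carries
    //    no data even if a client keeps sending it: session_start() simply
    //    creates a fresh, empty session under that id, which is why the
    //    question saw the same PHPSESSID value on every refresh.
    session_destroy();
}

destroy_session_completely();

// $_COOKIE is a snapshot of what the browser SENT with this request, so it
// still contains the old PHPSESSID. The deletion shows up in the response:
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie: ' . session_name()) === 0) {
        echo htmlspecialchars($h), "\n";   // e.g. "Set-Cookie: PHPSESSID=deleted; expires=..."
    }
}
// On the next request the browser sends no PHPSESSID and session_start()
// issues a brand-new id; pairing this with session_regenerate_id(true) right
// after a successful login is the usual defence against session fixation.
```

Run it under a web SAPI rather than the CLI, since headers_list() only reports headers in a context where PHP actually sends them.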