3

I have a profile page in my website that welcomes the user with his/her name using session variable. After I unset this variable, the page can still access that name. I cannot properly erase the data.

I've tried to set it to null, `session_unset` and `session_destroy`.

```php
<?php @session_start(); ob_start(); ?>

//Some HTML code here

<?php
    if (isset($_SESSION["user"]) && $_SESSION["login"]) {
        echo '<div><p>welcome ' . $_SESSION["user"] . '!</p></div>';
        echo
            "<form action='' method='post'>
             <input type='submit' name='use_button' value='Log out' />
             </form>";
        if (isset($_POST['use_button'])) {
            $_SESSION["login"] = false;
            unset($_SESSION["user"]);
            session_unset();
            echo "logout successful.";
            echo '<script>window.location.href = "same-page.php";</script>';
        }
    }
    else
        echo 'no login data.';
?>

//Some HTML code here

<?php ob_end_flush(); ?>
```

I expected that after the redirect, the first if condition would not be satisfied and it gives the output 'no login data' but it still can access the session variables.

External php file:

```php
<?php
session_start();
$_SESSION["user"] = '';
$_SESSION["login"] = false;
echo '<script>window.location.href = "../profile.php";</script>';
?>
```

  • Given the code in your question I cannot explain why the session is not emptied. Are you sure that is all the code in that PHP script? Or, have you tried a script with only this code? – KIKO Software Jul 12 '19 at 08:28
  • Yes, the rest is HTML. – Yüce Kılıç Jul 12 '19 at 08:29
  • You could try [session_write_close()](https://www.php.net/manual/en/function.session-write-close.php) after `session_unset()`. Just in case the HTML part is very big. Also check the result of both functions, it should be `true`. – KIKO Software Jul 12 '19 at 08:33
  • session_write_close() did not work. Results of both are false. – Yüce Kılıç Jul 12 '19 at 08:41
  • Hmmm, the `false` result is not good. Did you use [session_start()](https://www.php.net/manual/en/function.session-start.php)? You can also check the status of the session with: [session_status()](https://www.php.net/manual/en/function.session-status.php) – KIKO Software Jul 12 '19 at 08:50
  • Let me update the question. – Yüce Kılıç Jul 12 '19 at 08:53
  • So the rest was not only HTML.... Anyway, even with this addition, I still don't know why this isn't working. The `session_unset()` clearly should not return `false`. – KIKO Software Jul 12 '19 at 08:57
  • _“SOLVED: […]”_ - please don’t put that into the question, write a self-answer instead. https://stackoverflow.com/help/self-answer – misorude Jul 12 '19 at 10:53
  • Hi @YüceKılıç, are you getting the session username after logout or session destroy? – jvk Jul 12 '19 at 11:49
  • See this post on how to troubleshoot php session problems (https://stackoverflow.com/questions/17242346/php-session-lost-after-redirect?page=1&tab=oldest#tab-top) – Udo E. Jul 12 '19 at 12:21
  • SOLVED: I extracted the php scripts to an external php file and added `action` attribute to the button. This way, session variables were deleted successfully. – Yüce Kılıç Jul 13 '19 at 09:54

3 Answers

1

I think you can do this by destroying the session using the session_destroy() method.

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

You can read more about it from session_destroy()

Hiren Patel
0

Here you are destroying the session, but you also need to unset that particular variable from the session array, just like below, before destroying the session.

```php
unset($_SESSION['user']);
```
0

Put this line immediately after your redirect line

```php
echo '<script>window.location.href = "same-page.php";</script>'; // redirect
exit; // close current php script after redirect
```
Udo E.
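
A logout endpoint that combines what the answers above describe piecemeal, as an added example (not code from the question or the answers): it empties `$_SESSION`, expires the session cookie, calls `session_destroy()`, then redirects with a `Location` header and `exit`. The file name `logout.php`, the `profile.php` redirect target and PHP 7.3+ (for the `setcookie()` options array) are assumptions; `use_button` is the button name from the question, whose form would post here via `action='logout.php'`.

```php
<?php
// logout.php -- added example; file name and redirect target are assumptions.
declare(strict_types=1);

/**
 * End the current session completely: the in-memory data, the data in the
 * session store, and the session cookie held by the browser.
 */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // a session must be active before it can be destroyed
    }

    $_SESSION = [];                 // session_destroy() does not clear this array

    // Expire the session cookie so the browser stops sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    session_destroy();              // remove the stored session data on the server
}

// Only act on the POST sent by the "Log out" button.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['use_button'])) {
    end_session();
}

// Redirect with a header (no output has been sent yet) and stop the script,
// so nothing after this point can run or touch the session again.
header('Location: profile.php', true, 303);
exit;
```

Because this file emits no HTML before `header()`, the redirect does not depend on output buffering or on JavaScript running in the browser.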