0

I am trying to delete a cookie.

I am using setcookie("PHPSESSID", "", time() - 6400); which deletes the cookie just fine.

However it is not entirely deleted. When looking at firebug, under "Response Headers" the cookie is being deleted. However under "Request Headers" the cookie is not deleted (and this affects the code behavior).

Ho do I delete (or modify, or access) this other cookie as well?

Thanks!

Lucy Weatherford
  • 5,452
  • 16
  • 50
  • 76
  • 4
    What is your ultimate goal? php has `session_destroy()` – Mikhail Feb 22 '12 at 19:33
  • Are you talking about request headers of the request you delete it on. Or the next request. The cookie should only be deleted from the request headers on the next request, not the current one. – Paul Feb 22 '12 at 19:33
  • 3
    Does the page which is calling `setcookie()` to delete `PHPSESSID` also happen to call `session_start()` at the top? If so, the cookie will be reset when the page reloads. – Michael Berkowski Feb 22 '12 at 19:34
  • Mikhail is right, didn't notice the name of the cookie. Use built in session functions to deal with the session id cookie. – Paul Feb 22 '12 at 19:35
  • 1
    how does it affect code behavior exactly? a cookie doesn't really delete but rather can be set to expire. expiring the cookie shouldn't take affect until client side. are you saying that you are able to access the cookie client side, or on subsequent requests to the server? are you starting a session in the same request that you are deleting the cookie? – dqhendricks Feb 22 '12 at 19:36
  • Try destroying the session with a `session_destroy()`as well, that way, if the client passes the `PHPSESSID` again, it won't matter, because the corresponding session will not exist anymore. – ralfe Feb 22 '12 at 19:40
  • @PaulP.R.O. how do I make it so that the cookie is deleted on this one? do it in previous page? I am unable to alter the request headers cookie, which is what i've been trying to do. i can see in firebug that it is still there no matter what i do... – Lucy Weatherford Feb 23 '12 at 20:44
  • @Michael and if it doesn't? how can I do it? should I use this delete cookie (by setting it to expire in the past) and then redirect to another ajax page? how should I go about it? I was not successful when I tried, your help is appreciated – Lucy Weatherford Feb 23 '12 at 20:46
  • @dqhendricks yes, I can see the cookie details in firebug – Lucy Weatherford Feb 23 '12 at 20:47
  • 1
    @LucyWeatherford It doesn't make sense to remove the Cookie in the request headers. Once your PHP is running the Request headers are meaningless. They've already been sent to your server. – Paul Feb 23 '12 at 21:31
  • @PaulP.R.O. well I don't want them to be sent, how do I change that? – Lucy Weatherford Feb 23 '12 at 21:38
  • 1
    It seems like this question is misunderstood. We have all explained the way to delete cookies. I would either think that Firebug is wrong, or this can't be expired/deleted. – CoffeeRain Feb 23 '12 at 21:46

5 Answers5

3

I had such problem for my logout code, after hard work and researches I myself finally figured it out and used javascript to solve the problem.

You can easily do that in client-side using script below, you might need to change value of path and host:

document.cookie = "PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00   UTC;path=/;host=localhost";
wmk
  • 4,598
  • 1
  • 20
  • 37
Mahdi Younesi
  • 6,889
  • 2
  • 20
  • 51
  • This also solved my problem that I wanted to use data stored in cookie, and then unset the cookie in one page-load. Your Javascript solution finally solved my problem. (Cookie persisted until next page load, making the page parse the cookie twice.) – Eda190 Sep 30 '17 at 15:19
2

using setcookie("PHPSESSID", "", time() - 6400); expires the cookie like 2 hours ago, try using setcookie("PHPSESSID", "", 1); to expire it at epoch January 1st, 1970.

if that doesn't work you can try adding in the path like this setcookie("PHPSESSID","",time()-6400,"/");

You can try this example from http://www.php.net/manual/en/function.setcookie.php#73484 to remove all cookies, but I'm since this seems to be some sort of supercookie who knows..

// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
    $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
    foreach($cookies as $cookie) {
        $parts = explode('=', $cookie);
        $name = trim($parts[0]);
        setcookie($name, '', time()-1000);
        setcookie($name, '', time()-1000, '/');
    }
}
JKirchartz
  • 17,612
  • 7
  • 60
  • 88
  • Isn't it the same? I thought that setting a cookie back in time would destroy it, whatever the timespan is – Damien Pirsy Feb 22 '12 at 19:37
  • Both options don't work. Again, all that happens is that the "Response Headers" cookie is deleted, but the "Request Headers" cookie is unchanged. :( – Lucy Weatherford Feb 23 '12 at 18:57
1

You might want to unset the $_COOKIE variable too, by adding a 

unset($_COOKIE['PHPSESSID']);

in the next line. That however just affects the currently loaded page.

Big-Blue
  • 429
  • 9
  • 22
0

This code can solve this problem:

session_start(); // initialize session
session_destroy(); // destroy session
setcookie("PHPSESSID","",time()-3600,"/"); // delete session cookie
VCLHD
  • 21
  • 1
-1

See Example 1 here to delete and destroy a session:

http://php.net/manual/en/function.session-destroy.php

first unset the cookie, then destroy the session.

dqhendricks
  • 19,030
  • 11
  • 50
  • 83
  • nope. this does not work, the 'request headers' cookie is still unchanged – Lucy Weatherford Feb 23 '12 at 20:59
  • @Lucy Weatherford what what is the expiration time of the "request headers" cookie? to delete a cookie, you have to send the same named cookie from the server to the browser with an expired expiration date via a request header. the important thing is, can you access this cookie client side? does the client continue to send this cookie in the next request? if the answer is no, then your cookie is deleted. – dqhendricks Feb 23 '12 at 21:55
  • if you are following the directions above to the letter, and still have issues, then your problem lies elsewhere. you are most likely starting a new session after the deletion process, or you just misunderstand how cookies work all together. – dqhendricks Feb 23 '12 at 21:58
  • yes I am following it to the letter, the response header cookie is being deleted, the request header - not. The 'request headers' do not sho their expiration time in firebug. - which is where I can access this cookie in the client side (so yes to your other question then). It doesn't matter to me what happens in the NEXT request - I need it to be deleted here. how do I change it on this page. I know this is possible because I tried viewing the page in incognito mode, and everything worked just fine there, only when it is not incognito, the request header cookie is not deleted. – Lucy Weatherford Feb 23 '12 at 22:56
  • @LucyWeatherford so you saying after PHP blanks out and expires the cookie, destroys the session, and sends it's output to the client, the client is then still able to read the cookie via javascript? it sounds as if you may be starting a new session somewhere in your code after destroying the old one, which is in turn creating a new session id cookie. does the value of the cookie change to a new session id after you delete the session cookie and destroy the session? – dqhendricks Feb 24 '12 at 01:13
  • i dont know what the old one was, because it is being deleted. however I solved this through a workaround - by using a cronjob where the current session can't affect the session, and I send the information I need through the db... thankyou though! – Lucy Weatherford Feb 26 '12 at 00:28