How to Destroy the Session Cookie Correctly with PHP

How to destroy the session cookie correctly with PHP?

Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.

Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.

Deleting session cookies with PHP

Here you go, you need to delete in a loop:

// When dealing with sessions, always call session_start() at the top
session_start();
// From the PHP manual: unset all of the session variables.
// No need to loop over all $_SESSION[] keys
$_SESSION = array();

// For cookies you do something similar, from the PHP docs:
// http://php.net/manual/en/function.setcookie.php#73484

if (isset($_SERVER['HTTP_COOKIE'])) {
    $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
    foreach ($cookies as $cookie) {
        $parts = explode('=', $cookie);
        $name = trim($parts[0]);
        setcookie($name, '', time() - 1000);
        setcookie($name, '', time() - 1000, '/');
    }
}
session_destroy();

PS: from PHP manual:

Only use session_unset() for older deprecated code that does not use
$_SESSION. So don't use that. session_destroy() destroys all of the
data associated with the current session. It does not unset any of the
global variables associated with the session, or unset the session
cookie.

To be safe, call session_regenerate_id() upon login, logout, and in sensitive areas of the script.

How to delete a Session Cookie

You're correct in saying there is no way to do this in PHP. What you can do instead, if you want to remove a cookie, is to set the expiry to a time in the past:

// Set to 1 second in the past, this will invalidate the cookie.
setcookie("cookie_name", "", time() - 1, "/");

It is also a good idea to unset the cookie index within the $_COOKIE global since it can exist in there as the rest of the page is parsed.

unset($_COOKIE["cookie_name"]);

Sessions and cookies, if I destroy a session will the cookie go away? (PHP)

Here is the link where you can find the answer to your question:

http://www.codeflask.com/2012/08/why-session-destroy-when-remove-my.html

And the actual answer (cited from the link) is:

The session is destroyed automatically when the cookies are removed. The reason is that whenever the session is created, it also stores its id in a cookie, so that's why the session is destroyed automatically.

Best way to completely destroy a session - even if the browser is not closed

According to the manual, there's more to do:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

The manual link has a full working example on how to do that. Stolen from there:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>
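
An added example (not taken from the answers or the PHP manual) that combines the steps above into one logout routine: it expires the session cookie with the attributes it was issued with, destroys the server-side session, and sends no-cache headers so a cached admin page is not shown afterwards. The function names are hypothetical, and the array form of setcookie() assumes PHP 7.3 or later.

```php
<?php
// Added example; the function names below are hypothetical.
// Call logout() before any output is sent, since it sets headers.

/** Tell the browser not to store or re-display the authenticated page. */
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

/** Expire the session cookie with the same path/domain/flags it was set with. */
function expire_session_cookie(): void
{
    if (!ini_get('session.use_cookies')) {
        return; // session id is not carried in a cookie
    }
    $p = session_get_cookie_params();
    $options = [
        'expires'  => time() - 42000,
        'path'     => $p['path'],   // a mismatched path or domain leaves
        'domain'   => $p['domain'], // the original cookie in the browser
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ];
    if (!empty($p['samesite'])) {
        $options['samesite'] = $p['samesite'];
    }
    setcookie(session_name(), '', $options);
    unset($_COOKIE[session_name()]); // stale copy for the rest of this request
}

/** Full logout: session data, session cookie, server-side session, caching. */
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // needed so session_destroy() has a session to act on
    }
    $_SESSION = [];
    expire_session_cookie();
    session_destroy();
    send_no_cache_headers();
}

logout();
```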

Remove a cookie

You may try this:

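if (isset($_COOKIE['remember_user'])) {
    // Remove the value from the current request
    unset($_COOKIE['remember_user']);
    // Expire it in the browser; pass '' rather than null, since null for a
    // string parameter is deprecated as of PHP 8.1
    setcookie('remember_user', '', -1, '/');
    return true;
} else {
    return false;
}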

