
I am working on a third-party PHP server that does the following:

When a user logs in:

ini_set("session.name","APPSESSID");
session_start();

When a user logs out:

unset( $_SESSION['user'] );
unset( $user );
session_destroy();

The problem is that on logout, APPSESSID is not actually deleted at the client browser. It gets a different value on logout (it seems to become what is known as an anonymous cookie).

This is causing problems because I have a WebSockets API that checks whether the UA sends the APPSESSID cookie in its connect request, and this cookie is still sent by the client even after it logs out of the PHP app, as the cookie doesn't really get deleted, just rewritten.

How do I ensure the cookie is actually deleted on logout?

Thanks

user1361529
    See the highest scoring answer here: http://stackoverflow.com/questions/2241769/php-how-to-destroy-the-session-cookie-correctly – Chris Lear Oct 05 '15 at 14:14
  • 2
    [RTFM](http://php.net/session_destroy): `does not unset any of the global variables associated with the session, or unset the session cookie`. If you want to destroy the appsessid cookie itself, you'll have to unset it with a `setcookie()` call. – Marc B Oct 05 '15 at 14:14
  • I've actually read the highest scoring answer pointed to by @ChrisLear and have read that I need to delete it. Please see my response to Federkun's answer below. What am I missing? Thanks – user1361529 Oct 05 '15 at 14:31

1 Answer

As the documentation says:

If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
Federkun
  • The problem is that even after deleting the cookie with the code above, it still remains in the browser (it gets written with a different value). My logout code is here: http://pastebin.com/y8B55RQS. Am I doing something wrong in the login code I pasted? – user1361529 Oct 05 '15 at 14:30
  • 1
    _gets written with a different value_ - Have you restarted the session? – Federkun Oct 05 '15 at 14:36
  • AHA! I think you are correct. The 3rd party PHP server seems to be doing a "ini_set('session.name', 'APPSESSID'); session_start()" in index.php and when you log out it loads index.php to get you back to login screen!!!!! I think this should be in the userLogin screen! – user1361529 Oct 05 '15 at 14:40
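The two points made above (session_destroy() does not touch the cookie, and any later session_start() hands the browser a fresh cookie) combined into one logout handler. This is an added example, not code from the question, the answer or the third-party application; it assumes PHP 7.3 or newer for the array form of setcookie() and the 'samesite' entry returned by session_get_cookie_params(), and it assumes the login page path /login.php, which is not on the original page.

```php
<?php
// Added example: a logout handler that removes the server-side session,
// expires the APPSESSID cookie in the browser, and then leaves the
// session closed so PHP does not reissue a cookie on the way out.
// Assumptions: PHP >= 7.3 (array-form setcookie(), 'samesite' in
// session_get_cookie_params()) and a login page at /login.php.

ini_set('session.name', 'APPSESSID');
session_start();

/**
 * Log the current user out and make the browser forget the session cookie.
 */
function logout(): void
{
    // 1. Drop all session variables (unset($_SESSION['user']) alone leaves
    //    any other keys behind).
    $_SESSION = [];

    // 2. Expire the cookie in the browser. The attributes must match the
    //    ones the cookie was set with (path, domain, secure, httponly,
    //    samesite); a setcookie() with a different path or domain creates a
    //    second cookie instead of overwriting the existing one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Delete the server-side session data. This does not touch the
    //    cookie, which is why step 2 is needed.
    session_destroy();
}

logout();

// Send the user to the login page. That page must not call session_start()
// before the user has authenticated again: session_start() on a request
// that carries no valid session cookie creates a new session and sets a
// new APPSESSID cookie, which is exactly the "rewritten" cookie the
// question describes.
header('Location: /login.php');
exit;
```

One caveat for the WebSocket side: the mere presence of an APPSESSID cookie in the connect request is not proof that the user is logged in. Even with the handler above, a browser can present a stale or attacker-chosen value, so the WebSocket endpoint should resolve the cookie value against the PHP session store (or another server-side record of authenticated sessions) and reject ids that do not map to a live, logged-in session.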