23

I need to figure out how to unset this cookie. Everything I tried so far has failed.

This is how I am currently unsetting it and it doesn't seem to work.

setcookie("user_id", $user_id, time() - 7200);

This is how I set it:

setcookie("user_id", $user_id, time() + 7200);

I have this function called set_session_from_cookie() that checks if a cookie is set, and if it is set, it starts a new session using the cookie.

The problem is that when I use this on my page I am unable to log out. I assume this is because I am unable to unset the session.

The reason I have this function is if a user wants to be remembered after they end the session, they can restart the session by calling the cookie.

function set_session_from_cookie()
{
    if (isset($_SESSION['user_id'])) {
        echo '';
    } else {
        $_SESSION['user_id']=$_COOKIE['user_id'];
    }
}

Logout:

<?php
require'core.php';
session_destroy();

setcookie("user_id", "", time() - 7200);
header('Location:/social_learning/site_pages/starter-template.php');

I set my cookie with the following code:

if ($rememberme == "on") {
    $user_id = mysql_result($query_run, 0, 'id');
    setcookie("user_id", $user_id, time() + 7200);
    $_SESSION['user_id'] = $user_id;
    redirect('home_page.php');
} else {
    if ($rememberme == "") {
        echo 'ok';
        $user_id = mysql_result($query_run, 0, 'id');
        echo $user_id;
        $_SESSION['user_id'] = $user_id;
        redirect('home_page.php');
    }
}

How can I restart the session using the saved cookie without using the function I created, since the function seems to be causing the user to no longer be able to log out?

smottt
arboles
  • Is your cookie supposed to be site-wide? – Ja͢ck May 10 '12 at 03:00
  • Should it be? How can I tell? – arboles May 10 '12 at 03:01
  • 4
    Don't use relative times for unsetting cookies. That makes the unsetting depend on your user's clock being accurate. Use a time of `1`, which'll catch everyone but those with truly broken clocks who think it's 1970. – Marc B May 10 '12 at 03:01
  • How do I set it to a time of 1? – arboles May 10 '12 at 03:02
  • 2
    This is not secure. Cookies can be easily edited, and in this case someone could log in as any user by editing the cookie. You should use some sort of encryption for the cookie. – Paul May 10 '12 at 03:09
  • Thanks, I know this is unsafe. I will add encryption once it is working properly. – arboles May 10 '12 at 03:12
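
The tampering risk raised in the comments above, as an added example (not code from the original post): instead of the bare `user_id`, the cookie carries the id, an expiry and an HMAC over both, and the server rejects any value whose signature does not verify. This uses signing (integrity) rather than the encryption the comment suggests; the function names and the `REMEMBER_KEY` secret are assumptions.

```php
<?php
// Added example: tamper-evident remember-me cookie value.
// REMEMBER_KEY is a placeholder; load a long random secret from server-side config.
const REMEMBER_KEY = 'replace-with-random-secret-from-config';

/** Build "userId.expires.signature" for storage in the cookie. */
function remember_token_create(int $userId, int $lifetime = 7200, ?int $now = null): string
{
    $expires = ($now ?? time()) + $lifetime;
    $payload = $userId . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, REMEMBER_KEY);
}

/** Return the user id if the token is authentic and unexpired, otherwise null. */
function remember_token_verify(string $token, ?int $now = null): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, REMEMBER_KEY);
    // hash_equals() compares in constant time, so the check leaks no timing signal.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < ($now ?? time())) {
        return null;
    }
    return (int) $userId;
}

// Constructed sample values: a token issued for user 42, then the same
// token with the id edited to 1, as a client could do in the browser.
$token  = remember_token_create(42);
$forged = preg_replace('/^42\./', '1.', $token);

// The issued token verifies; the edited one fails the signature check.
var_dump(remember_token_verify($token));
var_dump(remember_token_verify($forged));
```

A signed value stops editing but not theft of the cookie; a random token stored server-side and deleted at logout also lets the server revoke it.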

6 Answers

36

Set the cookie's expiration date to a time in the past (like one second after epoch, for example).

setcookie("yourCookie", "yourValue", 1);

This will cause the cookie to expire.

1 is used instead of 0, because 0 sets the cookie to expire at the end of the session.

rybo111
FThompson
14

The solution to this problem was that I needed to set the correct path to unset the cookie, since I was unsetting it from a different file than the one I originally set it in.

I found out which path I needed to use for the unset by looking for the cookie inside my browser cookies, and once I found the cookie inside my browser, the path was listed near the cookie. So I then set the path to the cookie like so:

setcookie("user_id", $user_id, time() - 1, "/social_learning/site_pages");

The last parameter is the path. And it worked.

My original setcookie looks like this:

setcookie("user_id", $user_id, time() + 7200, "");
smottt
arboles
  • This is the answer. I like how a far more liked answer fails to take account that you did set it to a negative time and it didn't unset. This answer is more appropriate to the question. Thanks. – Stephen Duffy Jul 27 '20 at 14:33
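
The path mismatch described in the answer above, as an added example (not code from the original post): the cookie's attributes live in one function, so the call that deletes the cookie uses the same path as the call that set it. The function names, the `/social_learning/` path scope and the HTTPS-only flags are assumptions; the array form of `setcookie()` requires PHP 7.3 or later.

```php
<?php
// Added example: one source of truth for the cookie's attributes.
// A browser only replaces or removes a stored cookie when the name, path and
// domain of the new Set-Cookie header match it, so set and delete must agree.
const REMEMBER_COOKIE = 'user_id';

/** Attributes shared by the set and delete calls. */
function remember_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/social_learning/', // assumption: covers login and logout pages
        'secure'   => true,                // assumption: site is served over HTTPS
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

function remember_set(string $value, int $lifetime = 7200): bool
{
    return setcookie(REMEMBER_COOKIE, $value, remember_cookie_options(time() + $lifetime));
}

function remember_clear(): bool
{
    // Drop the value from the current request too, so code that runs later in
    // this request (such as set_session_from_cookie()) cannot rebuild the session.
    unset($_COOKIE[REMEMBER_COOKIE]);
    // An empty value makes PHP send a deletion header; the path must still match.
    return setcookie(REMEMBER_COOKIE, '', remember_cookie_options(1));
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
    remember_clear();
}
```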
6

There are a few security concerns regarding your code; however, to answer your question, to unset a cookie in PHP, all you need to do is set the expiration time to a time in the past:

setcookie("user_id", "", time()-10, "/");

"loginform.php" is not a valid domain, that might be the problem here.

mohamed elbou
5

Look at the PHP manual for information on setcookie:

http://php.net/manual/en/function.setcookie.php

These notes should explain the process:

bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )

Cookies must be deleted with the same parameters as they were set with. If the value argument is an empty string, or FALSE, and all other arguments match a previous call to setcookie, then the cookie with the specified name will be deleted from the remote client. This is internally achieved by setting value to 'deleted' and expiration time to one year in past.

Because setting a cookie with a value of FALSE will try to delete the cookie, you should not use boolean values. Instead, use 0 for FALSE and 1 for TRUE.

Magento Guy
  • I am currently doing this, using the same parameters to delete as I am to set, and it is not working. – arboles May 10 '12 at 03:37
4

Use this code:

  setcookie("CookieName", "", time()-(60*60*24), "/");

Works every time for me on every website.

Vaibhav Gautam
1

According to the PHP manual, you can delete a cookie by setting an expiration date in the past:

setcookie("key","",time()-3600);

In some cases, you should provide the path and domain as arguments.

In fact, if you assign a cookie an empty string, it'll also be unset:

setcookie("key","");