0

I have a logout script for my web app which is the following:

<?php
session_start();
require_once("config.php");

$logout_connect = mysql_connect($db_host, $db_user, $db_pass);
if (!$logout_connect) {
    die('Impossibile connettersi: ' . mysql_error());
} else {
    mysql_select_db($db_name, $logout_connect);
    // Remove the user's recent ratings and the stored session row
    mysql_query("DELETE FROM valutazioni_recenti WHERE idutente = '".$_SESSION['userid']."' ");
    if (mysql_query("DELETE FROM sessions WHERE ssnid = '".$_SESSION['ssnid']."' AND userid = '".$_SESSION['userid']."'")) {
        // Clear the session data and destroy the server-side session
        $_SESSION = array();
        $session_id = session_id();
        session_destroy();
        mysql_close($logout_connect);
        header("location: login.php?logout");
        exit();
    }
}

?>

It logs the user out correctly, but, as I save session data in a DB on login and delete them on logout, I can see that if I log in with a session id like "096c02aefbb34jd175bfa89d4ec1235", when I log out and log in again it gives the same session id to that specific user. Is it normal? Is there a way to change it? Do I just have to mix it (or md5 it) with the login time?

Mr.Web
  • My logout scripts just include `session_start();` then `session_destroy();` and lastly `header('Location: index.php');` and it works. – Daryl Gill Mar 23 '13 at 11:24
  • If you want to regenerate a new session id, check the PHP function session_regenerate_id() – tuffkid Mar 23 '13 at 11:27

3 Answers

1

This is completely normal, don't worry about it. Some other people asked about the same thing on Stack Overflow.

This is due to the cookies stored in your browser, so to "fix it" you must either delete the cookie or regenerate the ID with PHP.

You have a better explanation in a different post:

why is php generating the same session ids everytime in test environment (WAMP)?

Community
xarlymg89
1

You are missing something in your logout code: the cookie values stored in the user's browser. The PHP function session_destroy(); doesn't delete user cookies; you have to unset them manually by setting the expiry time to a past date or time.

setcookie ("TestCookie", "", time() - 3600);  //will set expiry time one hour back

So if you don't unset the cookie in the user's browser, it will take the same session id every time you make a new login.

Prashant Shukla
  • Ok, tku! I never set a cookie on the login in the first place, I now did and check it while on the webapp, then on logout I delete the cookie. Tku! – Mr.Web Mar 24 '13 at 20:01
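
An added example, not part of the original posts: the two fixes named in the answers above (expiring the session cookie on logout, and regenerating the ID with session_regenerate_id()) combined into one login/logout pair. The function names are hypothetical, the `userid` key and `ssnid` column are taken from the question, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the original posts). Function names are hypothetical;
// the 'userid' session key follows the question. Assumes PHP 7.1+.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session ini settings can only be changed while no session is active.
        ini_set('session.use_strict_mode', '1');   // ignore IDs the server never issued
        ini_set('session.use_only_cookies', '1');  // never accept an ID from the URL
        ini_set('session.cookie_httponly', '1');   // hide the cookie from JavaScript
        session_start();
    }
}

function on_login_success(int $userId): string
{
    start_session();
    // Replace the ID the browser presented with a fresh one and delete the
    // old session data, so a pre-login ID never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
    return session_id(); // the value to store as ssnid in the sessions table
}

function on_logout(): void
{
    start_session();
    $_SESSION = [];
    // session_destroy() leaves the cookie in the browser; expire it explicitly,
    // using the same path/domain/flags it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call on_login_success() only after the credentials have been verified, and on_logout() before any output is sent so the cookie header can still be written.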
0

Try this:

<?php

/*  CREDITS: Sergio Abreu
 *  dosergio@gmail.com
 */

// Session Configuration 

$minutes = 1 * 60; // One hour

$obsess = array();

// $_SESSION is undefined until a session has been started, so test with empty()
if( !empty($_SESSION) ){
  foreach ( $_SESSION as $k=>$v){
    $obsess[$k] = $v;
  }
  session_destroy();
  session_set_cookie_params( $minutes * 60);
}

ini_set( "session.use_cookies", 1);
ini_set( "session.gc_probability", 1);
ini_set( "session.gc_divisor", 1);
ini_set( "session.cookie_lifetime", $minutes * 60);
ini_set( "session.gc_maxlifetime", $minutes * 60);


//Starts new Session
session_start();

// Restore data:

if( $obsess ){
  foreach ( $obsess as $k=>$v){
    $_SESSION[$k] = $v;
  }
}
?>
Sergio Abreu