I've configured WAMP on my system, and am doing the development-cum-testing in this local environment. I was working on the logout functionality, and happened to notice that the session IDs being generated are the same within the browser.

E.g., Chrome always generates session ID = abc, for all users, even after logging out and logging in; IE always generates session ID = xyz, for all users.

Is this an issue with WAMP / my test environment?

Please find my logout PHP script below:

<?php
session_start();
$sessionid = session_id();
echo $sessionid;
session_unset(); 
session_destroy(); 
?>
arun nair

7 Answers

7

You probably still have the cookie with the old session ID in it as neither session_unset nor session_destroy deletes that cookie:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

So use setcookie to invalidate the session ID cookie after logout:

if (ini_get("session.use_cookies")) {
    // Expire the session cookie using the same attributes PHP set it with;
    // a cookie with a different path or domain would be a second cookie,
    // and the browser would keep sending the original session ID.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Another recommendation is to regenerate the session ID after successful authentication using session_regenerate_id(true).

Gumbo
  • Yes, cookies were the problem. I thought sessions would by default use the server file mechanism, and not the cookie, so I wasn't wary of clearing the cookies. Thanks for the code too. Works like a charm! – arun nair May 20 '11 at 18:54
  • @arun: PHP's default session storage is files. The cookie is only used to transfer the session ID that is used to identify the session data in the storage. – Gumbo May 20 '11 at 18:56
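A complete logout script that puts the accepted answer's three steps together (clear the data, expire the cookie, destroy the server-side session). This is an added example, not code from the question or the answers; the redirect target /login.php is an assumption, and the array form of setcookie() plus the 'samesite' key in session_get_cookie_params() require PHP 7.3 or later.

```php
<?php
// Added example: full logout for a cookie-based PHP session.
// Without the setcookie() step the browser keeps sending the old ID, and
// session_start() on the next request resumes a session under that same ID,
// which is exactly the "same session ID for every user" symptom in the question.

function logout(): void
{
    // Resume the session named in the cookie so we know which one to kill.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all data held in $_SESSION for this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. Reuse the exact attributes
    //    PHP set it with; a different path or domain would create a second
    //    cookie and leave the original in place.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax', // key present on PHP >= 7.3
        ]);
    }

    // 3. Remove the server-side session file (or session-handler record).
    session_destroy();
}

logout();
header('Location: /login.php'); // assumed login page
exit;
```

Nothing may be echoed before logout() runs, because setcookie() must be sent with the response headers; the question's script prints the session ID first, which on many setups would make the later setcookie() fail with a "headers already sent" warning.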
4

Will work. Please try this:

session_start();              // resume the session identified by the cookie
session_regenerate_id(TRUE);  // issue a new ID; TRUE also deletes the old session's data
session_destroy();            // drop the data of the (new) session
cem
Praveen V
2

You must regenerate the session id using function session_regenerate_id(). Without that, the session ID would be the same between page refreshes.

Tomasz Kowalczyk
2

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Taken from http://php.net/manual/en/function.session-destroy.php

Jasoon
  • Where am I going wrong? I've unset all session variables by using the logout script, and it also destroys the session. So using the same browser, if a different login is made, why is it still using the same session ID as the previous user? I referred to php.net, which says: "The session_unset() function frees all session variables currently registered." – arun nair May 20 '11 at 18:42
  • Throw a session_regenerate_id() in there before the session_destroy() and you should get a new id? – Jasoon May 20 '11 at 18:45
  • session_unset() will unset session variables, not end the session. It just makes it so $_SESSION['whatever'] doesn't exist in the session, however you can still set variables into the session and continue using it. Session_destroy will actually delete the session file off the server so on next load there is no data for the session to find. – Jonathan Kuhn May 20 '11 at 18:45
1

session_unset() and session_destroy() do not delete the session cookie. You have to manually unset it with a setcookie() call.

session_unset is the converse of session_register(), and session_destroy simply cleans out $_SESSION without affecting the cookie.

Marc B
1

from the manual (session_destroy):

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Unless you specifically unset the cookie, then the cookie will still exist and the next time session_start() is called, it will use that as the session id. Closing the browser also should clear the cookie because they are generally set by php to expire on browser close.

Jonathan Kuhn
0

To stop session hijacking, follow the code below in PHP:

    session_start();

    /* to stop session hijacking */

    // Generate new session without destroying the old one
    session_regenerate_id(false);

    // Fetch current session ID and close both sessions to allow other scripts to use them
    $newSession = session_id();
    session_write_close();

    // Assign session ID to the new one, and start it back up again
    session_id($newSession);

    session_start();
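The answers above recommend session_regenerate_id(true) after a successful login (Gumbo's closing remark) or on every request (the snippet just above). An added example, not code from any answer, showing the login-side counterpart of the logout script: the session cookie is hardened before session_start(), and the ID is rotated at the moment the user's privilege level changes, so an ID an attacker planted or observed before login (session fixation) no longer maps to anything. check_credentials() is a constructed stand-in for a real user store, and /account.php and the use of HTTPS are assumptions.

```php
<?php
// Added example: hardened login handler with session ID rotation.

// Session settings must be applied before session_start().
ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');     // send over HTTPS only (assumes TLS is in use)
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3

session_start();

// Constructed stand-in for a password_verify() lookup against a user store.
// Returns the user ID on success, null otherwise.
function check_credentials(string $user, string $pass): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 1;
    }
    return null;
}

function login(string $user, string $pass): bool
{
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Privilege level changes here: issue a fresh ID and delete the old
    // session's data (true). The browser receives a new Set-Cookie, so the ID
    // it carried before authentication is dead on the server.
    session_regenerate_id(true);
    $_SESSION['uid']      = $uid;
    $_SESSION['login_at'] = time();
    return true;
}

if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    header('Location: /account.php'); // assumed post-login page
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

session.use_strict_mode is the setting that closes the remaining fixation gap: without it, a browser that presents an arbitrary, never-issued ID in the cookie gets a brand-new session created under that attacker-chosen ID.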