03-03-2008, 05:36 PM
|
#1 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
Best Way To Delete A Cookie?
Hello,
I'm having some problems with my shopping cart scripts. When a user logs in, the following code is executed:
PHP Code:
//Start the session
session_start();
//Create session variable
session_register("user");
//let's grab the session ID for those who don't have cookies
$id = session_id();
$url = "Location: myaccount.php?sid=" . $id;
header($url);
Now when you logout, it does the following:
PHP Code:
//let's completely terminate the session and bring them to login page
session_start();
session_unset();
session_destroy();
echo ("Logging Out...");
header('Refresh: 1; url=index.php');
When you try to log in with two different accounts, both are being assigned the same session ID. I think this is because the cookie was being deleted server side, but it was still remaining on the client's machine? For some reason
PHP Code:
session_unset();
session_destroy();
wasn't deleting the cookie from the machine.
Would it be OK to add a bit of JavaScript after session_destroy() which deleted the cookie? I was told I couldn't delete it in PHP because there has already been some output after the header or something - sorry, not explained very well.
I want each user to be assigned a different session_id because I am using that to select the products in their cart.
Thanks,
Steven
|
|
|
|
03-03-2008, 06:22 PM
|
#2 (permalink)
|
|
The Contributor
Join Date: Feb 2008
Location: Croatia
Posts: 90
Thanks: 4
|
to delete a cookie:
you have your cookie code
PHP Code:
// Set cookie
setcookie("cookieName", $value, time()+3600);
// Unset Cookie
setcookie("cookieName", $value, time()-36000);
The same could be used - cookieName = PHPSESSID and unset it.
From session_destroy() @ php.net manual
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
__________________
Back from sysadmins to the programmers.
|
|
|
|
|
|
03-03-2008, 07:09 PM
|
#3 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
Oh, so would something like this work instead?
If login = true
PHP Code:
//Start the session
session_start();
//Create session cookie
// Set cookie
setcookie("loggedin", "TRUE", time()+(3600 * 24));
//let's grab the session ID for those who don't have cookies
$id = session_id();
$url = "Location: myaccount.php?sid=" . $id;
header($url);
else
PHP Code:
session_start();
session_unset();
session_destroy();
unset($id);
// expire cookie
setcookie ("loggedin", "", time() - 3600);
echo ("Logging Out...");
header('Refresh: 1; url=index.php');
$id is storing the session_id.
Would that work? Also, what would replace $value?
Edit: That wouldn't work. As I said in the first post:
Quote:
|
Originally Posted by php.net
Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace.
|
Last edited by StevenF : 03-03-2008 at 08:03 PM.
|
|
|
|
03-03-2008, 09:54 PM
|
#4 (permalink)
|
|
The Frequenter
Join Date: Nov 2007
Location: Netherlands
Posts: 460
Thanks: 49
|
That should work fine. Since you're not setting any content on the cookie and the timer is negative, it's automatically a false cookie. Plus, almost every browser including Netscape and Internet Explorer deletes out-of-date cookies. Otherwise, it's not a problem since you can make your system check for cookies and then validate the timestamp given.
To sum it up once again, that should work fine. And oh yeah, to the quote. Think of setting (and unsetting) of cookies as headers. It's basically the same rule, before ANY output. I haven't found a good method to unset it in-script, but I do it with a post variable.
__________________
"Life is a bitch, take that bitch on a ride"
|
|
|
|
|
|
03-03-2008, 10:33 PM
|
#5 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
Quote:
Originally Posted by ReSpawN
That should work fine. Since you're not setting any content on the cookie and the timer is negative, it's automatically a false cookie. Plus, almost every browser including Netscape and Internet Explorer deletes out-of-date cookies. Otherwise, it's not a problem since you can make your system check for cookies and then validate the timestamp given.
To sum it up once again, that should work fine. And oh yeah, to the quote. Think of setting (and unsetting) of cookies as headers. It's basically the same rule, before ANY output. I haven't found a good method to unset it in-script, but I do it with a post variable.
|
But that's my problem; the above code exists half way through my script. I was thinking it would be possible to set the cookie in PHP as shown, then delete it using JavaScript?
|
|
|
|
03-03-2008, 10:45 PM
|
#6 (permalink)
|
|
The Addict
Join Date: Nov 2007
Posts: 264
Thanks: 2
|
ob_start();
__________________
"What everyone seems to forget is that while knowledge certainly is something - it's the implementation of knowledge that brings power" - Andres Galindo.
|
|
|
|
03-03-2008, 11:20 PM
|
#7 (permalink)
|
|
The Acquainted
Join Date: Nov 2007
Posts: 166
Thanks: 0
|
I know this has already been answered but here's what it says at php.net.
PHP: session_destroy - Manual
Quote:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
...
PHP Code:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>
...
Note: Only use session_unset() for older deprecated code that does not use $_SESSION.
|
__________________
Eric
|
|
|
|
|
|
|
03-03-2008, 11:47 PM
|
#8 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
I have it so that it removes the cookie when you log out, but for some reason, it's still logging two different people in with the same session id :(
I need to be able to reset the session_id() without closing the browser, is that possible?
Last edited by StevenF : 03-04-2008 at 12:25 PM.
|
|
|
|
03-04-2008, 01:38 PM
|
#9 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
No matter, I thought of a better solution:
When a user logs in, their username is stored in a cookie. I then store that cookie in a $username variable on the products page. This allows me to $_GET the username from the url and insert it into the cart table when they select an item. In turn allowing me to display all the items added by that user.
Took a bit of thinking, but I got it in the end!  Now I need to check if a row already exists, and if it doesn't, run the query.
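Added example, not part of the thread: a username read from a cookie or from the URL is client-controlled, so this sketch keys cart rows on the server-side session value instead and folds the "insert only if the row does not exist" check into one statement. The table, columns and the add_to_cart() helper are hypothetical, and an in-memory SQLite database stands in for the shop's own.

```php
<?php
// Added example (not code from the thread). Table and column names, and the
// add_to_cart() helper, are hypothetical; SQLite in memory stands in for the
// shop database.

function add_to_cart(PDO $db, array $session, int $productId): bool
{
    // Identity comes from the server-side session, filled in at login.
    // A username read from a cookie or from ?username= can be changed by
    // the client to any other account name.
    if (empty($session['user'])) {
        return false;                       // not logged in: no cart write
    }
    // The UNIQUE constraint plus INSERT OR IGNORE gives "insert only if the
    // row does not exist yet" in one atomic statement.
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO cart (username, product_id) VALUES (?, ?)'
    );
    $stmt->execute([$session['user'], $productId]);
    return $stmt->rowCount() === 1;         // true only when a row was added
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cart (
    username   TEXT NOT NULL,
    product_id INTEGER NOT NULL,
    UNIQUE (username, product_id)
)');

// Constructed sample data: what login would have put into $_SESSION.
$session = ['user' => 'steven'];

var_dump(add_to_cart($db, $session, 42));   // first add
var_dump(add_to_cart($db, $session, 42));   // duplicate, ignored
var_dump(add_to_cart($db, [], 42));         // no session user, refused
```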
|
|
|
|
03-04-2008, 02:26 PM
|
#10 (permalink)
|
|
The Acquainted
Join Date: Jan 2008
Posts: 136
Thanks: 4
|
You should try putting session_regenerate_id().
|
|
|
|
|
|
|
03-04-2008, 03:43 PM
|
#11 (permalink)
|
|
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
|
Quote:
Originally Posted by Gareth
You should try putting session_regenerate_id().
|
I was actually looking at that earlier but never put it into practice. The method I posted above works much better. I originally wanted to store the session_id() in the cart table, and then use that to identify each order. But every time the person visited the page they would be using a different ID and they would have to start their order again. I like my new method and it's working as intended :)
Thanks all,
Steven
|
|
|
|
03-08-2008, 03:36 PM
|
#12 (permalink)
|
|
The Acquainted
Join Date: Jan 2008
Posts: 136
Thanks: 4
|
Sorry for a bump but I meant to use session_regenerate_id() when the user logs in. This can help to prevent session hijacking (it isn't 100% effective, mind you!).
Glad you got it working as intended!
Gareth
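Added example, not part of the thread: the two pieces of advice above combined, with session_regenerate_id() at login and a logout that clears the session variables, expires the session cookie using the parameters it was set with, and sends every header before any output. The login_user() and logout_user() names are hypothetical, and the ini settings assume the session ID should travel only in a cookie rather than in a ?sid= URL parameter.

```php
<?php
// Added example (not code from the thread). login_user() and logout_user()
// are hypothetical names.

// Keep the session ID in a cookie only; never accept or emit it in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
ini_set('session.cookie_httponly', '1');

function login_user(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New ID at the privilege change; true deletes the old session data,
    // so an ID that was known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                         // drop the server-side variables

    // Expire the cookie with the same path/domain it was set with,
    // otherwise the browser keeps the old one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                      // remove the session storage
}

// Logout endpoint: all header work happens before the first byte of output.
// (ob_start() at the top of a script is the alternative when output cannot
// be moved.)
logout_user();
header('Refresh: 1; url=index.php');
echo 'Logging Out...';
```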
|
|
|
|
|