I have this function logout that gets called before the HTML is rendered and it is:
    function logout()
    {
        $_SESSION = [];
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }
        session_destroy();
    }
What it should do is remove the PHP session file (does not happen) and the client cookie should be deleted (does not happen).
I looked at https://www.php.net/manual/en/function.session-destroy.php but I do not see the problem.
I tried setcookie(session_name(), '', time() - 42000) but that also does not work. Commenting out the if with session.use_cookies does not help.
If I check with Chrome inspector tools, no expiry time is set for the cookie, but the session ID matches the server session file, so the setting of the cookie is correct.
2 Answers
That was the problem (I called session_start after session_destroy); my session_start was in the index page (custom framework). But I do not know how to solve the problem. If I move the session_start to the login function, the session stops working on other pages: "In order to use session variables and have them carry across pages, you need to put it at the top of each page before anything else." Session lost after page redirect in php. So I guess I will have to settle for emptying the session.
If I put an exit in my logout function after session_destroy, the session file is gone and the cookie is gone, so that is proof that the code is good.
If the session is being set on a different page, or in the incorrect order, you won’t be able to change the session data or destroy the session. I’m not sure of your specific structure but implementing a check to see if there is a session, then setting a session if there isn’t might be a good place to start.
Try this:
You can also add session_unset() before session_destroy(). More information: php unset() and unset and destroy.
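
The ordering issue discussed in this thread, as an added example that is not code from the question or from either answer: the front controller starts the session once, and logout ends the request right after session_destroy() so no later session_start() can run. The names start_session_once, the redirect target /login.php and the POST field "action" are assumptions made for illustration.

```php
<?php
// Added example; function names, the redirect path and the "action"
// field are hypothetical and not taken from the original page.

function start_session_once(): void
{
    // Start a session only when none is active, so this is safe to call
    // from the front controller and from logout().
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

function logout(string $redirectTo = '/login.php'): void
{
    // session_destroy() needs an active session to act on.
    start_session_once();

    // Clear the in-memory session data for the rest of this request.
    $_SESSION = [];

    // Expire the session cookie with the same attributes it was set with.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params['path'], $params['domain'],
            $params['secure'], $params['httponly']
        );
    }

    // Remove the server-side session data.
    session_destroy();

    // End the request here so framework code that would call
    // session_start() again never runs in this request.
    header('Location: ' . $redirectTo);
    exit;
}

// index.php (front controller): start the session first, then dispatch.
start_session_once();

// Accept logout only via POST so a plain link or image tag cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'logout') {
    logout();
}
```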