Forcing a new session?

Kylotan

I have a system where a user has to login and will receive their session ID as plain text so that it can be processed by a client that isn't a normal web browser. I've read the session section of the docs several times but it's a lot more complicated than I was with ASP 🙂 The two questions that I have are:

1) When testing this with a browser, how can I ensure that it's a new session each time they use the login page? session_start() seems happy to reuse a session if it finds the appropriate cookie in the request, and ends up sending back the same ID from session_id().

2) Can I stop the script from sending a cookie at all? I want a session generated, with a server-side timeout, but I want to pass the id about in the URL, not as a cookie.

Tea_J

hi, for the first question, use session_destroy();

at every login page in my applications, i always have :

include('myinc.php');
session_start();

//this cleans out all the sessions that may cause issues
session_destroy();

For the 2nd question, i am not all that sure, but i've been using:

$_SESSION['mySession'] = "My session Variables";

and with this, i've checked my temp files, and there is no sign of any cookies.. simple as that..

hope this helps

Tea

Kylotan

Originally posted by Tea_J
hi, for the first question, use session_destroy();

But the docs at http://www.php.net/manual/en/function.session-destroy.php say that it explicitly doesn't do anything about the cookie. And when would I use it when I need a new session right there? Calling session_destroy right after session_start seems very strange.

Tea_J

Hi Kylotan

But the docs at http://www.php.net/manual/en/functi...ion-destroy.php say that it explicitly doesn't do anything about the cookie

well, like i said, the method im using doesnt set any cookies or anything...

$_SESSION['mysession']=$userName;

i check my temp internet files folder, and viola, no cookie.. i'd suggest you try it on your environment

Calling session_destroy right after session_start seems very strange.

dude, while your one the PHP manuals page, READ IT. 🙂
you can see in the example that it starts the session first... you have to start your session connection thingy before you can do any session stuffs..

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
session_unset();
// Finally, destroy the session.
session_destroy();
?>

Kylotan

Sorry, but that doesn't seem to make much sense... from all indications, the session should set a cookie by default, and session_destroy doesn't touch that. And if I call session_destroy, can I call session_start straight away to get a new session? Because that's what I need. It's not at all clear.

In fact there's a comment on that doc page that reads "I've tried everything everyone here has suggested as far as destroying cookies go and none of them has worked for me. That is, I can destroy all session variables, but since the cookie stays on the user's computer, I can still get to pages I should only be able to get to after logging in even if I've logged out." That would be a real problem for me.

Tea_J

hmm.. im using sessions to store critical user info, and i cant have them variables stored via cookies in local client directories.. maybe we have the same situation.. however, like i said, the session setting method i spoke of earlier doesnt at all store any cookie on the client's machine... i suggest you try it yourself here:

clean out your temp internet files folder first!

http://teaconcepts.net/tests/customers/customer_login.php

username:miko
password:mido

..that is a test page i used....

when you visit the page, any session related to that page is destroyed by

session_start();
session_destroy();
bla bla bla..

....then when your login is successful, it sets a session $_SESSION[' sess_data'] = $user . $pass

and redirects you to the customer panel...

by then you may check your temp internet folder to see for yourself that there are NO COOKIES used for this session..
also, try NOT CLOSING the browser, but GOING BACK to the login page... going back to the login page destroys the session...

hope this helps.

tea

Kylotan

There is a cookie being used, it's just not being saved as it expires at the end of the 'session', where the browser usually means this to be when you close all the browser windows.

Mozilla Firebird reports from when I just used your site:

NAME: PHPSESSID
CONTENT: b77f07ff8fd416a3a739dba493bba982
HOST: teaconcepts.net
PATH: /
SERVER SECURE: no
EXPIRES: at end of session

Tea_J

oh.. i thought you meant the saved ones... $_COOKIE stuffs.. i got confused.. (it's freakin 3:30 am here, and i havent had any sleep in 30 hours)..

however, i do believe that session_destroy() gets rid of the session cookie.

peace!

tea