@($%* Sessions

rmiller1985

I've looked at the docs and searched this board. I've read lots of stuff, but I still can't seem to get a user "logged off."

The login form is pretty basic, the same type if thing that I've seen in several posts on this board:

<-- some HTML stuff -->

<?php
session_start();
echo session_id(); // for debugging purposes.

if (! isset($SESSION['username'])) {
if (isset($POST['username'])) {
// Set the session variables.
} else {
// Display the login form
}
}
if (isset($_SESSION['username'])) {
// Display the admin page.
}
?>

On the admin page, I've got a line that echos the session ID and username, with a link to click to log out. The link opens the killSession.php file:

<?php
$SESSION = array();
session_unset();
unset($COOKIE[session_name()]);
if (session_destroy()) {
print "Session destroyed.<br />\n";
} else {
print "Session not destroyed.<br />\n";
}
if (isset($_SESSION['username'])) {
print "Logout failed.";
} else {
print "Logged out.";
}
?>

I've tried this with just the session_unset() function, with just the $_SESSION = array() function, with and without trying to unset the cookie, etc. My output is always the same:

Session not destroyed.
Logged out.

When I browse back to the admin page, whether it's using the back button (with and without a manual refresh) or by typing in the URL anew, I get the same output I had before: the same session ID, the same username, and the admin page contents instead of the login form.

What am I doing wrong here? Why can't I get rid of the session variables? I've checked the session file in the /tmp directory, and all the data is still there after trying to empty the session variables. If the session isn't destroyed, I can see why maybe I'm getting the same output when going back to the admin page: it's looking in the file in the /tmp directory and pulling that stuff up. But shouldn't either the $_SESSION = array(); or the session_unset() function get rid of the contents of that file, so that even if the session isn't destroyed, at least the variables will be done away with?

I'm using PHP5 on Solaris, if that makes any difference. Most of the php.ini file parameters are set to the defaults (the session.save_path directive was commented out by default, but I uncommented it so that /tmp is used).

Thanks for any assistance you can provide,

Rich

p.s.: Sorry about the formatting, I haven't figured out how to make the PHP stuff indent the way it should.

devinemke

you forgot to call session_start() in you killSession.php script. you must call session_start() on any page that deals with sessions, even on the page that destroys it.

<?php
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()]))
{
	setcookie(session_name(), '', time() - 42000, '/');
}
session_destroy();
?>

jazz_snob

I just went insane w/ this same kind of problem... I wrote my own session save handler...shouldn't matter though if you use your own or the default PHP implementation...session_destroy() on its own should do the trick...but I've found that you can't tell if it works by checking stuff in the same script where you call session_destroy()...its going to effect the next page...so after you navigate to the page/link/whatever where you kill the session, try to get to a page that requires you are logged in...it should say you aren't if the session is destroyed.

I'm using PHP5 on Solaris,

I'm dark green w/ envy 🙂

FWIW, here is my very lean logout.php page:

<?php

//some includes go here

session_start();

/* authorized_user() is a function I defn'd...its basically checks $_SESSION for certain values and other goodness */
if( !authorized_user( ) )
{
	header( "Location: /login.php" );
}

include_once 'header.html';

//rather than a writing a bunch of if/else clauses I've started using assert()
assert( session_destroy() );
echo "You are now logged out.<br />";

?>

rmiller1985

you must call session_start() on any page that deals with sessions, even on the page that destroys it.

HOLY COW!! I added a bunch of echo statements for debugging purposes, and sure enough, this seems to do the trick. Is this documented anywhere? This is in the PHP docs that I downloaded:

As of PHP 4.3.3, calling session_start() while the session has already been started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.

So, not only is the second call NOT ignored, it's actually REQUIRED?? YIKES! (I suppose that by referring to it as the "second call" the docs are sort of implying "in the same script," but geez, that's pretty unclear if you ask me.)

rather than a writing a bunch of if/else clauses I've started using assert()

I'm not familiar with this function, I'll check it out.

I'm dark green w/ envy

I used to work at a place that was running Oracle 8i on a Sun workstation running Solaris 8. When I quit, I figured it would be nice to have my own for "practicing" while unemployed, so I found one on ebay for around $300. At this point, it's old, so whenever I start from scratch I have to re-download a bunch of current GNU utilities, but it's been great for figuring out how to use stuff in an environment that's more common than Windows XP in the "real world." And having it and my PC networked at home mimics the "real world" a little better as well, since I browse to the workstation instead of to localhost. Not much of a difference, but it makes me feel better. 🙂

Next related questions: when I log out, the session variables are cleared, and the session is destroyed (I've checked that the file is actually removed from /tmp). But when I browse back to the admin page, the page is "unavailable," and I have to hit the refresh button. When I do hit the refresh button, the login form is displayed, but the session ID that's echoed (for debugging purposes) after the call to session_start() is the same as the one that was just destroyed. I'm not sure that this matters all that much, but I'd like to know, a) why is the session ID the same, and b) why do I have to refresh the page (I'm thinking it's an HTML thing, and I'm not very proficient in HTML).

Thanks for the help!

Rich

jazz_snob

Book of Armaments, Chapter 4, Verses 16 to 20:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

So session_destroy(), in general, is not enough...my bad 🙁 ...as punishment I shall cut down the largest tree in the forest with, a herring.