[RESOLVED] Help with destroying a session

BigFunkyChief2

Hello,
Default installation of Apache 2.0 and PHP 4 on a Fedora Core 4 server.

I'm trying to completely kill a session when a user logs off. I use the following code (found on php.net) in my logout script, then redirect the user to the login page.

session_start();
setcookie(session_name() ,"",0,"/");
unset($COOKIE[session_name()]);
$SESSION = array();
session_unset();
session_destroy();

At the login page, the variables seem to be unset. But, if the user types in the URL for the main site ([url]http://www.mysite.com)[/url], suddenly the session variables are back, even though my code has not called them, and the user accesses the page as if they were logged in. This is a security issue, if a user doesn't close their browser then suddenly the content is accessible, even if they've logged out.

Is this default behavior? How should I go about completely destroying my sessions?

Thanks in advance....
BFC

toplay

Well, it looks alright, however, when removing the session cookie, it should have the same values as when it was first created. So, something like this would be better:

$_sessCookie = session_get_cookie_params();

$_result = @setcookie(session_name(), '', time() - 172800,
                                    $_sessCookie['path'],
                                    $_sessCookie['domain'],
                                    $_sessCookie['secure']);

But the cookie still won't be deleted on the client side until the user exists their browser.

The only real way a session is gone from the server is when it's deleted physically from the disk. The session.save_path usually points to something like /tmp and in there would be the files in there with filenames such as sess_xxx (where xxx is the session ID). The session garbage collection is responsible for removing expired sessions from disk. Otherwise, you'll have to do it yourself if want it done immediately.

Other options is to regenerate the session ID, and/or use database based session management. This allows you total control.

BigFunkyChief2

I see, so probably my best bet is to write a unique row to my DB, then have that determine whether is logged in, and removed that row from the DB when they log out.

What's strange is I deleted all my cookies (IE6), logged into my machine, and I can't find the cookie set. Is it stored in the index.dat file in IE?

Thanks for the insight on this....I've been banging my head against my desk for a week now....much appreciated.

bradgrafelman

I do what you just described. I store the SID in a DB. When I verify they are logged in, I do a "SELECT * FROM Table WHERE SID = 'sid'" where the 'sid' part is the SID retrieved from the client-side cookie/URL/form. If no results are returned, I know they either haven't logged in, or have logged out.

BigFunkyChief2

Thanks again.