Home/ Questions/Q 7432907
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T09:31:56+00:00

Strange issue. This is index.php: session_start(); print_r($_COOKIE); print_r($_SESSION); This is logout.php: session_destroy(); $_COOKIE[‘key’] =

  • 0

Strange issue.

This is index.php:

session_start();
print_r($_COOKIE);
print_r($_SESSION);

This is logout.php:

session_destroy();
$_COOKIE['key'] = "";
$_COOKIE['usr_email'] = "";
setcookie("key", "", time() - 3600);
setcookie("usr_email", "", time() - 3600);
header("Location: http://www.site.net/index.php");

When I load logout.php, after being redirected to index.php I get:

Array
(
    [fc] => fcVal=6927578914025605120
    [PHPSESSID] => na015ipu3s69hhj00sgd0h1es6
)
Array
(
    [key] => cc2bffe0c1e36bc5790f5b78b11e5f50
    [usr_email] => myemail@gmail.com
)

Sessions are ok as I generate them when I load index.php, but how are the cookie still present?

Note

I have some more code on index.php that determines if the login form was filled and starts to authenticate the user, if the user/pass are correct it sets two session vars and two cookie vars (usr_email and key).

At the moment, I’m after the login form, so I have both cookies and session vars and since the cookies were not being deleted, I disabled every other PHP code that was on the index page as I thought maybe something is automatically logging me in. So currently I have authenticated and then commented out the rest from the index page that is not what mentioned above.

Also relevant
This is how I set the cookies when a user is authenticated:

    setcookie("key", $cookie['key'], time() + 36000);
    setcookie("usr_email", $cookie['usr_email'], time() + 36000);

PHP Version: PHP 5.3.6-13

Last edit

As Josh wrote in the comments, I was confusing the cookie print with the session, I wasn’t able to delete the session vars and not the cookie vars.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    From the PHP Manual:

    … [session_destroy()] does not unset any of the global variables associated with
    the session, or unset the session cookie

    In order to kill the session altogether, like to log the user out, the
    session id must also be unset. If a cookie is used to propagate the
    session id (default behavior), then the session cookie must be
    deleted. setcookie() may be used for that.

    Note: PHPSESSID is the cookie propagating the session ID.

    Try the following to clear your session variables from being reused:

    // Example #1 Destroying a session with $_SESSION
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

    Note: session_start() must be called before session_destroy() can work.

    • 0