cookies deny dying!!!!

[geotri314]

hi guys. i need some help with some code i wrote.

i have a login script where there are some cookies get set like this:

 

setcookie('user_id', $row['user_id']);

 

in a logout script these cookies are supposed to be deleted and lost into oblivion... like this:

 

setcookie('user_id', '', time() - 3600);

 

The thing is... cookies wont die! i use firefox 3.6.8. i have tried some things like changing the ('') quotes with the ("") quotes. i ve changed the time to : time() - 993600 just to be sure. i ve even used the unset fucntion like this:

 

unset($_COOKIE['user_id']);

 

Even the cookie created by the session_start() is not get deleted with this:

 

if (isset($_COOKIE[session_name()])) {
      setcookie(session_name(), '', time() - 93600);
  unset($_COOKIE[session_name()]);
    }

 

does anyone have any idea what am i doing wrong. plz?

thank you for your time.

[rwwd]

Hi there,

 

this is similar to what I use with no problems at all:-

 

if (isset($_COOKIE['Cookie_name'])){
setcookie("cookie_name", "", "0", "/");
unset($_COOKIE);
}

 

I just make sure that I use most of the param's when I set the cookie in the first place:-

 

setcookie("Cookie_name", "Cookie_value", time()+60*60*24*30, "/");//the slash just means that it's set over ALL the domain

 

Then for good measure I do this too:-

 

session_unset();
session_destroy();
unset($_SESSION);
unset($_COOKIE);

 

The method of cookie naming that your using looks a little suspicious to me, I always put a static value or a user editable variable there to avoid confusion..

 

Hope that's a little clearer now.

 

Cheers,

Rw

[PFMaBiSmAd]

Best guess is that you are probably outputting some content to the browser on your log out page and none of the setcookie() functions are doing anything.

 

Are you developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that all the php detected errors will be reported and displayed? You will save a ton of time.

 

Also, setting a cookie with a user id to indicate someone is logged in, is insecure. All I would need to do is create a cookie with your user_id and I could visit your site as YOU. You should create a random unique ID (see uniqid) and store that in the cookie and store that in your user table for that particular user. You should also only rely on a value kept on the server to indicate that someone is logged in, not on the existence of a cookie or of the existence of a session. Once you do this, you won't need to delete the cookie because the cookie will only identify the visitor, its existence alone won't mean that the visitor is logged in.