
Help with Log-Out Script


doubledee


Below is a Log-Out Script that I wrote...

 

<?php
// Initialize a session.
session_start();

// Access Constants
require_once('../config/config.inc.php');

// Log Out User.
$_SESSION['loggedIn'] = FALSE;

// Redirect User.
if (isset($_SESSION['returnToPage'])){
	header("Location: " . BASE_URL . $_SESSION['returnToPage']);
}else{
	// Take user to Home Page.
	header("Location: " . BASE_URL . "index.php");
}

// Destroy Session.
session_destroy();

// Erase Session Cookie Contents.
setcookie (session_id(), "", time() - 3600);

// End script.
exit();
?>

 

 

Questions:

1.) How does my code look?

 

2.) Does it provide a secure log out?

 

3.) I don't think the cookie part is working, because after I click "Log Out" on a web page, I looked at the Cookie in Firefox's Web Developer Toolbar, and there is still a value for the PHPSESSID?!

 

Thanks,

 

 

Debbie

 


1. Your code looks...codey.

 

2. I use similar to what you have written and it seems pretty secure to me.

 

3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist.

 

What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally.

 

The following should do that:

unset($_COOKIE['PHPSESSID']);

 

Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.

 

Regards, PaulRyan.


1. Your code looks...codey.

 

What's that mean?!

 

 

2. I use similar to what you have written and it seems pretty secure to me.

 

3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist.

 

What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally.

 

The following should do that:

unset($_COOKIE['PHPSESSID']);

 

Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.

 

Regards, PaulRyan.

 

I'm not sure if your code is working.

 

I added this to my header, but it is horribly formatted and I can't tell what is what?!

echo '<p class="test">print_r(\$_SESSION) = ' . print_r($_SESSION) . '</p>';
echo '<p class="test">print_r(\$_COOKIE) = ' . print_r($_COOKIE) . '</p>';

 

When I first run my script, this is what I see...  (formatted as it appears)

print_r(\$_SESSION) = 1print_r(\$_COOKIE) = 1Array ( )Array ( )

 

At this point there should be a Session but I'm not sure if there is a Cookie.

 

When I click "Log In" I see this scrambled up on different lines that I can't recreate here...

print_r(\$_SESSION) = 1

Array ( )Array ( [phpSESSID] =>

0693cf38eaeeb53fbe91bdd0cf67437d )

print_r(\$_COOKIE) = 1

 

After I log in I see this again scrambled up and hard to show here...

print_r(\$_SESSION) = 1

Array ( [memberID] => 24 [memberFirstName] => Debbie [loggedIn] => 1 ) Array ( [phpSESSID]

print_r(\$_COOKIE) = 1 => 0693cf38eaeeb53fbe91bdd0cf67437d )

 

When I click "Log Out" I see this scrambled up...

print_r(\$_SESSION) = 1

Array ( ) Array ( [phpSESSID] =>

print_r(\$_COOKIE) = 1

0693cf38eaeeb53fbe91bdd0cf67437d )

 

If I could just get my print_r() to format properly that might be half the battle?!

 

 

Debbie

 

 

 


When I go into the Web Developer Toolbar in Firefox and open the Cookie Window, it shows me this...

http://local.debbie/index.php

1 cookie

Name PHPSESSID

Value 0693cf38eaeeb53fbe91bdd0cf67437d

Host local.debbie

Path /

Secure No

Expires At End Of Session

 

That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...

 

 

Debbie

 


1. Your code looks...codey.

 

2. I use similar to what you have written and it seems pretty secure to me.

 

3. In regards to your 3rd point, you are editing a cookie with the name of the session id, which doesn't actually exist.

 

What does exist however is PHPSESSID, and you need to delete its content, or better still remove it totally.

 

The following should do that:

unset($_COOKIE['PHPSESSID']);

 

Once the above is run, the PHPSESSID cookie will no longer exist, until a new session is started.

 

Regards, PaulRyan.

 

In my research, the way to undo a cookie was to run something like:

 

if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
   setcookie("cookname", "", time()-60*60*24*100);
   setcookie("cookpass", "", time()-60*60*24*100);
}

 

Where you take the original cookie, and simply negate the time. Are either methods correct?


That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...

 

So long as you remove the login flags/other details from your session (so your app considers them logged out), having the cookie stick around is not an issue.

 

My logout consists of:

 

session_destroy();
session_regenerate_id(true);

 

which removes the session data, deletes the session file, and assigns a new ID.

 

If you want to unset the cookie, you need to use setcookie() to delete it.  The name of the cookie is the session name (default PHPSESSID) which is returned by the session_name() function.

 


That says to me there is still a Cookie with my PHP Session ID lingering on my computer (which is a security risk to me)...

 

So long as you remove the login flags/other details from your session (so your app considers them logged out), having the cookie stick around is not an issue.

 

Any idea how to better format print_r() in my home page so I can better see what is going on?

 

This is what I have...

	echo '<p class="test">print_r(\$_SESSION) = ' . print_r($_SESSION) . '</p>';
	echo '<p class="test">print_r(\$_COOKIE) = ' . print_r($_COOKIE) . '</p>';

 

and...

p.test{
display: block;
}

 

 

If you want to unset the cookie, you need to use setcookie() to delete it.  The name of the cookie is the session name (default PHPSESSID) which is returned by the session_name() function.

 

Which of these is correct...

// Erase Session Cookie Contents.
setcookie (session_id(), "", time() - 3600);
setcookie (PHPSESSID, "", time() - 3600);

 

Or will both work?

 

Thanks,

 

 

Debbie

 


Any idea how to better format print_r() in my home page so I can better see what is going on?

 

Use the second parameter to print_r to have it return a string, rather than output directly.  Use <pre> tags not <p> tags to surround it so the white-space is preserved.

 

Which of these is correct...

 

Neither.  Read the manual page I linked, and maybe the setcookie page.

 

 

 

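Added example, not code from anyone in this thread: a logout that does what the two replies above describe. It expires the session cookie under its real name (session_name()) with the same path/domain/secure/httponly values it was set with, since setcookie() with only three arguments defaults the path to the current directory and so never touches a cookie that was set for "/". It also shows print_r() with its second argument for the formatting question. The redirect target and BASE_URL are assumptions taken from the script in the original post.

```php
<?php
// Added example (not from this thread). Assumes BASE_URL is defined, as in
// the original logout script, and that sessions use cookies (the default).

function logout_and_redirect($target)
{
    session_start();

    // Drop all session data for this request.
    $_SESSION = array();

    // Expire the session cookie. The cookie is named by session_name()
    // (default PHPSESSID), not session_id(). Path, domain, secure and
    // httponly must match the values the cookie was set with; otherwise
    // the browser sees a different cookie and the original one survives.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session storage.
    session_destroy();

    // header() does not stop the script, so exit() follows the redirect.
    header('Location: ' . $target);
    exit();
}

// Debug helper for the print_r() question: print_r(..., true) returns the
// dump as a string instead of printing it and returning 1. The output is
// HTML-escaped because cookie values come from the browser and would
// otherwise be reflected into the page unescaped.
function dump_array_html($label, array $data)
{
    $text = $label . ' = ' . print_r($data, true);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Usage on the logout page:
// logout_and_redirect(BASE_URL . 'index.php');
// Usage in a page header while debugging:
// echo dump_array_html('$_SESSION', $_SESSION);
// echo dump_array_html('$_COOKIE', $_COOKIE);
```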

Any idea how to better format print_r() in my home page so I can better see what is going on?

 

Use the second parameter to print_r to have it return a string, rather than output directly.  Use <pre> tags not <p> tags to surround it so the white-space is preserved.

 

Which of these is correct...

 

Neither.  Read the manual page I linked, and maybe the setcookie page.

 

I looked at the link you provided and thought I was doing things correctly?!  :shrug:

 

Here is the script that I've come up with...

<?php //Build Date: 2011-12-25

// Initialize a session.
session_start();

// Access Constants
require_once('../config/config.inc.php');

// Log Out User.
$_SESSION['loggedIn'] = FALSE;

// Redirect User.
if (isset($_SESSION['returnToPage'])){
	header("Location: " . BASE_URL . $_SESSION['returnToPage']);
}else{
	// Take user to Home Page.
	header("Location: " . BASE_URL . "index.php");
}

session_unset();
session_destroy();
$_SESSION = array();

// Erase Session Cookie Contents.
//	setcookie(session_id(), "", time() - 3600);
setcookie("PHPSESSID", "", time() - 3600);

// End script.
exit();
?>

 

It works as far as logging the user out (e.g. "Hello, Debbie" is no longer displayed when I click "Log Out"), but the print_r() I am using shows the same session cookie there even after logging out.

 

I would expect PHPSESSID to have a value of "" in my browser and in print_r() after I log out.

 

When I log in I see this...

print_r(\$_SESSION) =

 

Array

(

    [returnToPage] => //index.php

    [memberID] => 24

    [memberFirstName] => Debbie

    [loggedIn] => 1

)

 

print_r(\$_COOKIE) =

 

Array

(

    [phpSESSID] => 4bf54ca2d5b134ea841bab146ba22965

)

 

 

When I log out (and even if I close the browser window and open it back up), I see this...

print_r(\$_SESSION) =

 

Array

(

    [returnToPage] => //pages/interview_index.php

)

 

print_r(\$_COOKIE) =

 

Array

(

    [phpSESSID] => 4bf54ca2d5b134ea841bab146ba22965

)

 

I am totally confused...

 

 

Debbie
