(PHP) How to destroy the session cookie correctly?

18
votes

I'm trying to correctly log out of an admin user. Here is my function:

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}

Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session, and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. but my code doesn't work. i hit logout, and i can just directly navigate back to the admin page. however, if i delete my cookies, the functionality is perfect. so what's wrong with the cookie deleting function here?

3
phpcookiessession

3 Answers

7
votes

Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.

Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.

9
votes

If you really want to cover all bases try doing:

setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();

That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set however the $_SESSION super will be blank

4
votes

Just a tip for others who are having issues expiring session cookies:

PHP - why can't I get rid of this session id cookie?

Always use session_get_cookie_params() as in the answer to the question in the link above.