22

I'm trying to correctly log out of an admin user. Here is my function:

function logout() { $_SESSION = array(); //destroy all of the session variables if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"] ); } session_destroy(); }

Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session, and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. but my code doesn't work. i hit logout, and i can just directly navigate back to the admin page. however, if i delete my cookies, the functionality is perfect. so what's wrong with the cookie deleting function here?

Improve this question

2 Answers 2

Reset to default
12

If you really want to cover all bases try doing:

setcookie (session_name(), "", time() - 3600); session_destroy(); session_write_close();

That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set however the $_SESSION super will be blank

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

7

Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-control headers.

Check out this SO question on the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.

Improve this answer

5 Comments

ok, that makes sense, but why am i still able to access the admin page directly even after i've destroyed the session??
nevermind i think i figured it out - i didn't call session_start() on my logout page (the logout text links to a logout page which calls my above function)
It would still be smart to remove the cookie, in order to increase cacheability of anonymous content with caches such as Varnish. If the browser keeps sending a cookie Varnish will not cache the response, even if you're generating the exact same response for every visitor.
The OP's underlying concept is not flawed. He shows the textbook method of ending a login session as documented in the PHP manual.
@Nilpo indeed! Edited that bit out.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.