July 16th, 2013, 07:15 AM
Strangeness with sessions
I've recently noticed an issue with the shopping cart software that I have written from scratch. I cannot seem to destroy a session.
When the person logs out of the system, it calls a logout routine, part of which uses session_unset and session_destroy. It then calls a new file without the session_start at the top before linking to the homepage, where the session will be started again.
When it starts the session, the session ID is identical to before it was destroyed and unset.
I have tested the issue with IE10, Firefox 22 and Chrome 28, and get the same errors each time. I might add that these are all tabbed browsers and I don't quit the entire browser each time.
When I check my data log, the session ID is blank after this script is run, but the next session_start() command creates it exactly how it was previously.
$_SESSION['timer'] = (date("U")-20000); // auto-expire session timer
$sess_var = session_destroy();
$_SESSION = array();
AuditLog('Session ID: '.session_id().' - Status: '.$sess_var); // write to data log
Does anyone have any ideas what's happening here and how to prevent it?
July 16th, 2013, 07:41 AM
That's some messy code.
The problem is that you don't really seem to understand how sessions work and what you need to do to delete them. And you didn't bother to read the manual.
A session consists of three things: There's a session cookie, which holds the session ID. It's stored in the user's browser. Then there's a session file, which holds the session data. It's stored on the server. And finally, there is the $_SESSION array, which is used to read from and write to the session file in the application.
All three things are independent entities. If you kill the session file, that has no effect on the cookie. It will continue to exist, and next time the user visits the site, he or she will present the old session ID again. And if your code doesn't regenerate the ID (which apparently it doesn't), then you end up with the same ID.
How to fix this?
- You start the session (unless it's already started).
- You delete the cookie by setting the expiration time to a timestamp in the past.
- You delete the session file with session_destroy().
- You clear the $_SESSION array with $_SESSION = array(). Do not unset the whole variable. There's a big fat yellow warning box in the manual telling you not to do that.
- You regenerate the session ID with session_regenerate_id(true) whenever a user logs in.
The manual even offers the code for that.
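A logout and login pair that carries out the five steps above, written here as an added example (it is not the poster's code and not the manual's own listing; the function names logoutUser and loginUser are illustrative):

```php
<?php
// Added example, not the original poster's code. Function names are illustrative.

// Terminate the current session completely: $_SESSION array, server-side
// session file, and the cookie carrying the session ID in the browser.
function logoutUser()
{
    // 1. A session must be active before it can be destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 2. Empty the session array. Do not unset($_SESSION) itself.
    $_SESSION = array();

    // 3. Expire the session cookie. Reusing the configured cookie parameters
    //    makes sure path, domain and flags match the cookie being removed.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,          // a timestamp in the past
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 4. Remove the session file on the server.
    session_destroy();
}

// 5. On a successful login, issue a fresh session ID so that an ID presented
//    before authentication is never carried into the authenticated session.
function loginUser($userId)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);     // true deletes the old session file
    $_SESSION['user_id'] = $userId;
}
```

After logoutUser() the next session_start() sees no cookie and therefore issues a new ID, which is the behaviour the original post was missing.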
July 16th, 2013, 10:13 AM
To be honest, the manual was a little confusing for me (I'm not a manual type of person!) and I was getting desperate so was trying everything in order to get it to work - including the things that I'm not supposed to. I've taken on board what you've said and am adjusting the code accordingly.
Many thanks for the assistance, and I'll let you know how it goes.
July 16th, 2013, 10:27 AM
I understand that the manual is rather technical, but you should definitely get used to it. It contains first-hand information about what exactly the function does and what you need to be aware of.
Do not rely on third-party tutorials, because the vast majority of them are complete crap. Most of the free code you'll find online is the copy of the copy of the copy of the copy of some terrible code some clueless kid wrote somewhere in the 90s. If you're lucky, the code will simply not work. If you have less luck, it will tear some big security holes into your code, and you may not even notice it.
So learn to use the manual. If there's any halfway reliable resource about PHP at all, it's the manual.