#1
    Registered User (Devshed Newbie, joined Nov 2012)

    Strangeness with sessions


    I've recently noticed an issue with the shopping cart software that I have written from scratch. I cannot seem to destroy a session.

    When the person logs out of the system, it calls a logout routine, part of which uses session_unset and session_destroy. It then calls a new file without the session_start at the top before linking to the homepage, where the session will be started again.

    When it starts the session, the session ID is identical to before it was destroyed and unset.

    I have tested the issue with IE10, Firefox 22 and Chrome 28, and get the same errors each time. I might add that these are all tabbed browsers and I don't quit the entire browser each time.

    Logout Code

    PHP Code:
    $_SESSION['timer'] = (date("U") - 20000); // push the auto-expire timer into the past
    unset($_SESSION['user_id']);
    unset($_SESSION['sid']);
    unset($_SESSION['timer']);
    unset($_SESSION['first']);
    unset($_SESSION['last']);
    unset($_SESSION['lmode']);
    session_unset();
    $sess_var = session_destroy();   // returns true on success, false on failure; logged below
    unset($_SESSION);                // removes the superglobal itself, which the manual warns against
    $_SESSION = array();
    AuditLog('Session ID: ' . session_id() . ' - Status: ' . $sess_var); // AuditLog() is the poster's own function; writes to the data log

    When I check my data log, the session ID is blank after this script is run, but the next session_start() command creates it exactly how it was previously.

    Does anyone have any ideas what's happening here and how to prevent it?
#2
    Jacques1 (Devshed Expert, joined Jul 2012)

    Hi,

    that's some messy code.

    The problem is that you don't really seem to understand how sessions work and what you need to do to delete them. And you didn't bother to read the manual.

    A session consists of three things: There's a session cookie, which holds the session ID. It's stored in the user's browser. Then there's a session file, which holds the session data. It's stored on the server. And finally, there is the $_SESSION array, which is used to read from and write to the session file in the application.

    All three things are independent entities. If you kill the session file, that has no effect on the cookie. It will continue to exist, and next time the user visits the site, he or she will present the old session ID again. And if your code doesn't regenerate the ID (which apparently it doesn't), then you end up with the same ID.

    How to fix this?
    1. You start the session (unless it's already started).
    2. You delete the cookie by setting the expiration time to a timestamp in the past.
    3. You delete the session file with session_destroy().
    4. You clear the $_SESSION array with $_SESSION = array(). Do not unset the whole variable. There's a big fat yellow warning box in the manual telling you not to do that.
    5. You regenerate the session ID with session_regenerate_id(true) whenever a user logs in.

    The manual even offers the code for that.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
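The five steps from the reply above, written out as one logout routine plus a login hook. This is an added example, not the poster's or Jacques1's code; it assumes PHP 5.4 or later (for session_status()) and the default cookie-based session handling, and the function names are illustrative.

```php
<?php
// Added example, not the poster's or Jacques1's code. Assumes PHP 5.4+
// (session_status()) and the default cookie-based session handling.

function logout_and_destroy_session()
{
    // Step 1: session_destroy() only works on an active session.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Step 4: empty the array for this request; do not unset($_SESSION) itself.
    $_SESSION = array();

    // Step 2: expire the cookie in the browser using the same parameters it
    // was set with, so the old ID is not presented again on the next request.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Step 3: delete the session data on the server.
    return session_destroy();
}

// Step 5: call this once credentials have been verified (hypothetical helper).
// Passing true discards the old session file together with the old ID, so the
// ID issued before login never becomes the authenticated session's ID.
function on_successful_login($userId)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Because the cookie is expired as well as the file deleted, the browser no longer sends the old ID, and the next session_start() issues a fresh one instead of reviving the previous ID as described in the first post.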
#3
    Registered User (Devshed Newbie, joined Nov 2012)

    Originally Posted by Jacques1
    Hi,

    that's some messy code.

    The problem is that you don't really seem to understand how sessions work and what you need to do to delete them. And you didn't bother to read the manual.
    To be honest, the manual was a little confusing for me (I'm not a manual type of person!) and I was getting desperate, so I was trying everything in order to get it to work - including the things that I'm not supposed to. I've taken on board what you've said and am adjusting the code accordingly.

    Many thanks for the assistance, and I'll let you know how it goes.
#4
    Jacques1 (Devshed Expert, joined Jul 2012)

    I understand that the manual is rather technical, but you should definitely get used to it. It contains first-hand information about what exactly the function does and what you need to be aware of.

    Do not rely on third-party tutorials, because the vast majority of them is complete crap. Most of the free code you'll find online is the copy of the copy of the copy of the copy of some terrible code some clueless kid wrote somewhere in the 90s. If you're lucky, the code will simply not work. If you have less luck, it will tear some big security holes into your code, and you may not even notice it.

    So learn to use the manual. If there's any halfway reliable resource about PHP at all, it's the manual.