
Cookies always stay

Posted: Mon Dec 17, 2007 4:36 pm
by iknownothing
Hey Guys, I have the following Code:

Code:

if(isset($_POST['dothelogout'])){
	unset($_SESSION['sessid']);
	unset($_SESSION['hurley']);
	unset($_SESSION['displayname']);
	setcookie("abc", "", time()-3600);
	setcookie("PHPSESSID", "", time()-3600);
	unset($_COOKIE['abc']);
	unset($_COOKIE['PHPSESSID']);
	
}

if (isset($_COOKIE['abc'])){
	$checktheuser = $_COOKIE['abc'];
	// the cookie value is client-controlled: escape it before it goes into the query
	$safeuser = mysql_real_escape_string($checktheuser);
	$result = mysql_query("SELECT * FROM clientDetails WHERE clientusername = '$safeuser'");
	while ($row = mysql_fetch_array($result)){
		$theusername = $row['clientusername'];
		$displayname = $row['businessname'];
		$d2 = $row['firstname'];
	}

	$_SESSION['sessid'] = session_id();
	$_SESSION['hurley'] = $theusername;
	$_SESSION['displayname'] = $d2 . " (" . $displayname . ")";
	// refresh the "remember me" cookie for another 14 days
	setcookie("abc", $checktheuser, time()+1209600);
}

The first chunk is the logout script, which appears to be working OK. I have $_COOKIE and $_SESSION print_r'd below, and after logout, both the cookie and session arrays are empty. The second chunk is to establish whether or not the user clicked "remember me" when they logged in; if so, a cookie would have been created. Now, after the logout script has run, if I then go to a new page, all my Session and Cookie data has returned, which can only be possible by the second chunk above, but in order for it to run, $_COOKIE['abc'] has to be set, and I explicitly unset it in the logout script, so can anyone see why this would be happening?

Just tested in Firefox, and it looks to be an IE problem only somehow.


Thanks.

Posted: Mon Dec 17, 2007 5:14 pm
by feyd
You may want to set the cookie's timestamp a bit farther back than one hour... like several months, or at least days.

Posted: Mon Dec 17, 2007 8:27 pm
by s.dot
feyd wrote: You may want to set the cookie's timestamp a bit farther back than one hour... like several months, or at least days.

Or years. Really strange results happen when users have their computer clocks set, say, a year in the past. Session data can get set to the value of 'deleted' and so can the cookie related to the session.

This caused me a bit of a hassle a while back when users would randomly get logged in as other users. I found out that those users had one thing in common -- their computer clocks were way off (often the right time, just years in the past), and their session id would be set to 'deleted', thus checking the session id was the same across all of the affected users.
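
One way to apply the advice in the two replies above, as an added example that is not code from any poster in this thread: expire cookies with a fixed 1970 timestamp and a matching path, destroy the server-side session, and refuse the shared session id 'deleted'. The constant names, the function names and the "/" cookie path are assumptions; the cookie name "abc" is taken from the first post.

```php
<?php
// Added example. REMEMBER_COOKIE mirrors the thread's "abc" cookie;
// COOKIE_PATH and all function names are assumptions.
const REMEMBER_COOKIE = 'abc';
const COOKIE_PATH = '/';

// Expire a cookie with a fixed 1970 timestamp, so the result does not
// depend on how far the visitor's clock is from the server's.
function expire_cookie(string $name, string $path = COOKIE_PATH, string $domain = ''): void
{
    // A browser only overwrites a cookie whose name, path and domain match
    // the ones it was set with, so pass them explicitly.
    setcookie($name, '', 1, $path, $domain);
    unset($_COOKIE[$name]); // affects the current request only
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    expire_cookie(session_name(), $p['path'], $p['domain']);
    expire_cookie(REMEMBER_COOKIE);
    // Remove the server-side record too: if a browser keeps the cookie
    // anyway, the id it sends no longer maps to any session data.
    session_destroy();
}

// Call in place of a bare session_start(). Visitors who arrive with the
// literal id 'deleted' get a fresh id instead of sharing one session.
function start_session_safely(): void
{
    session_start();
    if (session_id() === 'deleted') {
        $_SESSION = [];              // drop anything stored under the shared id
        session_regenerate_id(true); // issue a new id and delete the old record
    }
}
```

The remember-me cookie has to be set with the same path that `expire_cookie()` uses, otherwise the browser treats the expiry as a different cookie and keeps the original.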

Posted: Mon Dec 17, 2007 8:36 pm
by Jonah Bron
I have a second-to-hours-&-minutes converter here: http://www.nucleussystems.com/blog/web/handy/
Click on "Convert'er", to the left.