cookie not destroyed in IE but it is in Mozilla Firefox

Posted: Mon Apr 07, 2008 11:19 am
by kryles
Hi,

I created a login that allows a user to set a cookie. Then, when they log out, it destroys the cookie (and session variables). I also have a profile page that checks if the cookie is set; if not, you get an error message saying you aren't logged in, and if it is, it displays profile info.

I've done the following, which gives different results in IE and Mozilla.

1) Log in and choose remember (cookie is set).
2) Log out.
3) Go to profile page.

Mozilla gives an error message (as it should) and IE displays the user's profile (gah!). I've also manually watched the cookies, and they are destroyed in Mozilla but not IE6.0.

Code:

/* functions */
 
function checkUserCookie($refreshTo, $refresh)
{
    if(isset($_COOKIE['USER']) && isset($_COOKIE['PASS']))
    {
        /*     Cookie is found, check ID and password
            If both match set SESSION variables
            and continue to Index
                                                    */
 
        $safe_id = mysql_real_escape_string(trim(strip_tags($_COOKIE['USER'])));
        $safe_pass = mysql_real_escape_string(trim(strip_tags($_COOKIE['PASS'])));
 
 
        $query = "    SELECT count(*)
                    FROM Customers
                    WHERE custID = '".$safe_id."' AND custPassword = '".$safe_pass."'";
 
        $result = mysql_query($query);
 
        $count = mysql_result($result,0,0);
 
        if($count == 1)
        {
            $_SESSION['auth'] = true;
            $_SESSION['userID'] = $safe_id;
 
            if($refresh === true)
            {
                header( "Location: ".URL."/".$refreshTo."");
                die();
            }
        }
    }
}
 
 

Code:

/* login */
session_start();
session_cache_limiter('none');
 
if($_GET['action'] == "login")
{
/* ..... validation and setting session variables here ... */
    if(isset($_POST['remember']))
    {
        setcookie("USER",$_SESSION['userID'],time()+(21 * 24 * 60 * 60),'/');
        setcookie("PASS",$password,time()+(21 * 24 * 60 * 60),'/');
    }
}
 

Code:

/* index */
 
session_start();
session_cache_limiter('none');
 
if($_GET['action'] == "logout")
{
    setcookie('PASS','$_SESSION["userID"]',time() - 60*60);
    setcookie('USER','',time() - 60*60);
    session_destroy();
    header('Location: url/login.php');
}
 
 

Code:

/* Profile.php */
 
session_start();
session_cache_limiter('none');
 
checkUserCookie("", false);
 

I've omitted code obviously, but any idea why it would work for one and not the other?
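
An added example, not part of the original post: browsers key stored cookies by name, domain and path, so an expiring Set-Cookie only removes the entry whose path matches, and the logout code above omits the '/' path that the login code passes. This JavaScript model of the cookie store (RFC 6265 default-path and path-match rules) replays both sets of calls. The request paths such as /shop/index.php are assumptions, since the post does not say where the scripts live.

```javascript
// Minimal model of a browser cookie store (RFC 6265), single host only.
// Added illustration; all request paths and values below are constructed.

// RFC 6265 5.1.4: path applied when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4: does a stored cookie path cover the requested path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie from a response to requestPath (times in seconds).
  setCookie(requestPath, { name, value, expires, path }, now) {
    const effectivePath = path || defaultPath(requestPath);
    const key = `${name};${effectivePath}`;
    if (expires !== undefined && expires <= now) {
      this.store.delete(key); // removes only the same name AND same path
    } else {
      this.store.set(key, { name, value, path: effectivePath });
    }
  }

  // Names of the cookies that would be sent with a request for requestPath.
  cookiesFor(requestPath) {
    return [...this.store.values()]
      .filter(c => pathMatches(requestPath, c.path))
      .map(c => c.name).sort();
  }
}

// Replay login (Path=/) then logout (no Path); return what is still sent.
function replay(logoutRequestPath, profileRequestPath) {
  const now = 1207567140; // constructed timestamp
  const jar = new CookieJar();
  for (const name of ['USER', 'PASS'])
    jar.setCookie('/login.php', { name, value: 'x', expires: now + 21 * 86400, path: '/' }, now);
  for (const name of ['PASS', 'USER'])
    jar.setCookie(logoutRequestPath, { name, value: '', expires: now - 3600 }, now);
  return jar.cookiesFor(profileRequestPath);
}
```

With the logout script at the site root the default path is already / and both cookies are removed; in a subdirectory they survive, so passing the same path to the expiring setcookie() calls makes removal independent of where the script lives.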