
PHP Cookie deletion

Dear forum, I need an expert opinion about a session cookie. Here is the situation:

start a session, blah blah data end a session.
set an expired cookie before deleting the session.

This test requires Microsoft Edge browser because it shows the cookie in the console. I can’t see the cookie info in the Firefox console. To understand the question, you need to start and end a session and use Edge console to see the session cookie. When developer tools are enabled, view source opens the console. The debugger tab shows cookies in the left pane. I can see my session cookie listed throughout the session and I can watch the session id change (regenerate_id(true)). However, when I destroy the session and set the cookie expiration, I still see a cookie. Shouldn’t the cookie be deleted? Why can I still see it with the last session id?

If you watch the session temp folder, you can see your session file disappear when you destroy the session. Shouldn’t the cookie disappear? Is the cookie really invalid and Edge stores it until the browser closes? I think that this is a session cookie, not persistent, so if the session is closed then the cookie should be deleted. When the cookie is not deleted, I worry that the code to expire the cookie is not correct.

<?php
session_name('CookieChallenge');
session_start();

//update session variables
session_write_close();
//page code here

//when ready to delete the session
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 3600, $params["domain"], $params["path"], $params["secure"], $params["httponly"]);
session_start(); $_SESSION = array(); session_unset(); session_destroy();

exit;
?>

I am a beginner, so I wonder if the cookie is still visible because the browser only deletes it when the browser is closed or maybe my code is not really deleting the cookie. I cannot view the cookie because I cannot find its location in Windows 10. I have no idea if the cookie is really being deleted or made to be invalid, then deleted when the browser closes.

I hope that someone understands this matter, it’s driving me nuts. I expect to see the cookie disappear in the console.

Thanks.

@ginerjm Mar 13.2018 — I BELIEVE this phenomenon is caused by the way cookies are provided to you. They are loaded when the server sends your client its data. That means that a cookie created during the current session is not viewable until the next time the server sends data to you. The same is probably true when you delete one - it doesn't go away until the server refreshes your content.

I could be describing this wrong but I think this is the general idea behind cookie behavior. Your last comment is pretty close to what I am describing to you so I think you are spot on.

@phpBerliner (author) Mar 13.2018 — I think so too. I suppose that I could always set a persistent cookie but I'm not interested. As long as the cookie is made invalid, then I will accept the session status holding it until the browser is closed. All is good. At least you also think that it is a browser thing.

Thanks for taking time to reply. Also, sorry for forgetting to surround the php in a code tag. I always forget to do this in forums. My apologies.

@NogDog Mar 13.2018 — I believe the session_start() will generate a cookie that overwrites the one you define in the preceding line. Instead of setcookie() there, I think you want to do a session_set_cookie_params() (php.net/session_set_cookie_params).

@phpBerliner (author) Mar 13.2018 — [B]Thank You[/B] so much [B]ginerjm[/B] and [B]NogDog[/B] for posting here and trying to help a fellow programmer. I have tried a few forums and no one offers help. I've solved the problem just now because the two of you were vocal in this thread and offered advice, id est, networking team work. I doff my hat to the both of you.

I'm actually braving the world by building my own sessions (sans framework.) I couldn't quite understand the process at first. I had trouble deleting sessions, then the cookies. I've finally deleted sessions but the cookies were remaining. I keep scratching and clawing and insisting that they should be deleted. You both helped me to realize that something is wrong with my approach. I've actually followed the advice at php.net and it isn't working.

Turns out that I forgot to move the session_start() as pointed out by NogDog. I decided to move it back. I am tired and I get sloppy sometimes. Anyway, I did some research for the past two hours and I came across a post at stackoverflow. The poster mentioned that he couldn't get his cookies to delete without setting the path '/'. I decided to recode my session handling and cookie handling and now the cookie is gone! I am so happy. I now have a fully functioning secure session. I am so relieved. Here is the final code where I destroy the session and cookie:


[CODE]
if (empty($formerrors)) {
    $_POST = array();
    session_start();
    // expire the cookie; the path '/' is given explicitly
    setcookie('my-cookie-name', '', time() - 3600, '/');
    unset($_COOKIE['my-cookie-name']);
    $_SESSION = array();
    session_unset();
    session_destroy();
    header("Location: ../Thankyou/");
    exit;
} else {
    // form has errors
}
[/CODE]


I am so happy that my sessions and cookies are finally being handled correctly. I've spent over a month on this session. Thank You for helping
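
As an added example (not code from any poster in this thread): one way to end a PHP session so that the removal cookie carries the same path and domain as the cookie the browser holds. The positional form of setcookie() takes name, value, expires, path, domain, secure, httponly in that order; the array form used here (PHP 7.3+) avoids ordering mistakes. The function names `session_cookie_removal_options` and `end_session` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not from the thread.

/**
 * Options for a Set-Cookie header that removes the session cookie.
 * A browser only overwrites a cookie whose name, domain and path match
 * the stored one, so the attributes are copied from the session settings.
 */
function session_cookie_removal_options(array $params): array
{
    $options = [
        'expires'  => time() - 3600,   // in the past: browser discards the cookie
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
    ];
    if (!empty($params['samesite'])) { // key present from PHP 7.3
        $options['samesite'] = $params['samesite'];
    }
    return $options;
}

/** Clear the session data, expire its cookie, then delete the server-side record. */
function end_session(string $name): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_name($name);           // must be set before session_start()
        session_start();               // resume first: any cookie it emits precedes the removal header
    }
    $_SESSION = [];

    if (ini_get('session.use_cookies') && !headers_sent()) {
        setcookie(session_name(), '', session_cookie_removal_options(session_get_cookie_params()));
    }
    session_destroy();
}

end_session('CookieChallenge');        // session name taken from the original post
```

The browser removes the cookie when it processes the response carrying this header, not before.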

@ginerjm Mar 13.2018 — Why are you so focused on sessions? I may be naïve but I simply do a session_start at the top of every script and let the session expire when my browser closes. I'm not doing anything that requires as much paranoia as you apparently so I am comfortable with PHP protecting my apps from session tampering and with PHP removing the session contents when the session terminates all by itself.

@phpBerliner (author) Mar 13.2018 — I'm building a commercial website where I am also bound by EU privacy laws. I have the miserable task of more than session_start(); I have already dealt with eliminating XSS, CSRF, SQL injections and query strings. I now need to combat session fixation and session hijacking. My next step is to create a password hash with a digest reiterated a thousand times. I am completely interested in protecting my customers' privacy the best that I can do so. I'm not going to pay someone to do it for me. First of all, I've asked about this and the three developers that I spoke with don't even salt, hash and digest passwords. No wonder so many kiddie scripts cause problems these days. I'll just do it myself and I refuse to use frameworks. Anyway, I'm quite proud of my session management. However, before my site goes live, I will hire a security expert to look over my code and test my site for vulnerabilities. I won't be able to stop serious hackers but a lot of the nonsense will be mitigated. I can sleep better at night knowing that I've done all that I can do to protect my customers.

@ginerjm Mar 14.2018 — To go thru all that you are doing is commendable. BUT to then say that 'I won't be able to stop serious hackers' makes me wonder what you are doing! Isn't it the serious ones you should be most concerned about???

@phpBerliner (author) Mar 14.2018 — The two of us can combine our brain power and not be able to outsmart the best hackers. I accept this fact. One cannot expect me to be smarter than the folks at Google, Apple, Microsoft, Intel etc. and they are hacked constantly. Not to mention all of the government backdoors. It's like asking me to slap Mike Tyson and challenge him to a street fight. I'm not stupid. :-)

I realize that top hackers are just too smart for a beginner like me. Not to mention, I cannot possibly be responsible for hardware and software vulnerabilities like the recent meltdown and spectre. I can do so much to protect my customers.

However, I do know one way to slap hackers: I do not store personal user info on the server. So when a user signs up for my services, I encrypt their form input and mail it to myself for decryption with a secret key. All of that personal data is kept on my non-internet, non local network connected pc. Impossible to steal their data via website hacking. So I win :-)

I wish I were a better programmer to be able to stop hackers but it is not possible at this time. Maybe one day I will be better at dealing with hackers. For now, I'm at the mercy of my host, server, php and my scripts. I'll do everything that I can to secure my scripts but I accept the fact that I am not smarter than the top hackers.