PHP Session Id in $_COOKIES superglobal stays the same after destroy


Hi, I am new to PHP and am trying to destroy a session according to the PHP documentation here: http://php.net/manual/en/function.session-destroy.php so I am using this code:

<?php
session_start();

echo 'cookies before delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
echo '-------------- <br>';

$_SESSION = array();

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

session_destroy();
echo 'cookies after delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
?>

See the documentation:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

… even if it did unset the session cookie, the $_COOKIES superglobal includes all the cookies that the browser sent when it made the request. It would require time travel for session_destroy to prevent the browser from sending them in the request that is currently being processed.


What I don't understand is, it doesn't matter how many times I run this code, the PHPSESSID property in the $_COOKIE superglobal is always exactly the same.

If the session ID sent by the browser doesn't match an existing session when you call start_session, then it still uses the same session ID for the new session.

session_regenerate_id forces the generation of a new id, start_session does not.
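
The points in the answer above, put together as an added example (not code from the original thread): the expired cookie goes into the response while `$_COOKIE` still holds what the browser sent with the request, and `session.use_strict_mode` stops `session_start()` from adopting an ID the server has no record of. The helper name `end_session()` is hypothetical.

```php
<?php
// Added example; end_session() is a hypothetical helper name.
// Strict mode: session_start() rejects an ID it has no record of and
// issues a fresh one instead of adopting the value the browser sent.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

/**
 * Wipe the session data, queue an expired session cookie for the response,
 * and delete the server-side record. Must run before any output, because
 * setcookie() only adds a response header.
 * Returns the Set-Cookie header lines queued for the session cookie.
 */
function end_session(): array
{
    $name = session_name();
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Path and domain must match the original cookie, otherwise the
        // browser treats this as a different cookie and keeps the old one.
        setcookie($name, '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    // $_COOKIE is a snapshot of the request headers; nothing above alters
    // it, so drop the stale entry by hand for the rest of this request.
    unset($_COOKIE[$name]);

    return array_values(array_filter(headers_list(), function ($h) use ($name) {
        return stripos($h, 'Set-Cookie: ' . $name . '=') === 0;
    }));
}

$sent   = $_COOKIE[session_name()] ?? '(none)';  // ID the browser sent
$queued = end_session();                          // deletion goes in the response

header('Content-Type: text/plain');
echo "ID in this request:  $sent\n";
echo "Queued for response: " . implode(' | ', $queued) . "\n";
echo "Session status:      "
    . (session_status() === PHP_SESSION_NONE ? 'none' : 'active') . "\n";
```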


Just use session_regenerate_id() after destroying the session. https://secure.php.net/manual/en/function.session-regenerate-id.php

Also, destroying a session doesn't unset a cookie.


OK, hi, just wanna leave a few things out. OK, it's simple: session destroy doesn't unset what's been set on the cookie. Like we all know, cookies are available until the validity elapses. And even if the session gets regenerated it would still update the cookie. I'll suggest you have it controlled, else if you refresh that page a million times you would still have the same result sent as an output. It's more like doing the same thing and expecting a better result. I could write you a snippet if you want. Hope this helps.

=== My discovery ==

<?php

session_start();

define('NEWLINE', '<br><br>');

echo "cookie before delete session. <br>";
var_dump($_COOKIE);

echo NEWLINE;

echo "session Here <br>";
var_dump($_SESSION);

echo NEWLINE;


echo "------------------------<br>";

$_SESSION = array();

if (ini_get('session.use_cookies'))
{
    $params = session_get_cookie_params();

    echo "cookie already has PHPSESSID even before you set it here ..<br>";


    // The solution i could arrive with
    // without this PHPSESSID wouldn't give you a new id.
    session_regenerate_id();
}

// now destroy
session_destroy();

echo "Cookie here would not change. Just refresh the page and try commenting session_regenerate_id() to see the difference. <br>";
var_dump($_COOKIE);

echo "Session when destroyed. <br>";
var_dump($_SESSION);
?>


Hi, so I have found out why the setcookie() function didn't destroy the PHPSESSID cookie. The session_set_cookie_params() function needs to be set before starting the session, and so later the setcookie() function will be able to expire the PHPSESSID cookie.

This code works:

<?php
$lifetIme = 60 * 60 * 24 * 360; 
$path = '/'; 
$domain =  'yourdomain'; 
$secure = isset($_SERVER["HTTPS"]); 
$httponly = true;
session_set_cookie_params ($lifetIme, $path, $domain, $secure, $httponly);
session_start();

$expire = strtotime('-1 year');
setcookie('PHPSESSID', '', $expire, $path, $domain, $secure, $httponly);
session_destroy();
?>





Comments
  • Possible duplicate of Why is PHP session_destroy() not working?
  • Thanks for your answer. I still don't understand: my code used the setcookie() function on the PHPSESSID cookie to expire it, but it is still alive after the browser got the header where that cookie shouldn't be inside. Thanks for your answer.
  • Hi, so the setcookie() function in my code should have expired the SESSID from the COOKIES superglobal, so that's why I don't understand why the same one is still there... thanks
  • OK, would love to help. Lemme put in my coding ability. I'll update my comment with code included 💪💪
  • Awwn sweet. Ok I’ll found an answer