Cookie won't unset

OK, I'm stumped, and have been staring at this for hours.

I'm setting a cookie at /access/login.php with the following code:

setcookie('username', $username, time() + 604800, '/');

When I try to logout, which is located at /access/logout.php (and rewritten to /access/logout), the cookie won't seem to unset. I've tried the following:

setcookie('username', false, time()-3600, '/');

setcookie('username', '', time()-3600, '/');

setcookie('username', '', 1, '/');

I've also tried to directly hit /access/logout.php, but it's not working.

Nothing shows up in the php logs.

Any suggestions? I'm not sure if I'm missing something, or what's going on, but it's been hours of staring at this code and trying to debug.


How are you determining if it unset? Keep in mind that setcookie() won't remove it from the $_COOKIE superglobal of the current script, so if you call setcookie() to unset it and then immediately print_r($_COOKIE);, it will still show up until you refresh the page.

Try pasting javascript:alert(document.cookie); in your browser to verify you don't have multiple cookies saved. Clear all cookies for the domain you're working on to make sure you're starting fresh. Also ini_set(E_ALL); to make sure you're not missing any notices.


Seems to be a server issue. My last domain was pretty relaxed on PHP error handling while the new domain shows every error. I'm using both sites side by side and the old one removes the cookie as it should.


Is there perhaps a timezone issue here? Have you tried setting using something farther in the past, like time() - (3600*24)? PHP's documentation says that the internal implementation for deleting cookies uses a timestamp of one year in the past.

Also, you should be able to use just setcookie('username', false); without passing an expiration timestamp, since that argument is optional. Maybe including it is confusing PHP somehow?


How do you use the cookie data in your application?

If you read the cookie and check if username is not false or not '', then setting it to false or '' will be sufficient, since your application will ignore the cookie's value.

You'd better put some security in the cookie's value, to prevent the user from changing its value. You can take a look at the CodeIgniter session library to see how CI protects the cookie's value using a hash. An unauthorized value change will be detected and the cookie will be deleted.

Also, CI does this to kill the cookie:

// Kill the cookie
setcookie(
    $this->cookie_name,
    addslashes(serialize(array())),
    (time() - 31500000),
    $this->cookie_path,
    $this->cookie_domain,
    0
);
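
The hash protection mentioned in the answer above, as an added example that is not from the thread and is not CodeIgniter's code: it signs the username cookie with HMAC-SHA256, verifies it with hash_equals(), and expires it with the same path it was set with. The key, constants and function names are assumptions made for illustration.

```php
<?php
// Constructed placeholder key (assumption): load a random secret from server config.
const COOKIE_KEY  = 'constructed-demo-key-replace-me';
const COOKIE_NAME = 'username';
const COOKIE_PATH = '/';   // must match the path used when the cookie was set

// Build "user|expiry|mac" so neither field can be edited client-side.
function signCookieValue(string $username, int $expires): string
{
    $payload = rawurlencode($username) . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the username when the MAC matches and the value is unexpired, else null.
function verifyCookieValue(string $value, int $now): ?string
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, COOKIE_KEY);
    if (!hash_equals($expected, $mac) || !ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    return rawurldecode($user);
}

// Expire the cookie with the same name and path it was created with.
function killCookie(): void
{
    setcookie(COOKIE_NAME, '', time() - 3600, COOKIE_PATH);
    unset($_COOKIE[COOKIE_NAME]);   // setcookie() leaves the current request's $_COOKIE alone
}

// At login: setcookie(COOKIE_NAME, signCookieValue($username, $exp), $exp, COOKIE_PATH);
// On every request, before trusting the cookie:
$raw  = $_COOKIE[COOKIE_NAME] ?? '';
$user = is_string($raw) ? verifyCookieValue($raw, time()) : null;
if ($raw !== '' && $user === null) {
    killCookie();   // tampered or expired value: drop it
}

// Constructed demonstration values.
$good = signCookieValue('alice', time() + 604800);
$bad  = str_replace('alice', 'admin', $good);   // username edited, MAC unchanged
var_dump(verifyCookieValue($good, time()), verifyCookieValue($bad, time()));
```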


You can delete cookies from javascript as well. Check here http://www.php.net/manual/en/function.setcookie.php#96599


A simple and convenient way is to use these additional functions:

function getCookie($name) {        
    if (!isset($_COOKIE[$name])) return false;
    if ($_COOKIE[$name]=='null') $_COOKIE[$name]=false;
    return $_COOKIE[$name];
}

function removeCookie($name) {
    unset($_COOKIE[$name]);
    setcookie($name, "null");
}

Removing a cookie is simple:

removeCookie('MyCookie');
....
echo getCookie('MyCookie');


I had a similar issue.

I found that, for whatever reason, echoing something out of logout.php made it actually delete the cookie:

echo '{}';
setcookie('username', '', time()-3600, '/');


I had the same issue; I log out (and I'm logged out), manually reload the index.php and then I'm logged in again. Then when I log out, I'm properly logged out.

The log out is a simple link (index.php?task=logout). The task removes the user from the session, and "deletes" (set value '' and set expiry in the past) the cookie, but index.php will read the user's auth token from the cookie just after this (or all) task (as with normal operations), which will reload the user. After the page is loaded the browser will show no cookie for the auth token. So I suspect the cookie gets written after the page finishes loading.

My simple solution was to not read the cookie if the task was set to logout.


use sessions for authentication, don't use raw cookies

http://www.php.net/manual/en/book.session.php
