How do I delete PHPSESSID on client computers

Question

UPDATE ON THE PROBLEM:

• On some browsers, we have two PHPSESSIDs.
• One PHPSESSID is not set by me anywhere in my script
• It has

Answer 1

Yeah, you need to set the cookie time to a negative value so the browser can delete it, in adition we set the stored value to empty string which also helps to delete the same cookie...

This (a the top of your page) would do, just be sure to session_start() first:

setcookie('PHPSESSID', '', -3600, '/cv');

This works flawlessly on all my domains, I had this problem once.

Answer 2

It is mentioned here, though Use of session_register() is deprecated and Use of $_SESSION is preferred : -

If session_start() was not called before this function is called, an implicit call to session_start() with no parameters will be made. $_SESSION does not mimic this behavior and requires session_start() before use.

Then, using $_SESSION , append a JSON file with Auth=True, with TimeOut=20 minutes.
Whenever, user logs out or after timeout, set Auth=False. Then, read that JSON file using PHP and

Then, if Auth=False, create JS using PHP that OnLoad event, document.cookie = 'PHPSESSID' + '=;expires=Thu, 01 Jan 1970 00:00:01 GMT;';

Answer 3

You have to remove a cookie on the client side. This is possible with javascript.

Try this javascript on your site:

<script type="text/javascript">
     document.cookie = "PHPSESSID=;Path=/cv;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
</script>

An example:

For this example is use the site https://developer.mozilla.org/en-US/.
If i load this site on the cookies there are the following entries Now I want to remove the cookie with name dwf_section_edit. To delete this cookie I set the expire date to the past. After I execute

document.cookie = "dwf_section_edit=;Path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT;";

on the console, the cookie is away as you can see on the following image (i used the little refresh button on bottom left of the table because it is only temporary on this example)

On the next reload i get the cookie again in this example, because Mozilla give it back to me. On your site you don't have to create the old cookie again, and all is fine.

Answer 4

The solution will be let users go to /folder path for the duration of session expire time. On this path make php script for copying ALL COOKIES from /folder to / path by using setcookie function (http://php.net/manual/ro/function.setcookie.php)

foreach ($_COOKIE as $key => $value) {
    setcookie($key, $value, $expire, "/")
}
// redirect to "/" now. User will be able to login.

Additional explanation: cookies are tied to path and domain, its important (and by default its /, but it seems not in your case). So PHPSESSID from subpath (like /folder or /me) not accessible from parent. And they propagate from parent to child. So cookies from /me are the same as for / with there not assigned explicit.

Answer 5

I think you are mixing up things or you should go into more detail about your setup/problem.

PHP's session path is the location where session data is stored on your server, not the client. See the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.save-path

You can move these files and replace/keep in case of collisions how you see fit. This is pretty much only restricted by read/write-permissions you have when accessing/moving stuff and your webserver-user (e.g. apache or nginx) or php-user has for reading/writing them from/to the new location.

If by "PHPSESSID in their browser" you mean the session id is part of your urls, that is a different PHP-setting, that should be disabled anyway, see notice in the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid

edit based on your updated question:

There already is a nice JS-based solution for expiring the old cookie. I would go with that. if you can't just do that, you could do a redirect to /cv have a php-script there that reads the cookie and stores the data somewhere (a database for example based on the user_id) and expire the cookie. Then you can redirect to the old page, look for the "/"-cookie and restore the data. It's a very ugly hack, but I don't think you can get the cookie for each path in PHP, since it's server side and based on the session id provided by the client (but I might be wrong).

Answer 6

I guess your script does not know, which session should be accessed upon session_start();

Try to specify correct path for session using

ini_set('session.cookie_path', '/');

or

session_start(['cookie_path' => '/']);

depending on your setup

If that does not help, i would suggest using session_regenerate_id() that will replace the current session id with a new one, and keep the current session information.