Results 1 to 9 of 9

Thread: PHP Cookie deletion

  1. #1
    Join Date
    Mar 2018

    PHP Cookie deletion

    Dear forum, I need an expert opinion about a session cookie. Here is the situation:

    start a session, blah blah data end a session.
    set an expired cookie before deleting the session.

    This test requires Microsoft Edge browser because it shows the cookie in the console. I can't see the cookie info in the Firefox console. To understand the question, you need to start and end a session and use Edge console to see the session cookie. When developer tools are enabled, view source opens the console. The debugger tab shows cookies in the left pane. I can see my session cookie listed throughout the session and i can watch the session id change (regenerate_id(true). However, when i destroy the session and set the cookie expiration, I still see a cookie. Shouldn't the cookie be deleted? why can i still see it with the last session id?

    if you watch the session temp folder, you can see your session file disappear when you destroy the session. shouldn't the cookie disappear? is the cookie really invalid and Edge stores it until the browser closes? I think that this is a session cookie not persistent, so if the session is closed then the cookie should be deleted. When the cookie is not deleted, i worry that the code to expire the cookie is not correct.


    //update session variables
    //page code here

    //when ready to delete the session
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $params["domain"], $params["path"], $params["secure", $params["httponly"]);
    session_start(); $_SESSION = array(); session_unset(); session_destroy();


    I am a beginner, so I wonder if the cookie is still visible because the browser only deletes it when the browser is closed or maybe my code is not really deleting the cookie. I cannot view the cookie because i cannot find its location in Windows 10. I have no idea if the cookie is really being deleted or made to be invalid, then deleted when the browser closes.

    I hope that someone understands this matter, it's driving me nuts. I expect to see the cookie disappear in the console.


  2. #2
    Join Date
    Jul 2013
    Voorheesville NY USA
    I BELIEVE this phenomena is caused by the way cookies are provided to you. They are loaded when the server sends your client its data. That means that a cookie created during the current session is not viewable until the next time the server sends data to you. The same is probably true when you delete one - it doesn't go away until the server refreshes your content.

    I could be describing this wrong but I think this is the general idea behind cookie behavior. Your last comment is pretty close to what I am describing to you so I think you are spot on.
    PS - If you're posting here you should be using:

    ini_set('display_errors', '1');

    at the top of ALL php code while you develop it!

  3. #3
    Join Date
    Mar 2018
    I think so too. I suppose that I could always set a persistent cookie but i'm not interested. As long as the cookie is made invalid, then i will accept the session status holding it until the browser is closed. all is good. atleast you also think that it is a browser thing.

    Thanks for taking time to reply. also, sorry for forgetting to surround the php in a code tag. I always forget to do this in forums. My apologies.

  4. #4
    Join Date
    Aug 2004

    I believe the session_start() will generate a cookie that overwrites the one you define in the preceding line. Instead of setcookie() there, I think you want to do a session_set_cookie_params(), instead.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  5. #5
    Join Date
    Mar 2018


    Thank You so much ginerjm and NogDog for posting here and trying to help a fellow programmer. I have tried a few forums and noone offers help. I've solved the problem just now because the two of you were vocal in this thread and offered advice, id est, networking team work. I doff my hat to the both of you.

    I'm actually braving the world by building my own sessions (sans framework.) I couldn't quite understand the process at first. I had trouble deleting sessions, then the cookies. I've finally deleted sessions but the cookies were remaining. I keep scratiching and clawing and insisting that they should be deleted. You both helped me to realize that something is wrong with my approach. I've actually followed the advice at php.net and it isn't working.

    Turns out, that i forgot to move the session_start() as pointed out by NogDog. I decided to move it back. I am tired and I get sloppy sometimes. Anyway, I did some research for the past two hours and I came across a post at stackoverflow. The poster mentioned that he couldn't get his cookies to delete without setting the path '/'. I decided to recode my session handling and cookie handling and now the cookie is gone! I am so happy. I now have a fully functioning secure session. I am so relieved. Here is the final code where I destroy the session and cookie:

    if(empty($formerrors)) {
        $_POST = array(); session_start();
        setcookie('my-cookie-name', '', time() - 3600, '/'); unset($_COOKIE['my-cookie-name']);
        $_SESSION = array(); session_unset(); session_destroy();
        header("Location: ../Thankyou/");
    } else {
    //form has errors
    I am so happy that my sessions and cookies are finally being handled correctly. I've spent over a month on this session. Thank You for helping

  6. #6
    Join Date
    Jul 2013
    Voorheesville NY USA
    Why are you so focused on sessions? I may be na´ve but I simply do a session_start at the top of every script and let the session expire when my browser closes. I'm not doing anything that requires as much paranoia as you apparently so I am comfortable with PHP protecting my apps from session tampering and with PHP removing the session contents when the session terminates all by itself.
    PS - If you're posting here you should be using:

    ini_set('display_errors', '1');

    at the top of ALL php code while you develop it!

  7. #7
    Join Date
    Mar 2018
    I'm building a commercial website where I am also bound by EU privacy laws. I have the miserable task of more than session_start(); I have already dealt with eliminating XSS, CSRF, SQL injections and query strings. I now need to combat session fixation and session hijacking. My next step is to create a password hash with a digest reiterated a thousand times. I am completely interested in protecting my customers privacy the best that i can do so. I'm not going to pay someone to do it for me. First of all, i've asked about this and the three developers that i spoke with don't even salt, hash and digest passwords. nowonder so many kiddie scripts cause problems these days. I'll just do it myself and I refuse to use frameworks. Anyway, I'm quite proud of my session management. However, before my site goes live, I will hire a security expert to look over my code and test my site for vulnerabilities. I won't be able to stop serious hackers but alot of the nonsense will be mitigated. I can sleep better at night knowing that I've done all that I can do to protect my customers.

  8. #8
    Join Date
    Jul 2013
    Voorheesville NY USA
    To go thru all that you are doing is commendable. BUT to then say that 'I won't be able to stop serious hackers' makes me wonder what you are doing! Isn't it the serious ones you should be most concerned about???
    PS - If you're posting here you should be using:

    ini_set('display_errors', '1');

    at the top of ALL php code while you develop it!

  9. #9
    Join Date
    Mar 2018
    the two of us can combine our brain power and not be able to outsmart the best hackers. i accept this fact. one cannot expect me to be smarter than the folks at Google, Apple, Microsoft, Intel etc. and they are hacked constantly. Not to mention all of the government backdoors. It's like asking me to slap Mike Tyson and challenge him to a street fight. I'm not stupid. :-)

    i realize that top hackers are just to smart for a beginner like me. Not to mention, i cannot possibly be responsible for hardware and software vulnerabilities like the recent meltdown and spectre. I can do so much to protect my customers.

    However, i do know one way to slap hackers: i do not store personal user info on the server. so when a user signs up for my services, i encrypt their form input and mail it to myself for decryption wioth a secret key. all of that personal data is kept on my non-internet, non local network connected pc. impossible to steal their data via website hacking. so i win :-)

    i wish i were a better programmer to be able to stop hackers but it is not possible at this time. maybe one day i will be better at dealing with hackers. For now, i'm at the mercy of my host, server, php and my scripts. I'll do everything that i can to secure my scripts but i accept the fact that i am not smarter than the top hackers.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
HTML5 Development Center



X vBulletin 4.2.2 Debug Information

  • Page Generation 0.14124 seconds
  • Memory Usage 2,946KB
  • Queries Executed 15 (?)
More Information
Template Usage (33):
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_global_above_footer
  • (1)ad_global_below_navbar
  • (1)ad_global_header1
  • (1)ad_global_header2
  • (1)ad_navbar_below
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)ad_thread_first_post_content
  • (1)ad_thread_last_post_content
  • (1)bbcode_code
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)headinclude_bottom
  • (9)memberaction_dropdown
  • (1)navbar
  • (4)navbar_link
  • (1)navbar_moderation
  • (1)navbar_noticebit
  • (1)navbar_tabs
  • (2)option
  • (9)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available (6):
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files (26):
  • ./showthread.php
  • ./global.php
  • ./includes/class_bootstrap.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/functions_navigation.php
  • ./includes/class_friendly_url.php
  • ./includes/class_hook.php
  • ./includes/class_bootstrap_framework.php
  • ./vb/vb.php
  • ./vb/phrase.php
  • ./includes/functions_facebook.php
  • ./includes/functions_calendar.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_notice.php
  • ./packages/vbattach/attach.php
  • ./vb/types.php
  • ./vb/cache.php
  • ./vb/cache/db.php
  • ./vb/cache/observer/db.php
  • ./vb/cache/observer.php 

Hooks Called (72):
  • init_startup
  • friendlyurl_resolve_class
  • init_startup_session_setup_start
  • database_pre_fetch_array
  • database_post_fetch_array
  • init_startup_session_setup_complete
  • global_bootstrap_init_start
  • global_bootstrap_init_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • load_show_variables
  • load_forum_show_variables
  • global_state_check
  • global_bootstrap_complete
  • global_start
  • style_fetch
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • strip_bbcode
  • friendlyurl_clean_fragment
  • friendlyurl_geturl
  • forumjump
  • cache_templates
  • cache_templates_process
  • template_register_var
  • template_render_output
  • fetch_template_start
  • fetch_template_complete
  • parse_templates
  • fetch_musername
  • notices_check_start
  • notices_noticebit
  • process_templates_complete
  • friendlyurl_redirect_canonical
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • memberaction_dropdown
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • build_navigation_data
  • build_navigation_array
  • check_navigation_permission
  • process_navigation_links_start
  • process_navigation_links_complete
  • set_navigation_menu_element
  • build_navigation_menudata
  • build_navigation_listdata
  • build_navigation_list
  • set_navigation_tab_main
  • set_navigation_tab_fallback
  • navigation_tab_complete
  • fb_like_button
  • showthread_complete
  • page_templates