  1. #1
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,048
    Thanks
    25
    Thanked 0 Times in 0 Posts

    How to Clear Session/Start New One

    I have a "create_account.php" script which allows people to register on my website.

    Over time, I think the sequence that I do things in has gotten messed up, and so it probably doesn't do what I originally intended it to do?!

    Here is what the top of my script *should* be doing...

    1.) Destroy any existing Sessions on the Server

    2.) Erase any associated Session Cookies on the Client

    3.) Start a New Session to store Registration Information.


    The goal of this is to make sure that when a New User lands on the Registration Form, he/she is working from a "clean slate" and can't get mixed up with any Sessions that could still be open, or any Cookie information that could also be active from another User.


    Could someone look at the code below, and tell me how to fix it so it meets these 3 goals??

    PHP Code:
    <?php

    // Initialize Session. (1)
    session_start();

    // Access Constants. (2)
    require_once(blah);

    // Access Functions. (3)
    require_once(blah);

    // Connect to Database. (4)
    require_once(blah);

    //NEW (5)
    // ********************
    // Set Form Token.
    // ********************
    if (!isset($_SESSION['form_token'])){
        $_SESSION['form_token'] = hash_hmac('sha512', uniqid(rand(), TRUE), VINEGAR);
    }

    //NEW (6)
    // ********************
    // Set Start Time.
    // ********************
    if (!isset($_SESSION['createAccount_start'])){
        $_SESSION['createAccount_start'] = time();
    }

    // Initialize Variables. (7)
    $_SESSION['resultsCode'] = '';
    $_SESSION['resultsTitle'] = 'Create Account results';

    // ****************************** (8)
    // Log Out User from Session.
    // ******************************
    $_SESSION['loggedIn'] = FALSE;

    // ************************ (9)
    // Clear Out Variables.
    // ************************
    unset($_SESSION['sessMemberID']);
    unset($_SESSION['sessUsername']);
    unset($_SESSION['sessFirstName']);

    // ******************************** (10)
    // Erase Session Cookie Contents.
    // ********************************
    setcookie("PHPSESSID", "", time() - 3600);

    // ********************************* (11)
    // HANDLE FORM.
    // *********************************
    if ($_SERVER['REQUEST_METHOD']=='POST'){

    BTW, I added a # next to each section of code to maybe make it easier to tell me how to reorder things!!

    Sincerely,


    Debbie

  • #2
    Senior Coder
    Join Date
    Sep 2010
    Posts
    1,903
    Thanks
    15
    Thanked 226 Times in 226 Posts
    This should not be required. When a user enters the site a unique session ID is issued to that user, and the server session cookie and also any client side cookies are unique. So if you have 100 visitors to your site the server will distinguish them. Now on my little site, not only does everyone have a unique session ID, they have a unique 'work area', an individual folder is made for them, so that when they upload and process images there will be no confusion.

    However, to destroy a session you only need to execute session_destroy(); and that person's session will disappear. Again, on my site, the last item in the menu is to delete the user files and destroy the session. To delete client side cookies you simply set them as 'session cookies', which expire at the end of the browser session. Other than making the cookie with that specification you have no control over what the client does with them.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #3
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,281
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Quote Originally Posted by DrDOS View Post
    This should not be required.
    Agreed but sadly it is. session_destroy simply destroys the CURRENT session - in other words, it saves, closes it and disposes of the $_SESSION array. It doesn't do the reverse - clean the array and then save it (and yes, it's a stupid way they describe this on php.net - utterly stupid):



    Quote Originally Posted by DrDOS View Post
    When a user enters the site a unique session ID is issued to that user, and the server session cookie and also any client side cookies are unique. So if you have 100 visitors to your site the server will distinguish them.
    If they're on separate machines yes that's correct. You can't assume that they are though and from the vague descriptions DD gave me of this site a year or so back, it has the potential to go big. That means you can't take chances like that and thus need to wipe the session completely and/or wipe the cookie so that it doesn't get re-used.

    Quote Originally Posted by DrDOS View Post
    However, to destroy a session you only need to execute session_destroy(); and that person's session will disappear.
    Don't count on that! We both know what your server is like with sessions

    This is on the same page for session_destroy on php.net. To be honest, just the $_SESSION = array(); thing would be enough to keep me happy but if you're logging session_id's to each user then you'll want the rest of the code to expire the cookie too thus forcing a new one to be generated.

    PHP Code:
    <?php
    // Initialize the session.
    // If you are using session_name("something"), don't forget it now!
    session_start();

    // Unset all of the session variables.
    $_SESSION = array();

    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    // Finally, destroy the session.
    session_destroy();
    ?>
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,048
    Thanks
    25
    Thanked 0 Times in 0 Posts
    Tangoforce,

    Yes, I saw all of that in the Manual.

    Care to share with me how I'd move stuff around in my code example?

    It used to be fine, but then I added my new sections, and I'm a little confused of the new sequence I need.

    Seems to me like I always have to start the Session, then kill it, then do I start it again????

    Remember this is not the Log-out script.

    I need to make sure everyone is logged out and all Sessions and Session Cookies are destroyed, and then start up a new Session so I can keep track of things for Registration.

    Sincerely,


    Debbie

  • #5
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,281
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Yes I'd start the session, wipe all the session array, destroy it (not sure if this includes session_write_close or not) and then restart a new session.

    As long as you have no html output prior to any of this, php will send TWO setcookie headers - one to backdate the expiry of the old cookie and one to create the new session cookie.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!
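
    One ordering for the top of create_account.php that meets the three goals from post #1, as an added example that is not part of the original thread. It uses session_regenerate_id(true), which the thread does not mention, so that a new session ID and cookie are always issued; the POST field name form_token and the rule of resetting only when no valid token arrives are assumptions of this example.

```php
<?php
// Added example, not code from the thread: one ordering for the top of
// create_account.php. The require_once lines from post #1 are left out.

/**
 * Give the visitor a clean session: wipe the data, delete the old
 * server-side record, and issue a new session ID and cookie.
 */
function start_clean_session(): void
{
    // A session has to be open before it can be cleared or replaced.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop everything stored under the ID the browser presented.
    $_SESSION = array();

    // Delete the old session record (true), generate a new ID, and send a
    // Set-Cookie that overwrites the old session cookie. Like any call that
    // sends headers, this must run before the script produces output.
    session_regenerate_id(true);

    // Registration state for the new session (sections 5, 6 and 8 of post #1).
    // random_bytes() is swapped in for the post's uniqid(rand()) token input.
    $_SESSION['form_token']          = bin2hex(random_bytes(32));
    $_SESSION['createAccount_start'] = time();
    $_SESSION['loggedIn']            = false;
}

// Keep the session only when a POST carries the token issued with the form.
// The field name 'form_token' is an assumption of this example.
$tokenOk = false;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    session_start();
    $sent = $_POST['form_token'] ?? '';
    $tokenOk = is_string($sent)
        && isset($_SESSION['form_token'])
        && hash_equals($_SESSION['form_token'], $sent);
}

if (!$tokenOk) {
    // First arrival (GET), or a stale or missing token: clean slate.
    start_clean_session();
}
// When $tokenOk is true, continue into the form handler (section 11).
```

    Resetting on every request, POST included, would discard the token and start time stored when the form was served, which is why the reset is skipped when a valid token is presented.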

