Paul

Reputation: 11746

Why won't my cookie go away? **UPDATE**

I'm setting an auth cookie like so:

$identifier = $this->createIdentifier($username);
$key = md5(uniqid(rand(), true));
$timeout = time() + 60 * 60 * 24 * 100;

setcookie('auth', "$identifier:$key", $timeout);

After logout I'm trying to invalidate it by doing this:

setcookie('auth', "", time() - 3600);

When I try to view a restricted page after logging out I'm checking to see if the cookie exists:

if (isset($_COOKIE['auth'])) {
    error_log("COOKIE EXISTS: " . print_r($_COOKIE, true));
}

Here is my logout script:

if (!isset($_SESSION)) session_start();

$ref = "index.php";

if (isset($_SESSION['username'])) {
    unset($_SESSION['username']);

    session_unset();
    session_destroy();

    // remove the auth cookie
    setcookie('auth', "", time() - 3600);
}

header("Location: " . $ref);
exit();

I shouldn't be hitting this code but I am. After logging out I see the cookie has been removed from my browser. Any idea how it's finding it again after logging out?

UPDATE This code gets called from another class that checks user privs etc. The only files it doesn't work with are files that reference it from one directory above. For instance:

Any file referencing it like this works OK:

<?php include_once('classes/check.class.php'); 

Any file referencing it like so does NOT work:

<?php include_once('../classes/check.class.php'); 

Any thoughts what might be causing this?

Upvotes: 1

Views: 287

Answers (1)

John Conde

Reputation: 219834

After you log the user out you need to do a redirect to cause a new page load. Since cookies are sent with page requests, until a new request is made those cookies are still alive even after you "delete" them.

Upvotes: 2
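
Added example, not part of the answer above or of the asker's code: a browser drops a stored cookie only when the expiring `Set-Cookie` carries the same name, domain and path as the original, and `setcookie()` called without a path scopes the cookie to the directory of the requesting URL, which matters when pages in different directories are involved. The sketch below issues and revokes the `auth` cookie from one shared attribute set; the helper names are hypothetical, and it assumes PHP 7.3+ and an HTTPS site.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper names); requires PHP 7.3+ for the options array.
const AUTH_COOKIE = 'auth';

// One attribute set for both issuing and revoking. A browser replaces or drops a
// stored cookie only when name, domain and path of the new Set-Cookie match it.
function authCookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',     // explicit; with no path the cookie is scoped to the requesting URL's directory
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // keep the token out of reach of page scripts
        'samesite' => 'Lax',
    ];
}

function issueAuthCookie(string $identifier): string
{
    $key = bin2hex(random_bytes(32)); // CSPRNG token in place of md5(uniqid(rand(), true))
    setcookie(AUTH_COOKIE, "$identifier:$key", authCookieOptions(time() + 60 * 60 * 24 * 100));
    return $key; // caller records it server-side so it can be checked and revoked
}

function revokeAuthCookie(): void
{
    setcookie(AUTH_COOKIE, '', authCookieOptions(time() - 3600));
    unset($_COOKIE[AUTH_COOKIE]); // $_COOKIE was filled when the request started; clear that copy too
}

function logout(string $redirectTo = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
    revokeAuthCookie();          // runs whether or not a session existed
    header('Location: ' . $redirectTo);
    exit();
}
```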
