How do I delete PHPSESSID on client computers

Question

UPDATE ON THE PROBLEM:

• On some browsers, we have two PHPSESSIDs.
• One PHPSESSID is not set by me anywhere in my script
• It has HOST (instead of DOMAIN for the PHPSESSID I set) as www.mywebsite.com
• I have tried deleting it using setcookie: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/', 'www.mywebsite.com'); but this fails.
• An attempt to delete cookie using: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/'); results in the PHPSESSID I set being deleted.
• I have tried using session_name to rename the SESSION I set. This works but crashed my server severally after some minutes.
• I am out of options.

---

I am working with PHP sessions on my website.

The session path was /folder, later on I changed to / to fit the new purpose.

Now, old users cant login.

It seems they now have two PHPSESSIDs stored on their browsers - one with path /folder and the other /.

What can I do to ensure that old users can login while ensuring that the session is sitewide with "/".

MORE INFORMATION

When I said two phpsessionid, refer to the image

2. The login works if I use

A. session_set_cookie_params(864000, '/cv', '.website.com', 0, 1);

but fails to work if I use:

B. session_set_cookie_params(864000, '/', '.website.com', 0, 1);

• If I use Version 2A above, the session will only be available in /cv and not be available in other website folders eg. /folder.

UPDATE ON DELETING PHPSESSID WITH JAVASCRIPT

• When I run alert(document.cookie), it shows all cookies except the PHPSESSID
• Hence all attempts to delete the PHPSESSID cookie fails, whereas other cookies can be deleted.

UPDATE ON DELETING PHPSESSID WITH PHP

• When I var_dump($_COOKIE['PHPSESSID']); what is returned is the value of the PHPSESSID with path /cv
• An attempt to delete with setcookie ("PHPSESSID", "", time() - 3600); fails.

Answer 1

You can try this. It works for me.

    if (isset($_COOKIE['PHPSESSID'])) {
        unset($_COOKIE['PHPSESSID']);
        setcookie('PHPSESSID', '', -1, '/');
    }

Answer 2

It is mentioned here, though Use of session_register() is deprecated and Use of $_SESSION is preferred : -

If session_start() was not called before this function is called, an implicit call to session_start() with no parameters will be made. $_SESSION does not mimic this behavior and requires session_start() before use.

Then, using $_SESSION , append a JSON file with Auth=True, with TimeOut=20 minutes.
Whenever, user logs out or after timeout, set Auth=False. Then, read that JSON file using PHP and

Then, if Auth=False, create JS using PHP that OnLoad event, document.cookie = 'PHPSESSID' + '=;expires=Thu, 01 Jan 1970 00:00:01 GMT;';

Answer 3

Just provide the 4th argument when calling setcookie function :

setcookie ("PHPSESSID", "", time() - 3600, '/');

Explanation

The 4th argument of the setcookie() function is $path of the session to be set. And for this, "The default value is the current directory that the cookie is being set in.". (See : http://php.net/manual/en/function.setcookie.php.) So if you are calling this function from a file locating in folder "/folder", it will try to delete a cookie from that folder only. By setting the $path to "/" we are telling the function to delete the session_id from the root directory.

I have tested it and it deleted the PHPSESSID from the cookie successfully.

Answer 4

You can remove it by setting it with a previous time for it to expire:

setcookie('phpsessid','value',time()-1);

Answer 5

Yeah, you need to set the cookie time to a negative value so the browser can delete it, in adition we set the stored value to empty string which also helps to delete the same cookie...

This (a the top of your page) would do, just be sure to session_start() first:

setcookie('PHPSESSID', '', -3600, '/cv');

This works flawlessly on all my domains, I had this problem once.

Answer 6

You cannot Delete Cookie of Cleint Browser's

First thing you have to understand that you cannot delete the COOKIES on client systems by any means. When you invalid then browser doesn't delete it, but makes the cookie unvalid. The cookie is still there on the clients system. But the browser just ignores it. In order to delete it the client must do it themselves.

To invalid all sessions you can use

session_start(); // initialize session
session_destroy(); // destroy session
setcookie("PHPSESSID","",time()-3600,"/"); // delete session cookie

or javascript code:

document.cookie = "PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00
        UTC;path=/;host=localhost";

In every case you can't delete cookie set by browser's. As PHP and javascript can only issue commands only to invalid the already set cookies present.

Only Way to Delete Cookie

• By the client himself.

• Direction to flush cookies and cache

• Uninstall the browser and then Re-Install it.

Recommendations to Achieve Purpose

Create a new php script and insert it on the top of login.php and in this script you check whether there are two PHPSessionId and if there are two then destroy all of them and reload the page. Until you reload the last cookie used before any event would be in-session. You must reload the page or redirect use:

Removing two PHPSESSID

 count=0;

 foreach($_COOKIE as $key => $value){
    if ( $key == "PHPSESSID" ){
       count++;
    }
 }
 if (count>1){
    //Destory all cookies here
    foreach($_COOKIE as $key => $value){
          setcookie($key,"",time()-3600,"/");
    }

    //Reload/redirect the current page to dispose of all things
    header("Locations:" . $your_url);
    exit(0);
 }

Now there would be only I session of PHPSESSID in every case

Answer 7

Lets go back to basics - Here is something that I believe you should try: Run your site. Keep a note of PHPSESSID. then close the browser completely, open the browser again, and then run your site. Check the PHPSESSID and see if it is the same.

If it is not same then it is not a cookie but a Session ID specific for the browser session. Second, if the PHPSESSID is the same as set the first time then it is a cookie and you 'will' be able to delete any key=>value pair set to the cookie resources. May be you are referencing something wrong in the JS or PHP code.

Please try this and revert with results. It will give a lot more clarity. Sessions, LocalStorage, IndexDB, Cookies all are different things and referenced differently.

Answer 8

You can change the cookie name for your new session using session_name() before session_start() and let the problem solve itself in a few days.

session_name("SESSION_ID");
session_start();

Answer 9

I would simply expire the cookie from /folder. This should leave you with only one session cookie for /

setcookie('PHPSESSID', '', time() - 86400, '/folder/');

Answer 10

I think you are mixing up things or you should go into more detail about your setup/problem.

PHP's session path is the location where session data is stored on your server, not the client. See the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.save-path

You can move these files and replace/keep in case of collisions how you see fit. This is pretty much only restricted by read/write-permissions you have when accessing/moving stuff and your webserver-user (e.g. apache or nginx) or php-user has for reading/writing them from/to the new location.

If by "PHPSESSID in their browser" you mean the session id is part of your urls, that is a different PHP-setting, that should be disabled anyway, see notice in the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid

edit based on your updated question:

There already is a nice JS-based solution for expiring the old cookie. I would go with that. if you can't just do that, you could do a redirect to /cv have a php-script there that reads the cookie and stores the data somewhere (a database for example based on the user_id) and expire the cookie. Then you can redirect to the old page, look for the "/"-cookie and restore the data. It's a very ugly hack, but I don't think you can get the cookie for each path in PHP, since it's server side and based on the session id provided by the client (but I might be wrong).

Answer 11

If you send manually the header with new expiring date for desired path, the client should remove it.

session_start();
header("Set-Cookie:PHPSESSID=".session_id()."; expires=Sat, 07-Nov-1999 14:58:07 GMT; path=/cv/");

The first time, you have the old cookie path, but from the second page call only the cookie in path / will be stored and transmitted.

You can send this header when you know if the client is affected by this problem or having this for some month.

Answer 12

The solution will be let users go to /folder path for the duration of session expire time. On this path make php script for copying ALL COOKIES from /folder to / path by using setcookie function (http://php.net/manual/ro/function.setcookie.php)

foreach ($_COOKIE as $key => $value) {
    setcookie($key, $value, $expire, "/")
}
// redirect to "/" now. User will be able to login.

Additional explanation: cookies are tied to path and domain, its important (and by default its /, but it seems not in your case). So PHPSESSID from subpath (like /folder or /me) not accessible from parent. And they propagate from parent to child. So cookies from /me are the same as for / with there not assigned explicit.

Answer 13

You have to remove a cookie on the client side. This is possible with javascript.

Try this javascript on your site:

<script type="text/javascript">
     document.cookie = "PHPSESSID=;Path=/cv;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
</script>

An example:

For this example is use the site https://developer.mozilla.org/en-US/.
If i load this site on the cookies there are the following entries Now I want to remove the cookie with name dwf_section_edit. To delete this cookie I set the expire date to the past. After I execute

document.cookie = "dwf_section_edit=;Path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT;";

on the console, the cookie is away as you can see on the following image (i used the little refresh button on bottom left of the table because it is only temporary on this example)

On the next reload i get the cookie again in this example, because Mozilla give it back to me. On your site you don't have to create the old cookie again, and all is fine.

Answer 14

I guess your script does not know, which session should be accessed upon session_start();

Try to specify correct path for session using

ini_set('session.cookie_path', '/');

or

session_start(['cookie_path' => '/']);

depending on your setup

If that does not help, i would suggest using session_regenerate_id() that will replace the current session id with a new one, and keep the current session information.