PHP session_destroy() isn't working

Question

This is frustrating, I've been working with PHP Sessions for a long time and haven't had this problem until now. I'm working on a basic login/logout script using PHP.

Here's what I have for my logout script.

logout.php

<?php
     session_start();
     unset($_SESSION['email']);
     session_destroy();
     header("Location:login.php"); 
?>

And therefore my login.php script has the following code:

login.php

// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");

if(pass and username are correct){
    $_SESSION['email'] = $email;
    session_write_close();
    header('Refresh: 1; logged_in.php');
}

Now when I login and I'm redirected to logged_in.php page, form there when I go to logout.php page, instead of being redirected to login.php it goes back to logged_in.php.

Which means that when it arrives to login.php the session still exists and it enters the following if statement in login.php

if(isset($_SESSION['email'])) header("Location:logged_in.php);

Answer 1

Try something like that:

session_start();

// I send the user to logged_in.php if the session already exists.
if(isset($_SESSION['email'])) header("Location:logged_in.php");

if(pass and username are correct){
    $_SESSION['email'] = $email;
    session_write_close();
    header('Refresh: 1; logged_in.php');
}

Answer 2

session_regenerate_id(true) worked for me. I was having the same issue before. It appears that some browsers do not properly delete the session cookie while they are active. Regenerating the ID gives you a fresh session, though you should still of course delete your old session as you have. I'm not quite sure if this is a fix or a workaround, but it works. session_regenerate_id will create a new session variable and delete the old one if you set the parameter to true.