4 replies to this topic

[Demonslay]

Now I just don't get this.
I'm working on a user system, it uses cookies and session data combined.
I'm working on the logout part.

This is the function that came with the script (it's from a tutorial, I've modded most of it a bit and such).

//Destroy all sessions and cookies
function logout()
{
	session_destroy();
	setcookie('username', $username, time()-15000);
	setcookie('password', $password, time()-15000);
	return true;
}

$username and $password are given by session data and such using a user_data() function and such.
When the login script it pointed to the action of logout, it simply calls this function.

When I access the page, I then look in my cookies, and they are still there with the full data (username, full md5 hashed password). I also go to any pages such as the admin control panel (which is non-accessible with anyone without authorization level clearence), they let me in without question.
Not a fault with the authentication, if I remove them manually, they work fine.

Some reason it seems this just isn't erasing the cookies. I've ensured the function is working, by putting it in an if statement, and having it return false.

I've tried using the $_COOKIE variables and setting them to '' or FALSE, to no avail. Tried setting the cokies above as FALSE and '' strings; no avail.
I know it isn't a header issue, as I have ob_start on my index page, and even if that were an issue, setcookie() would return FALSE and kill the function with an error of some sort, as I have tested with more if statements.
I also used print_r() and it gives me the following.

Array ( [PHPSESSID] => *session data censored* [cprelogin] => no [username] => [password] => )

What the heck?

I've doublechecked all my Firefox settings, and they are set to respect the expiration date and stuff, but the cookies still exist on my hard drive.

Any ideas? Here's the page by the way.
I'll set up a dummy user for anyone who would be so kind as to test for themselves and see if it's just me. User and pass are both 'test'. Once you've logged in, try and logout, then go back to the login page (link will be under the logged out text).

Edited by Demonslay, 30 August 2006 - 09:20 PM.

[Matthew.]

Im not reading all that at nearly 4am but have you tried just using unset?

unset($_COOKIE['username']); etc instead of just misusing the duration? at, the cookies arent beign removed (try using java script:alert(document.cookie) and see.)

You may have done this, but i aint reading lol!

Edited by .Matt, 30 August 2006 - 09:28 PM.

[Demonslay]

Lol, sorry, I hate it when people don't give enough description to the problem, so I tend to go overboard.

Go idea, hadn't thought of it, thought it was discouraged by php.net.
Still though, didn't work. =\

I just don't get why this isn't working, it's worked for me before.
Then again, I've had this kind of problem on another site, where if the cookie deletion is done when someone accesses the login form again or something, it doesn't work. Yet, just a general logout using this exact same thing works...
I have this same method used for the admin logout on this same site, and it works fine...

I just don't get why print_r() shows no cookie values, yet they are apparently they are there as I physically see them on my hard drive, and other scripts are saying they exist.

Edited by Demonslay, 30 August 2006 - 09:41 PM.

[Ruben K]

Make sure you use a common cookie domain or path when setting or deleting your cookies!

For example:

Quote

setcookie('username', $username, time()-15000, '/')

Add this to all setcookie() uses in the script

Edited by Ruben K, 31 August 2006 - 02:53 AM.

[Demonslay]

Hey, what do you know, that works.
Normally doesn't it default to that? Also on the cookie itself, when I viewed it in Firefox options, said the directory for use already was '/'.
Rewrite Rules can really mess ya up I guess.

Thanks, now I just have to see why my admin control isn't letting me in even with the right user level, lol.
I'm going to upgrade the whole thing to work more like IPB's when I find a tutorial to help me better understand how that works in the first place. :wacko: