
I use the following code to log users out of a web app. While logging in I set the cookies email and password, but after logging out, visiting the home page automatically logs the user in again, probably because the cookies weren't successfully destroyed. Please, how do I get it right? Here is the logout code:

function log_out() {
   $old_user = $_SESSION['valid_user'];
   unset($_SESSION['valid_user']);
   unset($_SESSION['login']);
   unset($_SESSION['blog_addr']);
   $result_dest = session_destroy();

   setcookie('email', '');
   setcookie('pswd', '');

   if (!empty($old_user)) 
     if ($result_dest)
       return true;
     else 
       $msg = 'Could not log you out ';
   else 
        $msg = 'You have not been logged in so you are not logged out ';      
   return $msg;
}
    Please do not store people's passwords in their cookies. See stackoverflow.com/questions/1410901/… for better ways of doing the same thing. Commented May 10, 2011 at 19:26
  • From a security perspective, it's a really bad idea to store the password in a cookie. You may want to read over the two strategies here: static.springsource.org/spring-security/site/docs/3.0.x/…. (Even though the docs are for a Java package, the principles are still very applicable!) Commented May 10, 2011 at 19:56

5 Answers


You need to call setcookie with an expiration date in the past. See the example here:

http://php.net/manual/en/function.setcookie.php


Try setting the cookie expiration for some time in the past:

setcookie ("email", "", time() - 3600);


How did you set up your cookie (when logging in)?

In general, to set a cookie off, you have to go back in time!

setcookie("email", "",time()-3600,'/');


In addition to the other comments: you've set $_SESSION['valid_user'] to $old_user before you did an unset, so you shouldn't be checking $old_user, as it contains the old data. You shouldn't even need to set those to any variables. Also, you should be using brackets.

function log_out() {
   unset($_SESSION['valid_user']);
   unset($_SESSION['login']);
   unset($_SESSION['blog_addr']);
   $result_dest = session_destroy(); // bool: true if the session data was destroyed

   setcookie('email', '', time() - 3600);
   setcookie('pswd', '', time() - 3600);

   if (!isset($_SESSION['valid_user'])) {
     if ($result_dest) // don't know what this does.
       return true;
     else
       $msg = 'Could not log you out ';
   }
   else
        $msg = 'You have not been logged in so you are not logged out ';
   return $msg;
}

1 Comment

I think the session_destroy() function returns a bool, so the line if($result_dest) checks if the session was successfully destroyed. Although I don't really see the need for that.

Try to delete the cookies by doing this:

setcookie ("email", "", time() - 3600);
setcookie ("pswd", "", time() - 3600);

This will delete the cookies by setting their expiration date in the past.
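As an added example (not code from any of the answers or from the asker), the expiry-in-the-past technique from the answers above applied to every cookie the login set, plus PHP's own session-id cookie, which session_destroy() does not remove from the browser. It assumes the login set the email/pswd cookies with path '/'; a browser only discards a cookie when name, path and domain all match the original.

```php
<?php
// Added example: a logout that clears server-side session state and every
// client-side cookie tied to the login. Assumes the login set 'email' and
// 'pswd' with path '/' (the question's cookie names; storing a password in
// a cookie at all is what the comments on the question advise against).

function delete_cookie(string $name, string $path = '/'): void
{
    // Empty value + expiry in the past: the browser drops the cookie.
    // Also clear $_COOKIE so the rest of this request does not see it.
    setcookie($name, '', time() - 3600, $path);
    unset($_COOKIE[$name]);
}

function log_out(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $was_logged_in = isset($_SESSION['valid_user']);

    // Drop all session values, not only the three the question names.
    $_SESSION = [];

    // session_destroy() removes the server-side data but leaves the
    // session-id cookie in the browser; expire it with the same
    // path/domain/flags PHP used when it was issued.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    $destroyed = session_destroy();

    delete_cookie('email');
    delete_cookie('pswd');

    return ['was_logged_in' => $was_logged_in, 'destroyed' => $destroyed];
}

$state = log_out();
// Redirect so the next request arrives without the old cookies instead of
// rendering the home page in the same request that cleared them.
header('Location: /', true, 303);
exit;
```

If the login set the cookies with an explicit domain or a different path, pass the same values to setcookie here, otherwise the browser keeps the original cookie and the user is logged back in on the next visit.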
