Larry Ullman's Book Forums


As I look at the cookies on my web browser, I notice that the PHPSESSID does not get deleted after I have logged out. The logout script contains:

 

$_SESSION = array(); // Clear the variables.
session_destroy(); // Destroy the session itself.
setcookie ('PHPSESSID', '', time()-3600, '/', '', 0, 0); // Destroy the cookie.

 

Shouldn't the third line here do that?

 

According to page 356, this line:

"...sends a cookie to replace the existing session cookie in the browser"

 

However, the content of the cookie (9580067fe06d9b5c25c89e1c230b062a) remains the same.

 

ALSO (while I'm on the subject):

While I have sessions going in my browser, I will go to a PayPal page and "buy something". When I return to my own site after completing the PayPal purchase, I find that the session values are still intact (that's good) and still have access to the original "user_id" etc. I'm unclear, really, about how a session ends other than by coding it such as in "session_destroy". Obviously, going to another page and back doesn't do it.

 

Thanks for clarifying this for me.


That setcookie() line should destroy the cookie. One possible reason why it wouldn't is that it's not using the same parameters as the setcookie() line that created it.

 

Going to another site does not clear your session. There are only two ways of clearing a session:

- Programmatically, using the code explained in the book

- Over time. For example, eventually the cookie expires in the browser and eventually garbage collection on the server will get rid of the stored data.

It'd actually be a bad thing if just going to another site cleared a session, as your e-commerce example with PayPal would fail if that were true.

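One way to rule out the parameter mismatch mentioned in the reply above, shown as an added example that is not from the book or from either poster: the deletion cookie is built from the name and parameters PHP itself reports for the session cookie instead of hard-coded values. It assumes PHP 7.3 or later (for the options-array form of setcookie()); the function names logout() and session_cookie_deletion_options() are hypothetical.

```php
<?php
// Added example (not from the book or the forum posts).
// Builds the deletion cookie from the parameters PHP used when it created
// the session cookie, so the name, path and domain always match.

function session_cookie_deletion_options(array $params): array
{
    // An expiry time in the past tells the browser to discard the cookie.
    $options = [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
    ];
    // 'samesite' is an empty string unless it has been configured.
    if (!empty($params['samesite'])) {
        $options['samesite'] = $params['samesite'];
    }
    return $options;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // Resume the session so it can be destroyed.
    }
    $name   = session_name();              // Not necessarily 'PHPSESSID'.
    $params = session_get_cookie_params(); // path, domain, secure, httponly, ...

    $_SESSION = [];    // Clear the variables.
    session_destroy(); // Destroy the server-side session data.

    // Only send a replacement cookie if sessions are cookie-based.
    if (ini_get('session.use_cookies')) {
        setcookie($name, '', session_cookie_deletion_options($params));
    }
}

logout(); // Must run before any output is sent, since it sets a header.
```

To confirm the result, compare the Set-Cookie header in the logout response with the stored cookie in the browser's developer tools: the name, path and domain should be identical.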