Geek Answers Handbook

How to disable PHP session cookie?

I am writing PHP code where I want to pass the session identifier myself using POST. I do not want the cookie to save the session, as it should be lost when the user exits the POST loop.

PHP automatically sets a cookie where it is available. I found out that you can change this behavior by setting session.use_cookies to 0 in php.ini . Unfortunately, I do not have access to this file, and I also do not want to violate the behavior of other scripts running on the same server.

Is there a way to disable or invalidate session cookies inside a PHP script?

EDIT:. Since the proposed solutions do not work for me, I used $ _SESSION = array () in positions in the code, where I found that the session must be invalid.

+6
php session
source share
6 answers

err you can override the default settings of your host by creating your own .htaccess file, and here is a great tutorial if you havenโ€™t touched it yet http://www.askapache.com/htaccess/apache-htaccess.html

or if you are too lazy to learn just create a ".htaccess" file (yes, what a file name) in the directory of your sites and put the following code

 SetEnv session.use_cookies='0';
+6
source share

Use ini_set () :

 ini_set('session.use_cookies', '0');

Or in the php.ini file:

 session.use_cookies = 0
+28
source share

You can also set this parameter in .htaccess so that it applies to all scripts, otherwise you need to make sure that the code is called for each request.

Eg.

php_value session.use_cookies 0

+2
source share

If you just need to complete a session at a specific point in time, use session_destroy (). If you want to completely end the session, here the fragment is copied / pasted directly from the documentation:

 // Initialize the session. // If you are using session_name("something"), don't forget it now! session_start(); // Unset all of the session variables. $_SESSION = array(); // If it desired to kill the session, also delete the session cookie. // Note: This will destroy the session, and not just the session data! if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000, '/'); } // Finally, destroy the session. session_destroy();
+2
source share

I am having problems with PHP's documented approach to killing a cookie session.

 // If it desired to kill the session, also delete the session cookie. // Note: This will destroy the session, and not just the session data! if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"] ); }

This caused me to see the cookie twice:

 Set-Cookie: SESSION_NAME=deleted; expires=Sat, 08-Jan-2011 14:09:10 GMT; path=/; secure Set-Cookie: SESSION_NAME=1_4f09a3871d483; path=/

As stated in the PHP comments, setting a cookie value for something other than empty ('') eliminates the โ€œdeletedโ€ value, but the second cookie remains.

To get rid of this, I had to add the code suggested above:

 ini_set('session.use_cookies', '0');

I did not look at the source of session processing, but I think that setcookie (...) bypasses the session module, so the sessions do not know what I called it. This way it sets the cookie by default after I set up the remote cookie.

I tested mac: PHP 5.3.6 with Suhosin-Patch (cli) (built: Sep 8, 2011 19:34:00)

+1
source share

The way to do this is to set up sessions yourself.

In the central include file, which includes all your other files (you have one of them, right?), You need to do a few things already in practical terms.

 if( !array_key_exists('sessionid', $_POST) ) { // recreate the sessionid $sessionid = md5(rand().' '.microtime()); // Or something } else { $sessionid = $_POST['sessionid']; session_id($sessionid); session_start();

Now you should remember that as soon as you run the form, you need to include:

 <input type='hidden' name='sessionid'><?= session_id() ?></input>
-2
source share

More articles:


All Articles