How do I delete PHPSESSID on client computers
M

14

30

UPDATE ON THE PROBLEM:

  • On some browsers, we have two PHPSESSIDs.
  • One PHPSESSID is not set by me anywhere in my script
  • It has HOST (instead of DOMAIN for the PHPSESSID I set) as www.mywebsite.com
  • I have tried deleting it using setcookie: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/', 'www.mywebsite.com'); but this fails.
  • An attempt to delete cookie using: setcookie ("PHPSESSID", $_COOKIE['PHPSESSID'], time() - 864000, '/'); results in the PHPSESSID I set being deleted.
  • I have tried using session_name to rename the SESSION I set. This works but crashed my server several times after some minutes.
  • I am out of options.

I am working with PHP sessions on my website.

The session path was /folder, later on I changed to / to fit the new purpose.

Now, old users can't login.

It seems they now have two PHPSESSIDs stored on their browsers - one with path /folder and the other /.

What can I do to ensure that old users can login while ensuring that the session is sitewide with "/".

MORE INFORMATION

When I said two phpsessionid, refer to the image

[image: the two PHPSESSID]

  1. The login works if I use

A. session_set_cookie_params(864000, '/cv', '.website.com', 0, 1);

but fails to work if I use:

B. session_set_cookie_params(864000, '/', '.website.com', 0, 1);

  • If I use Version 2A above, the session will only be available in /cv and not be available in other website folders eg. /folder.

UPDATE ON DELETING PHPSESSID WITH JAVASCRIPT

  • When I run alert(document.cookie), it shows all cookies except the PHPSESSID
  • Hence all attempts to delete the PHPSESSID cookie fails, whereas other cookies can be deleted.

UPDATE ON DELETING PHPSESSID WITH PHP

  • When I var_dump($_COOKIE['PHPSESSID']); what is returned is the value of the PHPSESSID with path /cv
  • An attempt to delete with setcookie ("PHPSESSID", "", time() - 3600); fails.
Missive answered 4/11, 2015 at 9:24 Comment(10)
I would just simply log everyone out and assign the new session for the users since the damage has already been done. - Dunderhead
How will this delete one of the SESSIONIDs already stored on the client's computer? It seems it continually picks the first and the old SESSIONID to work with. - Missive
since everyone will start fresh so assume they will automatically pick the newer session, just my thought - Dunderhead
You could go through the process of adding a few lines of code to manually saving the session data in a new custom folder (using session.savepath, etc), so the standard session data in /cv can be manually saved in / with an include for instance, but this is a big hassle for something that you should just let people re-login, as their sessions will expire when their browser closes anyway.... they're not the same as cookies - Corm
I have set the session location, but this does not solve it. The sessions persist even after the browser has been closed. - Missive
AFAIK, PHPSESSID is just a cookie whose sole purpose is to identify the current session. When you start the session, PHP automatically sends this cookie to the client and uses its value to identify which $_SESSION data belong to this client. Since you now configured your PHP to use a cookie with / path, I believe the cookie with /cv path should get deliberately ignored. Even if not, you can simply unset it if it's present. It should then never again be created. - Vehemence
Does $_SESSION = array(); session_destroy(); not affect it? - Intensify
Can you pls explain how your login works and how it relates to the session_id ? - Blois
@OguguaBelonwu Pls check my answer and let me know if you are successful to delete the SESSIONID. I was successful while testing. - Blois
I use PHP's start_session(); in my website which stores a cookie called PHPSESSID with the value being some hexadecimal number. This cookie is readable by JS (my self-made cookie editor can show it) but any attempt to change it just creates a second one with the same name which has the changes, so when trying to expire it there's effectively no change. Is that the same problem you have? Also, I can't find PHPSESSID in cookies.sqlite in my Firefox profile, so I have literally no clue how to get rid of it. - Saturninasaturnine
T
16

I think you are mixing up things or you should go into more detail about your setup/problem.

PHP's session path is the location where session data is stored on your server, not the client. See the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.save-path

You can move these files and replace/keep in case of collisions how you see fit. This is pretty much only restricted by read/write-permissions you have when accessing/moving stuff and your webserver-user (e.g. apache or nginx) or php-user has for reading/writing them from/to the new location.

If by "PHPSESSID in their browser" you mean the session id is part of your urls, that is a different PHP-setting, that should be disabled anyway, see notice in the documentation: https://secure.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid

edit based on your updated question:

There already is a nice JS-based solution for expiring the old cookie. I would go with that. If you can't just do that, you could do a redirect to /cv, have a PHP script there that reads the cookie and stores the data somewhere (a database for example based on the user_id) and expire the cookie. Then you can redirect to the old page, look for the "/"-cookie and restore the data. It's a very ugly hack, but I don't think you can get the cookie for each path in PHP, since it's server side and based on the session id provided by the client (but I might be wrong).

Tungting answered 4/11, 2015 at 10:52 Comment(1)
Session path as stated in question is not about session physical location, but about session cookie ("Path on the domain where the cookie will work. Use a single slash ('/') for all paths on the domain."). see php.net/manual/en/function.session-set-cookie-params.php - Dollar
M
6

I would simply expire the cookie from /folder. This should leave you with only one session cookie for /

setcookie('PHPSESSID', '', time() - 86400, '/folder/');
Multifoliate answered 6/11, 2015 at 23:4 Comment(0)
D
6

You can change the cookie name for your new session using session_name() before session_start() and let the problem solve itself in a few days.

session_name("SESSION_ID");
session_start();
Dispenser answered 11/11, 2015 at 15:18 Comment(7)
Read guidelines and then answer. - Temporize
You are having more than 50 reputation why you are unable to comment ?? - Temporize
Your answer is very good. I think the fact that you are presenting it as a question is the problem @PrafullaKumarSahu is evocating. You should edit your answer in order to make it an affirmative answer (not a question) and give an example - Melee
This is a very good solution but it crashes my server. It seems that some browsers set a PHPSESSID immediately the website is opened and my session.auto_start is 0. This PHPSESSID has "HOST" as "www.website.com". This now conflicts with the PHPSESSID I set. - Missive
The goal of this method is to use another name for the session. If you named it "SESSION_ID" instead of "PHPSESSID", you can't have any conflict including any previously opened session with another session name. - Melee
@Melee This solution solves the problem but crashes my server. - Missive
@OguguaBelonwu How crashes? Server meaning your php process, your webserver or the operating system? Is there any log? - Dispenser
P
4

You have to remove a cookie on the client side. This is possible with javascript.

Try this javascript on your site:

<script type="text/javascript">
     document.cookie = "PHPSESSID=;Path=/cv;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
</script>

An example:

For this example I use the site https://developer.mozilla.org/en-US/.
If I load this site, on the cookies there are the following entries: [image] Now I want to remove the cookie with name dwf_section_edit. To delete this cookie I set the expire date to the past. After I execute

document.cookie = "dwf_section_edit=;Path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT;";

on the console, the cookie is gone, as you can see in the following image (I used the little refresh button on the bottom left of the table because it is only temporary in this example)

[image]

On the next reload I get the cookie again in this example, because Mozilla gives it back to me. On your site you don't have to create the old cookie again, and all is fine.

Perkoff answered 6/11, 2015 at 13:1 Comment(2)
When I run alert(document.cookie), the PHPSESSID cookie is not listed. Since the PHPSESSID is not listed, the delete cookie does not delete the PHPSESSID cookie. Whereas, the PHPSESSID can still be seen in the console. - Missive
If it is not listed it means it is not there :) - Raylenerayless
D
2

I guess your script does not know, which session should be accessed upon session_start();

Try to specify correct path for session using

ini_set('session.cookie_path', '/');

or

session_start(['cookie_path' => '/']);

depending on your setup

If that does not help, I would suggest using session_regenerate_id() that will replace the current session id with a new one, and keep the current session information.

Dollar answered 6/11, 2015 at 12:42 Comment(0)
P
1

The solution will be to let users go to the /folder path for the duration of the session expiry time. On this path, make a PHP script for copying ALL COOKIES from the /folder to the / path by using the setcookie function (http://php.net/manual/ro/function.setcookie.php)

$expire = time() + 864000; // cookie lifetime used in the question
foreach ($_COOKIE as $key => $value) {
    setcookie($key, $value, $expire, "/");
}
// redirect to "/" now. User will be able to login.

Additional explanation: cookies are tied to path and domain, it's important (and by default it's /, but it seems not in your case). So PHPSESSID from a subpath (like /folder or /me) is not accessible from the parent. And they propagate from parent to child. So cookies from /me are the same as for / with there not assigned explicit.

Printery answered 6/11, 2015 at 14:23 Comment(0)
T
0

If you send manually the header with new expiring date for desired path, the client should remove it.

session_start();
header("Set-Cookie:PHPSESSID=".session_id()."; expires=Sat, 07-Nov-1999 14:58:07 GMT; path=/cv/");

The first time, you have the old cookie path, but from the second page call only the cookie in path / will be stored and transmitted.

You can send this header when you know if the client is affected by this problem or having this for some month.

Tetanus answered 6/11, 2015 at 15:24 Comment(0)
R
0

Yeah, you need to set the cookie time to a negative value so the browser can delete it; in addition we set the stored value to empty string which also helps to delete the same cookie...

This (at the top of your page) would do, just be sure to session_start() first:

setcookie('PHPSESSID', '', -3600, '/cv');

This works flawlessly on all my domains, I had this problem once.

Radiograph answered 9/12, 2015 at 20:54 Comment(0)
E
0

You can remove it by setting it with a previous time for it to expire:

setcookie('PHPSESSID', 'value', time() - 1); // cookie names are case-sensitive
Enlarger answered 10/12, 2015 at 10:56 Comment(0)
L
0

Just provide the 4th argument when calling setcookie function :

setcookie ("PHPSESSID", "", time() - 3600, '/');

Explanation

The 4th argument of the setcookie() function is $path of the session to be set. And for this, "The default value is the current directory that the cookie is being set in.". (See: http://php.net/manual/en/function.setcookie.php.) So if you are calling this function from a file located in folder "/folder", it will try to delete a cookie from that folder only. By setting the $path to "/" we are telling the function to delete the session_id from the root directory.

I have tested it and it deleted the PHPSESSID from the cookie successfully.

Labrador answered 10/12, 2015 at 12:22 Comment(0)
A
0

It is mentioned here, though Use of session_register() is deprecated and Use of $_SESSION is preferred : -

If session_start() was not called before this function is called, an implicit call to session_start() with no parameters will be made. $_SESSION does not mimic this behavior and requires session_start() before use.

Then, using $_SESSION , append a JSON file with Auth=True, with TimeOut=20 minutes.
Whenever, user logs out or after timeout, set Auth=False. Then, read that JSON file using PHP and

Then, if Auth=False, create JS using PHP that OnLoad event, document.cookie = 'PHPSESSID' + '=;expires=Thu, 01 Jan 1970 00:00:01 GMT;';

Antiar answered 10/3, 2018 at 6:59 Comment(0)
F
0

You can try this. It works for me.

    if (isset($_COOKIE['PHPSESSID'])) {
        unset($_COOKIE['PHPSESSID']);
        setcookie('PHPSESSID', '', -1, '/');
    }
Featherstone answered 9/7 at 15:56 Comment(0)
C
-1

Let's go back to basics - Here is something that I believe you should try: Run your site. Keep a note of PHPSESSID. Then close the browser completely, open the browser again, and then run your site. Check the PHPSESSID and see if it is the same.

If it is not the same then it is not a cookie but a Session ID specific for the browser session. Second, if the PHPSESSID is the same as set the first time then it is a cookie and you 'will' be able to delete any key=>value pair set to the cookie resources. Maybe you are referencing something wrong in the JS or PHP code.

Please try this and revert with results. It will give a lot more clarity. Sessions, LocalStorage, IndexDB, Cookies all are different things and referenced differently.

Clinandrium answered 8/12, 2015 at 9:46 Comment(6)
Thanks Gary. Normally, I do not experience the problem on my computer and as you directed, the PHPSESSID changes each time I close the browser and reopen on my computer. On some other computers and browsers it maintains two PHPSESSIDs instead. - Missive
Technically, there cannot be two same key=>value pairs registered in a browser cookie resource area. I have seen these kinds of issues with JS variables in browser memory due to lazy garbage collection methods of browsers. But not in case of cookies, since garbage collection should not make a difference to cookies. Sessions are destroyed immediately when tab/browser closes. Garbage collection may also not impact Sessions since they are destroyed - not sure though. - Clinandrium
Sessions are destroyed when every tab/browser is destroyed whereas cookies are not. There is an option clear cache/cookies when browser closes. Remove that, and then 1) close the tab and see results and 2) close the browser and see results. Check whether it is a session or cookie. The point that it does not show PHPSESSIDs in js cookie lists hints toward setting of sessionid and not cookie. - Clinandrium
If it is a cookie, you will be able to manipulate it as above from js or php setting the cookie to null (or change the expiry date to previous date). - Clinandrium
Don't forget your PHPSESSID is being set at '/cv' and '/' so they are not the same cookies (if they are not cookies reflecting sessions and copying the id from sessionid). - Clinandrium
Can you also put the complete code of setting and removing the sessions/cookies please? That should be the problem. Do also try the session_regenerate_id since your cookies are not being deleted (and seems they are storing your sessionid in cookies) after session_destroy and see if it works. Was researching when I came across these. The second one might help, #15568380 and deleting a cookie #2242269 - Clinandrium
L
-2

You cannot Delete Cookie of Client Browsers

First thing you have to understand is that you cannot delete the COOKIES on client systems by any means. When you invalidate it, the browser doesn't delete it, but makes the cookie invalid. The cookie is still there on the client's system. But the browser just ignores it. In order to delete it the client must do it themselves.

To invalidate all sessions you can use

session_start(); // initialize session
session_destroy(); // destroy session
setcookie("PHPSESSID","",time()-3600,"/"); // delete session cookie

or javascript code:

document.cookie = "PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/;host=localhost";

In every case you can't delete a cookie set by browsers. As PHP and javascript can only issue commands to invalidate the already set cookies present.

Only Way to Delete Cookie

  • By the client himself.

  • Direction to flush cookies and cache

  • Uninstall the browser and then Re-Install it.

Recommendations to Achieve Purpose

Create a new php script and insert it on the top of login.php and in this script you check whether there are two PHPSessionId and if there are two then destroy all of them and reload the page. Until you reload the last cookie used before any event would be in-session. You must reload the page or redirect use:

Removing two PHPSESSID

 $count = 0;

 foreach ($_COOKIE as $key => $value) {
    if ($key == "PHPSESSID") {
       $count++;
    }
 }
 if ($count > 1) {
    // Destroy all cookies here
    foreach ($_COOKIE as $key => $value) {
          setcookie($key, "", time() - 3600, "/");
    }

    // Reload/redirect the current page to dispose of all things
    header("Location: " . $your_url);
    exit(0);
 }

Now there would be only 1 session of PHPSESSID in every case

Literary answered 8/12, 2015 at 8:15 Comment(7)
I put the code to invalidate all SESSIONS in the login.php. Ordinarily, for the login.php to run till the place I inserted the code, it means that you are not logged in. But it seems the browser generates a new SESSIONID each time and am unable to login. - Missive
PHPSESSID is the default cookie it would be generated by PHP for every new session request. PHPSESSID cookie is not created by Browser. What really you want to achieve - Literary
On some clients' computers we have two PHPSESSIDs and they cannot login. - Missive
Hope this would resolve the issue of two PHPSESSID's - Literary
Let me know if the things are not successful - Literary
Your code only expires cookies in the / path. The question states he has cookies in other subfolders as well - Multifoliate
Ya i have suggested a way but he has walk on that by himself - Literary
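
Detecting the duplicate server-side and expiring each legacy path/domain variant, as an added example that is not code from any post in this thread. It assumes the legacy paths `/folder` and `/cv` and the domain `.website.com` from the question; `/login.php` and the `cookiefix` marker are hypothetical names.

```php
<?php
// Added example, not code from the thread. Include before session_start().
// Assumed from the question: legacy paths '/folder' and '/cv', domain
// '.website.com', current cookie path '/'. '/login.php' and 'cookiefix'
// are hypothetical names.
const COOKIE_NAME    = 'PHPSESSID';
const LEGACY_PATHS   = ['/folder', '/cv'];
const LEGACY_DOMAINS = ['', '.website.com'];   // '' = host-only (no Domain attribute)

// $_COOKIE holds one value per name, so duplicates are only visible in the
// raw Cookie request header.
function countCookie(string $rawHeader, string $name): int
{
    $count = 0;
    foreach (explode(';', $rawHeader) as $pair) {
        [$key] = explode('=', trim($pair), 2);
        if ($key === $name) {
            $count++;
        }
    }
    return $count;
}

// A stored cookie is only replaced when name, domain and path all match,
// so build one expiring Set-Cookie value per (domain, path) combination.
function expiryHeaders(string $name, array $paths, array $domains): array
{
    $headers = [];
    foreach ($domains as $domain) {
        foreach ($paths as $path) {
            $value = "$name=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; Path=$path";
            $headers[] = $domain === '' ? $value : "$value; Domain=$domain";
        }
    }
    return $headers;
}

// Done in a response header because the question's cookie is set with
// httponly = 1, which hides it from document.cookie.
$sent = countCookie($_SERVER['HTTP_COOKIE'] ?? '', COOKIE_NAME);
if ($sent > 1 && !isset($_GET['cookiefix'])) {
    foreach (expiryHeaders(COOKIE_NAME, LEGACY_PATHS, LEGACY_DOMAINS) as $value) {
        header('Set-Cookie: ' . $value, false);   // false: append, keep earlier Set-Cookie headers
    }
    // Fixed target (no user input) and a one-shot marker to prevent a redirect loop.
    header('Location: /login.php?cookiefix=1');
    exit;
}
```

The check only fires on requests under a legacy path, since that is where the browser sends both cookies; the cookie on `/` is left untouched.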
