I am trying to figure out the proper way to completely log out any current Users.
I have a Registration Form, and before I start working with the $_SESSION variable for the person registering on my website, I want to be 100% certain that any $_SESSION variables on the server or any Session Cookies that might be leftover on the current User’s computer are erased, so nothing gets cross-pollinated!!
I have been looking at the PHP Manual, but there seem to be a couple of functions and approaches, and I’m not sure what the correct way to do things is?!
(Security and privacy are really important to me, and since my website will also have an e-commerce module, I need to make sure I understand the right way to go about logging out Members so no one gets hurt!!)
All you should need to do is just destroy the session. If the browser can’t find the session ID on the server, the browser can’t do anything with a session (and session token) that no longer exists.
As for cookies, are you setting an expiration on them when you use [I]setcookie()?
[/I]To kill a cookie entirely, set the expiration date for yesterday.
So, everything together:
setcookie("mycookie", "", time()-3600);
Remember, this is for a Registration Form, so the following needs to happen…
1.) Destroy any existing Session Variables on the server
2.) Destroy any existing Sessions on the server
3.) Destroy any Session Cookies on the client
4.) Create a new Session for the person Registering
5.) Store necessary data in Registering User’s Session to complete Registration.
I’m not sure if I have to start a session, kills a session, and then start a new session all in the same script or what?!
What I have now seems to work, but logically when I read it it doesn’t make sense. (I can post it here if that helps?!)
So I figured I better ask the experts for help (again)!!
I’m just curious, I know my registration system a new user doesn’t get his/her information placed into $_SESSION[‘user’], so that person isn’t logged into the system in the first place.