can't destroy sessions

Bob Bedford
Guest
 
Posts: n/a
#1: Jul 17 '05
I've this code I've included in ALL my pages:

session_cache_limiter('private, must-revalidate');
if(!session_is_registered("ID")){
if(!session_id())
session_start();
$UserID = 0;
if (isset($_SESSION["ID"]) and $_SESSION["ID"] > 0){
showmessage($_SESSION["ID"]);
$UserID = $_SESSION["ID"];
}
}

but not in "logout.php", which is this code:
session_start();
$_SESSION["ID"] = 0;
unset($_SESSION["ID"]);
session_unset("ID");
session_unregister("ID");
session_destroy("ID");
header("Location: index.php");

I can log out without any problem, but when I log in again, any user/pass works,
so I suspect the session is being recreated, as the session ID is always the
same. Where is the problem? Why is the session recreated?

Bob



Erwin Moller
Guest
 
Posts: n/a
#2: Jul 17 '05

re: can't destroy sessions


Bob Bedford wrote:
> I've this code I've included in ALL my pages:
>
> session_cache_limiter('private, must-revalidate');
> if(!session_is_registered("ID")){
> if(!session_id())
> session_start();
> $UserID = 0;
> if (isset($_SESSION["ID"]) and $_SESSION["ID"] > 0){
> showmessage($_SESSION["ID"]);
> $UserID = $_SESSION["ID"];
> }
> }

Hi Bob,

Does that code actually work?

The following part misses {}
> if(!session_id())
> session_start();
> $UserID = 0;


>
> but not in "logout.php", which is this code:
> session_start();
> $_SESSION["ID"] = 0;
> unset($_SESSION["ID"]);
> session_unset("ID");
> session_unregister("ID");
> session_destroy("ID");
> header("Location: index.php");
>
> I can log out without any problem, but when I log in again, any user/pass
> works, so I suspect the session is being recreated, as the session ID is
> always the same. Where is the problem? Why is the session recreated?

Maybe you have session.auto_start = 1 in your php.ini?

>
> Bob

My advice to you would be to redo your code.
I find this the easiest way:
1) leave session.auto_start = 1
This way you don't have to worry about starting sessions, they are always
there.

2) use the following code to check if a user is logged in:
if (!isset($_SESSION["isloggedin"])){
// user is not logged in, send where you want him to go
header("Location: login.php");
exit;
}


3) If a user logs in, you first check the user/pass (against your database I
guess).
So something like this:
if (user/pass is accepted){
$_SESSION["isloggedin"] = "Y";
// and maybe:
$_SESSION["userid"] = <from database>;
}


Regards,
Erwin Moller

Bob Bedford
Guest
 
Posts: n/a
#3: Jul 17 '05

re: can't destroy sessions


> Hi Bob,
>
> Does that code actually work?
>
> The following part misses {}
>
>> if(!session_id())
>> session_start();
>> $UserID = 0;

I only start the session if the session_id isn't set. Why are the {} missing? In
any case I set $UserID = 0;

>>
>> but not in "logout.php", which is this code:
>> session_start();
>> $_SESSION["ID"] = 0;
>> unset($_SESSION["ID"]);
>> session_unset("ID");
>> session_unregister("ID");
>> session_destroy("ID");
>> header("Location: index.php");
>>
>> I can log out without any problem, but when I log in again, any user/pass
>> works, so I suspect the session is being recreated, as the session ID is
>> always the same. Where is the problem? Why is the session recreated?
>
> Maybe you have session.auto_start = 1 in your php.ini?

No, session.auto_start = 0
>>
>> Bob
>
> My advice to you would be to redo your code.
> I find this the easiest way:
> 1) leave session.auto_start = 1
> This way you don't have to worry about starting sessions, they are always
> there.

I can't modify php.ini settings. My provider doesn't allow it!
>
> 2) use the following code to check if a user is logged in:
> if (!isset($_SESSION["isloggedin"])){
> // user is not logged in, send where you want him to go
> header("Location: login.php");
> exit;
> }

It's actually what I'm trying to do when checking if
(isset($_SESSION["ID"])), as this ID should only be created once the
user/pass is valid.
>
> 3) If a user logs in, you first check the user/pass (against your database
> I guess).
> So something like this:
> if (user/pass is accepted){
> $_SESSION["isloggedin"] = "Y";
> // and maybe:
> $_SESSION["userid"] = <from database>;
> }

Actually I set the $_SESSION["ID"] the same way you set your userid. If this
value is 0, then the user didn't log in, otherwise he did.

It seems that every time I do session_start(), the old session is created
again. I can't permanently remove it.

Bob


Theo
Guest
 
Posts: n/a
#4: Jul 17 '05

re: can't destroy sessions


"Bob Bedford" <bedford1@YouKnowWhatToDoHerehotmail.com> wrote in
news:417cfc0e$0$28020$5402220f@news.sunrise.ch:
> I can't modify php.ini settings. My provider doesn't allow it!

None at all? There are many that can normally be set specifically for
your site, by changing them on one of your pages, so it only affects your
site. It will not mess with the php.ini file. An example would be storing
all your session files in one of your own folders, not the host catch-all
(I think that setting is part of it anyway). It's an easy way to check
whether, when you shut down the browser and restart, the original session
file is still there, because you have direct access to them. Check out the
manual.

Also, when you log out, set your session to array(), not 0. Then unset
and destroy it.

Your 'private' header is there for IE mainly; include all of these as
well in your session include file. I don't understand them all, but
several of the validation samples I checked out use them. So when in
Rome.....

// ensure page is not stored in cache, to force reloading every time
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');
header("Cache-control: private"); // fix for IE6.

cheers
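
The logout sequence Theo describes (empty $_SESSION, then destroy the session), written out together with the matching login step. This is an added example, not code posted by anyone in the thread; it assumes PHP 5.4 or later, and the function names logout_and_redirect(), establish_login() and current_user_id() are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Call from logout.php before any output is sent.
function logout_and_redirect(string $target = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // attach to the session we are about to end
    }
    $_SESSION = array();            // drop every session variable at once

    // Expire the session cookie so the browser stops presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();              // takes no arguments; removes server-side data
    header('Location: ' . $target);
    exit;                           // nothing after the redirect should run
}

// Call from the login handler only after the user/pass check has succeeded.
function establish_login(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);    // issue a new ID and delete the old session data
    $_SESSION['ID'] = $userId;      // same key the pages in the thread test
}

// Guard for protected pages: returns the user ID, or 0 when not logged in.
function current_user_id(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return (isset($_SESSION['ID']) && $_SESSION['ID'] > 0)
        ? (int) $_SESSION['ID']
        : 0;
}
```

In current PHP, session_unset() and session_destroy() take no arguments, and session_is_registered() and session_unregister() were removed in PHP 5.4.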