Logout script not clearing $_session variables

aaron4osu · April 17, 2012, 1:24pm

I’m trying to use this php to clear out the session variables and return to the index page. However it’s not clearing them out. Any ideas?

logout.php


<?php
	session_start();
        unset($_SESSION['user_id']);
        unset($_SESSION['username']);
	session_destroy();
	header("Location: http://aaronhaas.com/pitchshark6/index.php?vid_id=1");
?>

then in my navigation I’m using this code to either display their username and a logout link to logout.php or if they are not logged in display a sign in link.


<?php
         // if logged in
	if (isset($_SESSION['user_id']))
	{
		// display
		echo "<a href='#'>".$_SESSION['username']."</a>&nbsp; &nbsp;";
		echo "<a href='scripts/logout.php'>Log Out</a>&nbsp; &nbsp;";
	}
        // if not logged in
	else
	{      // display login link
		echo "<a href='login.php'>Sign In</a>";
	}
?>

here is my super simple login script


$username = $_POST['username'];
$password = $_POST['password'];
			
//Check if the username or password boxes were not filled in
if(!$username || !$password){
	//if not display an error message
	echo "<center>You need to fill in a <b>Username</b> and a <b>Password</b>!</center>";
}else{
	// find user by username and password - working
	$userQuery = 'SELECT * FROM users WHERE user_name ='.'"'. $username.'" AND password='.'"'. $password.'"' ;
	$users = mysql_query($userQuery);

	$user = mysql_fetch_array($users);
	$_SESSION['user_id'] = $user['user_id'];
	$_SESSION['username'] = $user['username'];
	header("Location: http://aaronhaas.com/pitchshark6/index.php?vid_id=1");
	
	}

KyleWolfe · April 17, 2012, 3:50pm

Are you positive it is actually not clearing those session variables or is it possibly anothe rportion of your script that is failing. Do an echo of the session variables at the end of each script to make sure.

O-H!

jestep · April 17, 2012, 7:32pm

Make sure you have all error reporting on.

I would use:

session_start();
unset($_SESSION);

if (ini_get(“session.use_cookies”)) {
$params = session_get_cookie_params();
setcookie(session_name(), ‘’, time() - 42000,$params[“path”], $params[“domain”],$params[“secure”], $params[“httponly”]);
}

session_destroy();

system · April 18, 2012, 12:06pm

Put session_destroy(); at the right position after checking the result means checking all variable by echo and die.