I am working on an online ticket booking system where, after making a successful booking (after payment), I want to clear the session id. But the thing is I am not able to clear it, although I have used session_destroy() to destroy the session.
NB: I have echoed the session_id to check if it's reset or not.
URL: http://7sisters.in/7sislabs/
    function book_final_tickets()
    {
        //var_dump($_SESSION);
        $session_id = session_id();
        $sql = "
            UPDATE
                tbl_seat_book
            SET
                final_book = 'Y'
            WHERE
                session_id = '$session_id'
        ";
        //session_unset();
        if($r = $this->db->executeQuery($sql)){
            if(session_destroy()){
                unset($session_id);
                echo 'Booking successfull';
            }
        }
    }

Instead of
    session_destroy();
I'd rather do only a
    session_regenerate_id(true);
and you will get a new session_id.

session_destroy() alone won't remove the client-side cookie, so the next time the user visits, they'll still have the same session id set (but their server-side session info will have been destroyed).
From the docs (emphasis mine):
You can use session_regenerate_id(true) to generate a new session ID and delete the old one. Note that this will keep all of the information in $_SESSION as part of the new session ID, so you still need to use session_destroy if you want to clear the session info and start fresh.
e.g.
and the headers will show the session ID changing on the client-side:
(You can get away without the setcookie() call here, since you're creating a new session anyway, so the cookie will be overwritten by the new ID, but it's good practice to explicitly destroy the old cookie).

Try this:
Call session_id before session_start, and set session_id manually.
Example 1: same session_id will be used
Example 2: set session_id manually (called before session_start())
(A) != (B), so you can set session_id manually; see http://php.net/manual/en/function.session-id.php for more information.
Another solution: don't use session_id(), just create a new session array:

After destroying the session with session_destroy(), this worked for me:
    setcookie('PHPSESSID',"",time()-3600,'/');
The key for me was setting the path to '/'. That was the only way to really destroy the cookie.
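
The steps the answers above describe (destroy the server-side data, expire the cookie using the path it was set with, then issue a new ID), combined in one function. This is an added example, not code from any of the posts; the function name `reset_session_after_booking` is hypothetical, and the array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper name): end the current session and
 * hand the browser a brand-new session ID. Must run before any output.
 *
 * @return array{old: string, new: string}
 */
function reset_session_after_booking(): array
{
    if (headers_sent($file, $line)) {
        // Cookies travel in headers; once output has started they cannot change.
        throw new RuntimeException("Output already started at $file:$line");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $old = session_id();

    // 1. Drop the data held in memory for this request.
    $_SESSION = [];

    // 2. Expire the browser cookie, reusing the path/domain it was set with
    //    (a mismatched path leaves the original cookie in place).
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }

    // 3. Remove the server-side session data.
    session_destroy();

    // 4. Start an empty session and force a fresh ID. Unless
    //    session.use_strict_mode is enabled, session_start() alone would
    //    re-adopt the old ID still present in this request's $_COOKIE.
    session_start();
    session_regenerate_id(true);

    return ['old' => $old, 'new' => session_id()];
}
```

Call it after the booking UPDATE has succeeded and before echoing the confirmation, since any output sent first will prevent the cookie headers from being changed.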