I've configured WAMP on my system, and am doing the development cum testing in this local environment. I was working on the logout functionality, and happened to notice that the session IDs being generated are the same within the browser.
E.g., Chrome always generates session id = abc for all users, even after logging out and logging in; IE always generates session id = xyz for all users.
Is this an issue with WAMP / my test environment?
Please find below my logout PHP script:
<?php
session_start();
$sessionid = session_id();
echo $sessionid;
session_unset();
session_destroy();
?>
session_unset() and session_destroy() do not delete the session cookie. You have to manually unset it with a setcookie() call.
session_unset is the converse of session_register(), and session_destroy simply cleans out $_SESSION without affecting the cookie.
You probably still have the cookie with the old session ID in it as neither session_unset nor session_destroy deletes that cookie:
So use setcookie to invalidate the session ID cookie after logout:
Another recommendation is to regenerate the session ID after successful authentication using session_regenerate_id(true).
Will work. Please try this
Taken from http://php.net/manual/en/function.session-destroy.php
To stop session hijacking follow the below code in PHP
You must regenerate the session id using the function session_regenerate_id(). Without that, the session ID would be the same between page refreshes.
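
The advice in the answers above (expire the session cookie on logout, regenerate the ID after authentication), combined into one sketch. This is an added example, not code posted by anyone in the thread; the function names end_session() and begin_authenticated_session() and the 'user_id' key are hypothetical.

```php
<?php
// Added example (not from the original thread). Function names are hypothetical.

/** Logout: clear server-side data AND expire the browser's session cookie. */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // attach to the session named by the cookie
    }
    $_SESSION = [];                 // drop all session variables for this request

    if (ini_get('session.use_cookies')) {
        // The expiring cookie must use the same path/domain as the original;
        // otherwise the browser keeps the old cookie and resends the same ID.
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }
    session_destroy();              // remove the server-side session data
}

/** Login: call only after the credentials have been verified. */
function begin_authenticated_session(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh ID for the authenticated session; passing true also
    // deletes the old session data, so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // assumed key name
}

// Usage (assumed file layout):
//   logout.php -> end_session();
//   login.php  -> begin_authenticated_session($id) after the password check.
```

With only session_unset() and session_destroy(), as in the question's script, the browser still holds the old cookie, so the next session_start() reuses the ID it carries unless session.use_strict_mode is enabled.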