close ad
 
Important WebAssist Announcement
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Clear browser session cookies on logout

Thread began 4/11/2022 6:45 am by Mags | Last modified 4/13/2022 1:31 pm by Ray Borduin | 584 views | 10 replies |

Mags

Clear browser session cookies on logout

Hi Ray, another issue picked up in my client's recent pen test was that "Session cookie was not changed when signing in and out of the application." At the moment it looks like the session cookie is only cleared when you close the browser, but it should clear when the user logs out. I've attached a copy of the login page, can you advise how I would change this?

Another thing they mention is "Session cookie was not validated against the web server database to confirm it was valid" - any idea how I could do this?

Sign in to reply to this post

Ray BorduinWebAssist

Can I get a copy of the logout page? That is the page that I think needs to be updated.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Yes, have attached it here.

Sign in to reply to this post

Ray BorduinWebAssist

Try adding this after line2 on the logout page:

session_destroy();

I think that will clear the session cookie.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Didn't make any difference unfortunately - the PHPSESSID is still saved in the browser after logging out.

Sign in to reply to this post

Ray BorduinWebAssist

Maybe try:

@session_start();
session_regenerate_id(true);
session_destroy();
session_commit();
session_start();



If that doesn't work, then you could try also adding:

if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

I added all the lines and it still doesn't clear the PHPSESSID info. I wonder if this is related to the other issue covered in my other posthttps://www.webassist.com/forums/posts.php?pid=234428 ?

Sign in to reply to this post

Ray BorduinWebAssist

No it isn't related. I'm not even sure why this is an issue that would need to be addressed.

The phpsessid doesn't change? Does it get set to a new value?

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

I've added details in the PM of what the pen test report says in relation to session management. The PHPSESSID doesn't change when I logout - have attached two screenshots of what Chrome lists when logged in, and when logged out - both are identical I think.

Sign in to reply to this post

Ray BorduinWebAssist

For some of the issues you would have to update your php.ini file and add:

php_value session.cookie_httponly 1
php_value session.cookie_secure 1

That should take care of the secure flag and http only flag.

I updated your logout.php page so it clears the old cookie. It wasn't working because it was redirecting and the cookie update happens in the header of the browser. I removed the redirect so the logout page displays and that allows the page to clear the cookie.

Sign in to reply to this post
Did this help? Tips are appreciated...
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...