Question

I have a webpage that switches to HTTPS upon login and back to HTTP upon logout. To enhance security, the session cookie is set to secure (HTTPS) upon login. My logout page is pretty standard, having the following code:

<?php
session_start();

// Drop all session data held in memory for this request.
$_SESSION = array();

// Expire the session cookie using the same attributes it was set with.
$params = session_get_cookie_params();
setcookie(session_name(), "", time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);

// Remove the session's server-side storage.
session_destroy();
require("/var/www/include/logout_success.php");

I didn't think much about the implications until recently when I started to look at the response headers. It now appears to me that calling session_start() when the page switches back to HTTP creates a new session cookie that overrides the secure cookie.

This means that setcookie and session_destroy might be acting upon the new session instead of the old one. I am more concerned that the old session data residing on my server may not be properly destroyed.

In this case, how does one go about coding the HTTP logout page to ensure that the old session data is really destroyed?


Solution

Instead of doing a require to include the "logout success" content, do a Header("Location: http://domain/path-to-logout-success.php").

Once the HTTPS negotiation has occurred, you can't set a cookie for the "other" protocol. Only once the user's browser requests the "other" protocol can you set a cookie for it.
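A logout handler along the lines of this answer, as an added example (not code from the question or the answer): it is served over HTTPS so the browser actually sends the Secure session cookie, destroys that session on the server, and then redirects to the HTTP "logged out" page instead of including it. The two URLs are placeholders.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumed placeholders: https://example.com/logout.php (this script) and
// http://example.com/logout_success.php (the plain-HTTP success page).

// Refuse to run over plain HTTP. Without TLS the browser withholds the
// Secure cookie, session_start() would open a fresh empty session, and
// session_destroy() would remove that one while the real session data
// stayed on the server until garbage collection.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['SERVER_PORT'] ?? null) == 443);
if (!$isHttps) {
    header('Location: https://example.com/logout.php', true, 302);
    exit;
}

// Now the Secure cookie is present, so this resumes the logged-in session.
session_start();

// Clear the in-memory session data for this request.
$_SESSION = array();

// Expire the cookie with exactly the attributes it was set with at login,
// otherwise the browser treats it as a different cookie and keeps the old one.
$params = session_get_cookie_params();
setcookie(
    session_name(),
    '',
    time() - 42000,
    $params['path'],
    $params['domain'],
    $params['secure'],
    $params['httponly']
);

// Delete the server-side session record for the resumed (real) session.
session_destroy();

// Redirect rather than require(): the destroy and the expiring Set-Cookie
// header go out on this HTTPS response, and the success page is then
// fetched as an ordinary HTTP request with no session involved.
header('Location: http://example.com/logout_success.php', true, 303);
exit;
```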

Licensed under: CC-BY-SA with attribution