why is php generating the same session ids everytime in test environment (WAMP)?

Question

i've configured wamp in my system, and am doing the development cum testing in this local environment. i was working on the logout functionality, and happened to notice that the session ids being generated are same within the browser.

Eg - chrome always generates session id = abc, for all users even after logging out and logging in; IE always generates session id = xyz, for all users.

Is this an issue with wamp/ my test environment?

please find below my logout php script -

<?php
session_start();
$sessionid = session_id();
echo $sessionid;
session_unset(); 
session_destroy(); 
?>

Answer 1

You probably still have the cookie with the old session ID in it as neither session_unset nor session_destroy deletes that cookie:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

So use setcookie to invalidate the session ID cookie after logout:

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Another recommendation is to regenerate the session ID after successful authentication using session_regenerate_id(true) .

Answer 2

Will work. Please try this

session_start(); 
session_regenerate_id(TRUE); 
session_destroy(); 

Answer 3

You must regenerate the session id using function session_regenerate_id() . Without that, the session ID would be the same between page refreshes.

Answer 4

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Taken from http://php.net/manual/en/function.session-destroy.php

Answer 5

session_unset() and session_destroy() do not delete the session cookie. You have to manually unset it with a setcookie() call.

session_unset is the converse of session_register() , and session_destroy simply cleans out $_SESSION without affecting the cookie.

Answer 6

from the manual (session_destroy):

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Unless you specifically unset the cookie, then the cookie will still exist and the next time session_start() is called, it will use that as the session id. Closing the browser also should clear the cookie because they are generally set by php to expire on browser close.

Answer 7

To stop session hijacking follow the below code in PHP

    session_start();

    /* to stop session hijacking */

    // Generate new session without destroying the old one
    session_regenerate_id(false);

    // Fetch current session ID and close both sessions to allow other scripts to use them
    $newSession = session_id();
    session_write_close();

    // Assign session ID to the new one, and start it back up again
    session_id($newSession);

    session_start();