
Deleting a PHP cookie upon user logout

I started creating a login system which utilised cookies for a "remember me" feature. All is working fine; however, I am having trouble deleting the cookie upon user logout.

If a user does not check the "remember me" box and logs in successfully, i.e. does not create the cookie, the logout function works as expected and loads the login box.

If they don't do the latter and the user clicks the logout button the cookie remains and it shows they are still logged in.

If someone could shine some light as to why the cookie won't delete I would be very grateful.

Below is the code I am using:

PHP code that runs after a user tries to log in:

// If the form has been submitted
if(isset($_POST['login'])):

    // Protect from unwanted code/string context
    $username = strip_tags(addslashes(trim($_POST['username'])));
    $string = strip_tags(addslashes(trim($_POST['password'])));
    $remember = strip_tags(addslashes(trim($_POST['remember'])));

    // Pass the returned variables from functions to local versions
    $password = salting($string);   // Salt Password Preparation
    $link = db_connect();           // DB connection

    // Connect to the database and try to find a login match
    $result = mysqli_query($link,"SELECT * FROM web_users WHERE username='".$username."' AND password='".$password."'");
    $row    = mysqli_fetch_object($result);

    // Create erroneous results if submitted data is invalid
    if (mysqli_num_rows($result) !== 1):
        $errmsg[0] = "Invalid Username or Password, please re-try";
    endif;

    $e_login = serialize($errmsg);

    // If validation passes then continue
    if (!$errmsg):
        // Increment the login_count field by 1
        $row->login_count++;
        $count = $row->login_count;

        // Retrieve the date for admin purposes
        $date = date('Y-m-d-h:i:s'); // Y=year (4 digits) m=month (leading zero) h=hour i=minutes s=seconds

        // Salt Password Preparation
        $string = session_id();
        $login_id = salting($string);

        // Connect to the database and update the related row
        $update = mysqli_query($link,"UPDATE web_users
                                      SET login_count='".$count."',
                                          login_last='".$date."',
                                          login_id='".$login_id."',
                                          logged='1'
                                      WHERE id='".$row->id."'")

                                      or die(mysqli_error($link));

        // Create a multi-dimensional session array
        $_SESSION['login'] = array('user'       => $row->display_name,
                                   'id'         => $row->id,
                                   'user_level' => $row->user_level);

        if($remember == 1):
            setcookie("login_user",session_id(),time() + (86400*7)); // 604800 = 1 week
        endif;

        // Free the memory and close the connection
        mysqli_free_result($result);
        mysqli_close($link);

        // Take the user to the successive page if no errors
        header("location: /");
    endif;
endif;

HTML code to create the logout element:

<a href="/logout" title="Logout">
    <img src="<? echo ASSETS . IMAGES . ICONS . GENERAL; ?>logout.png" alt="User Logout">
</a>

PHP code that runs when a user logs out:

function logout() {
    // Load the db connect function to pass the link var
    $link = db_connect();

    if(is_array($_SESSION['login'])):
        // Update the logged field to show user as logged out
        $update = mysqli_query($link,"UPDATE web_users SET logged='0' WHERE id='".$_SESSION['login']['id']."'") or die(mysqli_error($link));

        // Free the memory and close the connection
        mysqli_free_result($update);
        mysqli_close($link);

        // Unset all of the session variables.
        $_SESSION = array();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if(isset($_COOKIE[session_name()])):
            setcookie(session_name(), '', time()-7000000, '/');
        endif;

        // Finally, destroy the session.
        session_destroy();

        // Take the user to the successive page if no errors
        header("location: /");
    endif;
}

The user, when logged in to your site with the remember me checkbox, will have two cookies: the session cookie, by default PHPSESSID, and the remember me cookie, login_user. In order to remove the session, you just remove the session cookie with this code:

    if(isset($_COOKIE[session_name()])):
        setcookie(session_name(), '', time()-7000000, '/');
    endif;

The issue is that, aside from that, you need to unset the remember me cookie, with the following code.

    if(isset($_COOKIE['login_user'])):
        setcookie('login_user', '', time()-7000000, '/');
    endif;

To delete a cookie, you should set the expiration date in the past:

setcookie('login_user', '',time() - 3600);

You have this rule, but you explicitly add the path parameter although you have NOT used the path when setting the cookie; this might be the problem.

I would hazard a guess that your code

 if(isset($_COOKIE[session_name()])):
      setcookie(session_name(),'',time()-7000000,'/');
 endif;

is your problem. Most likely the isset is returning false. I would remove it from the if statement if possible.

Also, as mentioned below in the comments: did you use session_start()? There is no reference to it in your code above. This would cause session_name() to return empty.
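The points raised in the answers above (expire login_user as well as the session cookie, and use the same path on delete as on set), combined in an added example that is not code from the question or from any of the answers. It assumes PHP 7.3+ for the options-array form of setcookie() and a site served over HTTPS; REMEMBER_COOKIE and the three function names are hypothetical.

```php
<?php
// Added example: build the remember-me cookie's attributes in one place so
// the delete call always matches the set call. The cookie name comes from
// the question; the constant and function names are hypothetical.
const REMEMBER_COOKIE = 'login_user';

function remember_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',    // explicit, so it never defaults to the request's directory
        'secure'   => true,   // assumption: HTTPS-only site
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

function set_remember_cookie(string $token): void
{
    // One week, as in the question's login code.
    setcookie(REMEMBER_COOKIE, $token, remember_cookie_options(time() + 86400 * 7));
}

function logout_cookies(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();      // session_destroy() needs an active session
    }
    $_SESSION = [];

    // Expire the session cookie with the path/domain/flags PHP set it with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);

    // Expire the remember-me cookie unconditionally, with matching attributes.
    setcookie(REMEMBER_COOKIE, '', remember_cookie_options(time() - 3600));
    unset($_COOKIE[REMEMBER_COOKIE]);   // hide it for the rest of this request too

    session_destroy();
}
```

Both functions must run before any output is sent, because setcookie() only works while headers can still be modified.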
