I have a logout script for my web app which is the following:
```php
<?php
session_start();
require_once("config.php");

// Open a database connection with the credentials from config.php
$logout_connect = mysql_connect($db_host, $db_user, $db_pass);
if (!$logout_connect) {
    die('Impossibile connettersi: ' . mysql_error());
} else {
    mysql_select_db($db_name, $logout_connect);

    // Remove the user's recent ratings and the stored session row
    mysql_query("DELETE FROM valutazioni_recenti WHERE idutente = '" . $_SESSION['userid'] . "' ");
    if (mysql_query("DELETE FROM sessions WHERE ssnid = '" . $_SESSION['ssnid'] . "' AND userid = '" . $_SESSION['userid'] . "'")) {
        // Clear server-side session data and destroy the session
        $_SESSION = array();
        $session_id = session_id();
        session_destroy();
        mysql_close($logout_connect);
        header("location: login.php?logout");
        exit();
    }
}
?>
```
It logs the user out correctly, but since I save session data in a DB on login and delete it on logout, I can see that if I log in with a session id like "096c02aefbb34jd175bfa89d4ec1235", when I log out and log in again it gives the same session id to that specific user. Is this normal? Is there a way to change it? Do I just have to mix it (or md5 it) with the login time?
You are missing something in your logout code: the cookie values stored in the user's browser. The PHP function session_destroy() doesn't delete the user's cookies; you have to unset them manually by setting the expiry time to a past date or time.

```php
setcookie("TestCookie", "", time() - 3600); // sets the expiry time one hour back
```

So if you don't unset the user's browser cookie, it will take the same session id every time you make a new login.
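A logout that expires the session cookie with the same parameters it was set with, paired with a login step that regenerates the id, as an added example that is not the asker's or answerer's code; the function names are assumptions and it assumes PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example: clear server-side session state, expire the session cookie,
// and issue a fresh id on login so a user never keeps the same session id
// across logins (the standard mitigation against session fixation).

function logoutSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Drop all server-side session data.
    $_SESSION = [];

    // session_destroy() leaves the cookie in the browser; expire it explicitly
    // with the parameters it was created with, otherwise the browser keeps
    // sending the old id and the next session_start() simply reuses it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

function loginSession(int $userId): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Regenerate the id on privilege change and delete the old session file,
    // so an id that was known before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
    return session_id();
}
```

Because loginSession() regenerates the id, the value returned after a fresh login differs from the one the browser presented before logging out.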