CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cookie Deletion in PHP5 on IIS6

There are two things going on. The first is that PHP will reject setcookie calls that do not specify the same scope as the cookie being overwritten; in this case, path, expiration, name, value, and secure flag are all set. The second issue is that changes to the user's cookies will not be visible to php until the next reload. The following PHP should work for mod_cosign:

    $service = $_SERVER[ 'COSIGN_SERVICE' ];
    setcookie( $service, "null", time()-1, '/', "", 1 );

echo( "<br /> cosign-cookie: " . $service . " = " . $_COOKIE [ $service ]);

and IIS should be able to use:

    $service = $_SERVER[ 'HTTP_COSIGN_SERVICE' ];
    setcookie( $service, "null", time()-1, '/', "", 1 );

echo( "<br /> cosign-cookie: " . $service . " = " . $_COOKIE [ $service ]);

Of course, all this script will do is change the service cookie payload echoed after each page reload. You also need to print a redirect to the central weblogin server. Here at Michigan that might be:

$central_logout = "";;
setcookie( $_SERVER[ 'COSIGN_SERVICE' ], "null", time()-1, '/', "", 1 );

echo( "<br /> cosign-cookie: " . $service . " = " . $_COOKIE [ $service ]);
/* it's important that there be no output on this page, at least
before this line */
header( "Location: $central_logout" );

I have not tested this on IIS myself, but would be happy to help debug if anything comes up. I hope this is helpful,


On Jul 27, 2005, at 3:49 PM, Christopher Lafty wrote:

Anybody had luck destroying the cosign service cookie with PHP5? I've been trying all day long and I can't seem to remove it with a logout page.

Using phpinfo(), I see the cookie as _COOKIE["cosign- xxx_xxx_xxx_xxx"], but with the web developer toolbar in firefox, the cookie shows up as I am trying to delete both, but still can't.

//get service name, contains "."

//delete the cookie with "."
setcookie ($service, FALSE, time()-1000);

//put in "_" instead of "."
$service1 = str_replace(".", "_", $service);
setcookie ($service1, FALSE, time()-1000);

//output to see if successful
echo "</br>cosign-cookie:" . $_COOKIE[$service];
echo "</br>cosign-cookie:" . $_COOKIE[$service1];

browser output:

cosign-cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXX  ("_" contains the cookie?)

web developer cookie information:
ExpiresAt End Of Session

Am I missing something?

Thanks in advance,
-- ..................................... :: Christopher Lafty :: Computer Support/Web Site Administrator :: Department of Biology :: Pennsylvania State University :: 109 Mueller Lab :: University Park, PA 16802 :: Phone: 814-865-6590 :: chrislafty@xxxxxxx ..................................... !DSPAM: 42e7e57d310441124611809!

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010