0

A logon credentials cookie is being created by an ASP script on our server. In a different directory, we have PHP scripts that need to access just the username from this cookie, which it does successfully. The problem is, when you click the logout button, which takes the user to logout.php, the cookie isn't being destroyed. My page comes up telling the user that they're logged out of course, but I have a test link on the page to take you back into the main index.php, which you shouldn't see content on unless you're logged in, but you still do. Using Firecookie I can see that the cookie isn't destroyed when logout.php is finished loading. I've tried the usual methods with no luck so far.

<?php 
session_start();
session_unset();
session_destroy();
unset($_COOKIE["creds"]);
setcookie("creds", "", time()-3600);
?>

Any ideas?

2 Answers

1

When you call setcookie() to delete a previously set cookie you need to pass the same values for path and domain that were used when the cookie was set. If it was set using ASP then what initial parameters were used?

setcookie($name, $value, $expire, $path, $domain)

Note that $path will default to the current directory if omitted, and like you say, your PHP scripts are in a different directory to your ASP script, so that is going to prevent the cookie from being deleted. Maybe it was set for the whole domain? i.e. "/"

unset($_COOKIE["creds"]); just removes this cookie from the $_COOKIE superglobal for the current request, it won't actually remove the cookie. But this is a good idea, if you are checking the value of $_COOKIE['creds'] later in your script.

MrWhite
0

Excellent, that's what it was. Thank you sir.

For anyone else that was wondering, I replaced the original provided code with this...

setcookie("creds", $_COOKIE["creds"], time()-3600, "/");

... as suggested.

Thanks again.

  • You're welcome. Just to add, you shouldn't pass the same value for the cookie _value_ itself. For that pass an empty string (as you did originally), or even the boolean value _false_. So, your code becomes: `setcookie("creds", "", time()-3600, "/");`. (If you're happy with the answer you can _accept it_ by clicking the green tick - you then get some rep points and a badge as well - welcome to ServerFault! ;) – MrWhite Jul 23 '10 at 23:13
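
The path-matching rule from the answer above, applied to a whole logout page, as an added example that is not part of the original posts. It assumes the ASP script set `creds` with path "/" and no explicit domain (what fixed the problem in this thread); `expire_cookie` is a hypothetical helper name.

```php
<?php
// logout.php -- added example, not the poster's code.
// Assumption: the ASP page set "creds" with Path=/ and no Domain attribute.

/**
 * Send an expiring Set-Cookie header for $name.
 * The browser only replaces (and so deletes) a stored cookie when the
 * name, path and domain all match the values it was stored with.
 */
function expire_cookie($name, $path = '/', $domain = '')
{
    // Empty value plus an expiry in the past tells the browser to drop it.
    $sent = setcookie($name, '', time() - 3600, $path, $domain);

    // Remove it from this request too, so later checks in the script
    // do not still see the old value.
    unset($_COOKIE[$name]);

    return $sent;
}

session_start();
$_SESSION = array();

// The PHP session cookie has its own path and domain; read them back
// from the session configuration instead of guessing.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    expire_cookie(session_name(), $params['path'], $params['domain']);
}
session_destroy();

// Omitting the path here would default it to the directory of logout.php,
// which does not match a cookie stored for "/", and the cookie would survive.
if (!expire_cookie('creds', '/')) {
    // setcookie() returns false when output has already been sent.
    error_log('logout: Set-Cookie for creds not sent (headers already sent)');
}
```

To confirm the result, check the response for a `Set-Cookie: creds=...` header whose `path` matches the stored cookie, the same check the question did with Firecookie.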