<?php
session_start();
session_unset('YourVisitID');
session_destroy();
header("location:index.php");
?>

I've used the code above to destroy my session after login, but instead of destroying it, it creates another session called 'PHPSESSID'. I'm using XAMPP localhost. Please advise.*

* page redirection works fine

I'm using Mozilla Firefox. After I logged in, I checked the cookies; there was only 'YourVisitID' under localhost. Then when I pressed the log out button, it redirected me back to index.php. Then I tried to copy & paste the direct link to the admin's page, and it still works. Then I went to check the cookies again, and what I saw under localhost was that the initial session 'YourVisitID' was still there and not destroyed, and there was another cookie named 'PHPSESSID'.

Advise please.

Are you validating the existence of the session in the admin's page? Try this simple example.

<?php //page1.php
session_start();
$_SESSION['name']="test";
echo "<a href='page2.php'>Click here</a>";
?>

This is page2.php

<?php
session_start();
if(!empty($_SESSION['name'])){
 echo $_SESSION['name'];
} else {
 echo "Invalid session";
}
?>

Well, if you try to access page2.php directly, you will get "Invalid session". Are you doing a check like this one in the admin's page?

Here is what I do

secure.php

<?php
     session_start();
     if (empty($_SESSION['username'])) {
     header("location:index.php");
     exit; }
 ?>

logout.php

<?php
     session_start();
      if($_SESSION["status"]="logged") {
      session_unset(); 
      session_destroy();
       header( "Location:../index.php" ); 
      exit();
     } else { 
       if ($_SESSION["status"]="not logged") {
//the session variable isn't registered, the user shouldn't even be on this page 
       header( "Location:../index.php" ); 
      exit();
    }
  }
?>

I'm using Mozilla Firefox. After I logged in, I checked the cookies; there was only 'YourVisitID' under localhost. Then when I pressed the log out button, it redirected me back to index.php. Then I tried to copy & paste the direct link to the admin's page, and it still works.

Can you post the script of your admin's page? When you run the logout script, sessions should get destroyed. Check if there are still values in the session variable :S

<?php
     session_start();
      if($_SESSION["status"]="logged") {
      session_unset(); 
      session_destroy();
       header( "Location:../index.php" ); 
      exit();
     } else { 
       if ($_SESSION["status"]="not logged") {
//the session variable isn't registered, the user shouldn't even be on this page 
       header( "Location:../index.php" ); 
      exit();
    }
  }
?>

Take a look at those if statements. Those are SETTING $_SESSION, not comparing them. Comparisons use ==

login.php

<?php
// Send NOTHING to the Web browser prior to the session_start() line!

// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

	require_once ('mysql_connect.php'); // Connect to the db.
		
	$errors = array(); // Initialize error array.
	
	// Check for an email address.
	if (empty($_POST['username'])) {
		$errors[] = 'You forgot to enter your Username.';
	} else {
		$u = escape_data($_POST['username']);
	}
	
	// Check for a password.
	if (empty($_POST['password'])) {
		$errors[] = 'You forgot to enter your password.';
	} else {
		$p = escape_data($_POST['password']);
	}
	
	if (empty($errors)) { // If everything's OK.

		/* Retrieve the user_id and first_name for 
		that email/password combination. */
		$query = "SELECT user_id, first_name FROM adminprofile WHERE username='$u' AND password='$p'";		
		$result = @mysql_query ($query); // Run the query.
		$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

		if ($row) { // A record was pulled from the database.
				
			// Set the session data & redirect.
			session_name ('YourVisitID');
			session_start();
			$_SESSION['user_id'] = $row[0];
			$_SESSION['first_name'] = $row[1];
			$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);

			// Redirect the user to the loggedin.php page.
			// Start defining the URL.
			$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
			// Check for a trailing slash.
			if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
				$url = substr ($url, 0, -1); // Chop off the slash.
			}
			// Add the page.
			//$url .= 'loggedin.php';
			
			//header("Location: $url");
			header("Location: loggedin.php");
			exit(); // Quit the script.
				
		} else { // No record matched the query.
			$errors[] = 'The username and password entered do not match those on file.'; // Public message.
			$errors[] = mysql_error() . '<br /><br />Query: ' . $query; // Debugging message.
		}
		
	} // End of if (empty($errors)) IF.
		
	mysql_close(); // Close the database connection.

} else { // Form has not been submitted.

	$errors = NULL;

} // End of the main Submit conditional.

// Begin the page now.
$page_title = 'Login';
include ('./includes/header.html');

if (!empty($errors)) { // Print any error messages.
	echo '<h1 id="mainhead">Error!</h1>
	<p class="error">The following error(s) occurred:<br />';
	foreach ($errors as $msg) { // Print each error.
		echo " - $msg<br />\n";
	}
	echo '</p><p>Please try again.</p>';
}

// Create the form.
?>
<h2>Login</h2>
<form action="login.php" method="post">
	<p>Username: <input type="text" name="username" size="20" maxlength="15" /> </p>
	<p>Password: <input type="password" name="password" size="20" maxlength="15" /></p>
	<p><input type="submit" name="submit" value="Login" /></p>
	<input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/footer.html');
?>

loggedin.php (admin page)

<?php
# User is redirected here from login.php.

session_name ('YourVisitID');
session_start(); // Start the session.

// If no session value is present, redirect the user.
if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) {

	// Start defining the URL.
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		$url = substr ($url, 0, -1); // Chop off the slash.
	}
	//$url .= 'index.php'; // Add the page.
	//header("Location: $url");
	header("Location: index.php");
	exit(); // Quit the script.
}

// Set the page title and include the HTML header.
$page_title = 'Logged In!';
include ('./includes/header1.html');

// Print a customized message.
echo "<h1>Logged In!</h1>
<p>You are now logged in, {$_SESSION['first_name']}!</p>
<p><br /><br /></p>";

include ('./includes/footer.html');
?>

Advise pls.

Maybe this isn't working. Print some statements inside this loop and execute this script (without logging in).

if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) {

<?php
// This is the logout page for the site.

// Include the configuration file for error management and such.
require_once ('mysql_connect.php'); 

// Set the page title and include the HTML header.
$page_title = 'Logout';
include ('./includes/header.html');
$MM_redirectLoginFailed = "index.html";
$MM_redirecttoReferrer = true;

// If no first_name variable exists, redirect the user.
if (isset($_SESSION['first_name'])) {

	// Start defining the URL.
	//$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	//if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		//$url = substr ($url, 0, -1); // Chop off the slash.
	//}
	// Add the page.
	//$url .= '/index.html';
	
	ob_end_clean(); // Delete the buffer.
	//header("Location: $url");
	//header("Location: index.html");
	echo "<script type='text/javascript'>location.href='$MM_redirectLoginSuccess';</script>";
	exit(); // Quit the script.
	
} else { // Logout the user.

	$_SESSION = array(); // Destroy the variables.
	session_destroy(); // Destroy the session itself.
	//session_unset();
	setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.

}

// Print a customized message.
echo "<h3>You are now logged out.</h3>";

include ('./includes/footer.html');
?>

I've tried this code and the errors are:

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in C:\xampp\htdocs\cycle\logout.php on line 34

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\cycle\includes\header.html:7) in C:\xampp\htdocs\cycle\logout.php on line 36

Please help.

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in C:\xampp\htdocs\cycle\logout.php on line 34

That means you are trying to destroy a session that doesn't exist.
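
Both warnings above, and the original symptom of a second cookie appearing while 'YourVisitID' survives, come down to logout.php not opening the session that login.php created. The following logout.php is an added example, not code posted by anyone in this thread; it assumes the session name 'YourVisitID' from login.php, and `end_named_session` is a hypothetical helper name.

```php
<?php
// logout.php (added example, not code from the thread).
// Assumption: login.php named the session 'YourVisitID', as shown above.

// Hypothetical helper: end the session that was started under $name.
function end_named_session($name)
{
    // Select the same cookie name login.php used. Without this call,
    // session_start() falls back to the session.name default (PHPSESSID),
    // opens a brand-new empty session, and session_destroy() removes that
    // one while the real login session stays valid on the server.
    session_name($name);
    session_start();

    // Drop the data held in memory for this request.
    $_SESSION = array();

    // Expire the browser cookie using the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session record.
    session_destroy();
}

// No output (includes, HTML, whitespace) may be sent before this point,
// otherwise the cookie and Location headers fail with "headers already sent".
end_named_session('YourVisitID');

header('Location: index.php');
exit();
```

Every protected page has to call session_name('YourVisitID') before session_start() in the same way, as loggedin.php already does.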
