According to w3schools (https://www.w3schools.com/php/php_sessions.asp) to remove a session (log out) you should do it this way:
session_unset();
session_destroy();
But I don't understand why you'd have to unset all session variables first, wouldn't just session_destroy be enough?
You can find the following information on the official documentation (https://php.net) about session_destroy:
It does not unset any of the global variables associated with the session, or unset the session cookie.
source: http://php.net/manual/en/function.session-destroy.php
And the documentation of session_unset says the following:
The session_unset() function frees all session variables currently registered.
source: http://php.net/manual/en/function.session-unset.php
So with these informations you have to call the following to clear a session completely:
session_unset();
session_destroy();
You don't want to clear the whole session?
In case your are using a system to login and logout a user, you can also remove specific fields of the session using unset:
unset($_SESSION['username']);
unset($_SESSION['other_user_data']);
In this case you only remove data of the user and not data for other parts of your application not related to the user.
Related
I have used session_destroy in MVC pattern.
If I click logout link, it will redirect correct url but page disappears. It is displaying the below error in Firefox.
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in
a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies."
This is the function I'm using for logout.
Logout function:(Not working)
public function Logout(){
session_destroy();
$this->redirect('index.php?r=admin/login');
}
I have unset($_SESSION['userName']) the session variable. It is working fine. But session_destroy is not working in that place.
What is the reason for that?
Logout function:(working)
public function Logout(){
unset($_SESSION['userName']);
$this->redirect('index.php?r=admin/login');
}
you can use another way to remove session like:-
$_SESSION = array(); // define it with empty array and clear the session values
or use start the session again and then destroy
session_start();
session_destroy();
For more :- why session_destroy() not working
and for better understanding you can read #Chen Asraf answer
From the PHP documentation of session_destroy:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
So in order to truly get rid of the session, you also have to unset or override the $_SESSION superglobal, like you did before.
I am newbie in php. I can not under stand a thing that session variable is outputting even after session_destroy() and session_unset().Here is my simple code for test
`session_start();
SESSION['name']='sovon';
session_destroy();
session_unset($_SESSION['name']);
echo $_SESSION['name'];
`
The output is 'sovon'. My question what is session_destroy() and session_unset() doing here and whats the difference between them?
Oh! when I am deleting session_destroy() that variable is getting unset. why?
I got it faisal, session_distroy is destroying session if its created in other pages. If the session variable created on the same page then it will be remain. The best practice is to null the session variable after session distroY $_SESSION = NULL;
Like I am using in logout,
session_start();
session_distory();
$_SESSION = NULL;
header('Location: Login.php');
I think this help you.
Perhaps its easier if you read the php manual.
session_destroy()
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
So if you want to unset the data inside. You have to unset it.
unset($_SESSION);
Session unset...
session_unset()
deletes all variables and leave session_id. But session_unset has no parameters.
What you search is
unset($_SESSION['name']);
The following works perfectly in all browsers to kill and destroy and unset all session info. Perfect to put it in sign-out file.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>
When I log a user out of an app I am building I use session_destroy();
But when I go back to the page, all session variables are still set.
How can I completely destroy all session variables and ultimately require a user to log back in again?
Here is my code:
session_unset(); // clears all session variables
$_SESSION = array();
session_destroy(); // deletes session id
Thanks
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you need to clear the values of $_SESSION, set the array equal to an empty array:
Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much.Still if you are concerned .
Try the following:
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
you are not calling session_destroy() for sure, your code may be unable to access it.
Post more code so we could help you
In my working platform i endedup with a session_destroy problem
function logout()
{
$_SESSION['id'] = '';
session_destroy();
}
Here i unset the session id variable with a null value and uses the session_destroy() function to destroy the session.
But the problem is that after logged out from my account, when i press the back button of the browser it shows the status as logged in. Even i can browse through the profile and links of my account.
Thank you
you must unset session as well as destroy session to remove it completely from your system.
you can do it with php functions..
session_unset(); or you can use unset($_SESSION);
session_destroy();
it think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.
In my application, when the user logs out, I want to destroy all the current user's sessions. Do I unset each session used in the application and then call session_destroy() or just call session_destroy()?
Thank you!
session_destroy() does not destroy all user's sessions. You would need to write to a persistent storage media (database, text file, etc.) and then call session_destroy() to kill it's own session. Then, have all pages check it when they load. If it has some special command in it (for example, normal is 0, destroy command is 1), have them call session_destroy().
session_unset(): Remove all session vars. In the 1rst F5 no longer display the session variables.
session_destroy(): Delete the current session. In the 2dn F5 no longer display the session variables.
Therefore your logout.php script could be:
<?php
session_start();
...
// remove all session variables
session_unset();
// destroy the session
session_destroy();
// Redirect to home
header("Location: home.php");
exit();
The session_destroy() function should unset all sessions that you have set. So yes, you should only have to call that. You can test it by calling session_destroy() then trying to echo a session value, if it echoes then it's not worked, if an error of some description appears, then the session has successfully been destroyed.