Why should we destroy session in php? - php

session_destroy() destroys session data but does not unset any of the global variables associated with session or unset the session cookie.
So why should we destroy session?
Can we destroy a session at the end of page each time the session starts in the beginning of that page giving the same functionality without destroying as well?

session_destroy() will delete the session file (if file storage is used). Otherwise the session file will reside on the server until the garbage collection deletes it. So, if you want to make sure that the stored session data is removed from the server you have to call session_destroy().
Do not call this on every page! Only after the user logs out and you do not need the stored information anymore.

Your correct approach should be to run session_destroy, and then reload the page to force the session changing actions (such as cookie deletion) to work and then the session data in PHP reloads and renews upon page reload.
Before running session destroy you should also "manually" clean the session as well so:
<?php
session_start();
if (count($_SESSION) > 0) {
    // Or some other more specific cursory check if the session is populated
    $_SESSION = array(); // empty the array; unsetting the superglobal itself is not recommended
    session_destroy();
    header("Location: thispage.php");
    exit;
}
...
Page continues....
Also please reference this answer as to how to remove session cookies on the client browser.

Related

PHP Session Logout

Why do people do this?
session_start();
unset($_SESSION['session']);
session_destroy();
Why do people do session_start, then unset, then destroy?
In order to destroy the currently active session, you need to start the session first. That's because session_start() resumes the currently active session. You need access to that because you want to know which session you are unsetting.
You might like to take a look at this line from the manual:
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
Reference: PHP Manual - session_unset()
These three steps explained:
session_start(); -> initializes a session or resumes one if you already have one.
unset($_SESSION); -> you need to be sure that the session array won't exist once you destroy your session, even in memory. You can go directly to session_destroy(); and go on, but the loaded array is still there.
session_destroy(); -> destroys the session by removing cookies from the client.
session_start() resumes the current active session. By doing this you can access your session variables.
unset($_SESSION['session']); unset() destroys the specified variables.
session_destroy(); destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
For more details go to http://php.net/manual/en/function.session-destroy.php
Or you can search

What does session_destroy() do in PHP?

In PHP manual, the description for session_destroy() function is :
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
I am confused about this description. If this function destroys all session data, then why the global variables associated with the session are not unset? Why can we use the session variables again?
I am confused about this description. If this [session_destroy()] function destroys all session data, then why the global variables associated with the session are not unset? Why can we use the session variables again?
Session data is the data associated with the session. The session is defined by its name (the session name) and its id (the session id).
By using that function, all of this session's (name + id) data is destroyed.
The variable container which allowed you to read / set that data is still there, so you can operate on that data (e.g. there might be information in it like last activity, and this is a logout and you want to store the last activity known at logout into some logs or database, so why delete it? That would be counterproductive, because you want to destroy (or commit) sessions fast, e.g. when you know only read-only access is needed, keep the session data in memory but commit the session already because there is no need to keep it open).
Keep in mind that even though these variables are accessed via $_SESSION, they are not part of the session any longer. Perhaps that is the confusing part?
BTW my description is not totally correct. PHP internally identifies the session data by the id only so you could change the session name and session_destroy() would still remove the session data because the session id has not changed.
session_destroy() deletes the session file where session data are stored. Look here:
<?php
session_save_path('./session/'); // store session files in a folder next to this script
session_start();
$_SESSION['v'] = array( 'foo' => 123, 'bar' => 'spam' );
$_SESSION['m'] = "rocky";
// isset() returns a bool, so compare the parameter's value itself
if( isset($_GET['delete']) && $_GET['delete'] === 'true' )
    session_destroy();
?>
I have a script which creates a session and sets the value of v to 10, and it saves the session data in the same script path in a folder named ./session.
Now open the page and then browse the ./session directory; you should see a file with a name similar to sess_4r7ldo7s5hsctu3fgtvfmf4sd0. This is where session data is being stored and it will contain:
v|a:2:{s:3:"foo";i:123;s:3:"bar";s:4:"spam";}m|s:5:"rocky";
Activate session_destroy() by passing ?delete=true to the page, and the session file will simply be deleted.

Expired session cookie appears to still exist

I am trying to delete a session cookie. These are the steps I am following
// Find the session - I believe this is doing a resume rather than starting a fresh session thus identifying the session.
session_start();
// Unset all the session variables enmasse by assigning an empty array
$_SESSION = array();
// find the session name that has been allocated then destroy the session cookie
if(isset($_COOKIE[session_name()])){
setcookie(session_name(),'', time()-42000, '/');
// set content of found session to null, with a past time, at the root
}
// Destroy the session
session_destroy();
This definitely logs me out. However the actual cookie still exists and can be viewed in the browser (firefox).
$_COOKIE[session_name()]
appears to be returning the encrypted content string as opposed to the session name.
Questions:
if $_COOKIE[session_name()] is not the correct way to get the session name what is?
Should I be setting a session_name instead of allowing it to default?
Am I seeing the session because it is waiting for some kind of garbage collection?
You may want to take a look at this page:
http://php.net/manual/en/function.session-destroy.php
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Based on that, you might want to be using session_id() as opposed to session_name()
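Putting the pieces from this thread together, here is an added logout handler (not code from any of the answers above) that empties the session array, expires the cookie with the same parameters it was issued with, and then destroys the server-side data. It assumes PHP 7.3+ for the options-array form of setcookie() and session_get_cookie_params(); login.php is a placeholder.

```php
<?php
// Added example: complete logout. Returns the id that was destroyed so the
// caller can log it (constructed usage below, not part of the original thread).
function logout(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // resumes the session named by the cookie, if any
    }
    $oldId = session_id();

    // 1. Empty the in-memory array. unset($_SESSION) would remove the
    //    superglobal itself, which is why $_SESSION = [] is preferred.
    $_SESSION = [];

    // 2. Expire the client cookie. Its NAME is session_name(); its VALUE in
    //    $_COOKIE is the session id. The path/domain/flags must match the
    //    cookie that was set, otherwise the browser keeps the old one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Remove the stored data (for the files handler: deletes sess_<id>).
    session_destroy();
    return $oldId;
}

// Call before any output, then redirect so the next request starts clean.
$destroyed = logout();
error_log('session destroyed: ' . $destroyed); // constructed log line
header('Location: login.php');
exit;
```

Calling session_regenerate_id(true) at the next login gives the user a fresh id instead of the one the browser still remembers.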

Cannot log out from session

When I try to log out the session is destroyed but I still can go inside that page and view details without logging in first by using the Mozilla browser back button or history cache.
code for logout is
<?php
session_start();
unset($_SESSION['user']); // session_unset() takes no arguments; unset the single key instead
//redirect to login page
header('location:login.php');
session_write_close();
exit;
?>
members page.
<?php
session_start(); // $_SESSION is only populated after the session is started
if(!isset($_SESSION['user']) || trim($_SESSION['user']) == ''){
    require('error.php');
}
else{
    require('view.php');
    //the function queries the db.
    member_detail($user,$password);
}
In this code, if I use the link to the page, it goes to the error page, but if I log in, member details are displayed since the session is active, so the problem is after logout.
First make sure your session is destroyed using the session_destroy function or unset the whole session array.
Then print the session array in a test page after logout. This will show you which session variables are there. Use the isset method to check whether or not session variables exist.
Sometimes session_unset and session_destroy do not clear the session data.
Reference: http://www.dmxzone.com/forum/topic/14240/
I have similar experience. Perhaps it is because of not using the methods properly.
Quickfix:
if you want to unset a particular session variable:
$_SESSION["variable"]="";
That will 'unset it'
To unset the whole SESSION
$_SESSION=array();
I seriously do NOT know how valid these are as recommended programming practices, however, they work for me.
FROM the manuals
If a globalized variable is unset() inside of a function, only the local variable is destroyed. The variable in the calling environment will retain the same value as before unset() was called.
and
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Perhaps other users can add more to this answer. Plus the manuals at php.net have very informative comments with sample code.

How to delete a PHP session?

It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if( isSet($_SESSION['FacID']) )
$facID = $_SESSION['FacID']; //Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if( isSet($_SESSION['FacID']) )
$_SESSION['FacID'] = $facID;
?>
If you feel the need to force a new id
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.
