I'm building a site (e-commerce) which stores session_id in DB (Generated by $session = session_id(); ). I need to destroy it once checkout completes. I've added
session_unset();
session_destroy();
at the end, but a simple print shows that session_id() is not being destroyed and is the same even after checkout. How can I completely destroy that? As you probably know, Firefox destroys all sessions on close while Chrome does not. I'm trying to destroy the session_id() generated. Any ideas?
So after thinking and surfing the internet, many people said that it is a bad idea (not sure why) to store the id generated from session_id().
So, instead I used uniqid().
I do something like this to generate the id on the first page and then start the session on every page and get its value via $_SESSION:
session_start();
if (!isset($_SESSION['session_id']))
{
    $session = uniqid();
    $_SESSION['session_id'] = $session;
}
else
{
    $session = $_SESSION['session_id'];
}
Turns out, this solved my problem. I can easily session_unset(); / session_destroy(); the session at the final checkout step (where cart is dumped)
I can't understand the code below and I don't know when we use session_id() before session_start().
<?php
if($_GET){
    //defining the session_id() before session_start() is the secret
    session_id($_GET['session_id']);
    session_start();
    echo "Data: " . $_SESSION['theVar'];
    //use your data before below commands
    session_destroy();
    session_commit();
}else{
    //common session statement goes here
    session_start();
    $session_id=session_id();
    $_SESSION['theVar'] = "theData";
    echo "your.php?session_id=" . $session_id;
}
?>
I want you to explain it! Not just copying the description of php.net!
On the other hand, where is session_id() used?! What's its usage?!
Thank you in advance!
Finally I understood! I give you two examples:
<?php
session_start();
// print the current session id
echo session_id();
?>
Result: stbug36ge9efg20cpdjnq83m50 (session id)
And whenever the browser or tab is closed, the session will be omitted, and the next time you enter the site you can manage two actions to occur:
1. start a new session with the previous session_id
2. or start a new session with a new id
As usual, action no. 2 will happen, but if you want no. 1 to happen you have to embed session_id before session_start. Look at the code below:
<?php
session_id("stbug36ge9efg20cpdjnq83m50");
session_start();
?>
And here we're starting a new session with the previous session id.
And
the usage of session_id():
You can easily write an online visitors counter: each time a session starts (user is online), its id will be stored in the database, so we can find out how many users are online.
Setting the session id before starting the session lets you manually "resume" a session, so to speak. If you session_start() without setting the ID, and the previous session has expired, it will generate a new ID and start a brand new session.
From the PHP documentation:
If id is specified, it will replace the current session id. session_id() needs to be called before session_start() for that purpose.
See more at: http://php.net/manual/en/function.session-id.php
The manual is a good place to start. session_id isn't required to start or manage sessions. PHP and the browser (through a cookie) will usually handle this automatically if you exclude session_id. You can however maintain multiple sessions per end user by specifying a session ID.
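The code in the question above takes the session ID from $_GET, so whoever supplies the link chooses the ID the visitor's session runs under. As an added example (not code from any of the posts), this is one way to keep PHP from adopting client-chosen IDs and to issue a fresh ID at login; on_login() is a hypothetical helper, and the cookie flags assume an HTTPS site on PHP 7.3 or later.

```php
<?php
// Added example, not from the original posts.
// These settings must be applied before session_start().
ini_set('session.use_strict_mode', '1');   // do not accept uninitialized IDs sent by the browser
ini_set('session.use_only_cookies', '1');  // never read the session ID from the URL
ini_set('session.use_trans_sid', '0');     // never write the session ID into links

session_start([
    'cookie_httponly' => true,   // keep the ID away from page scripts
    'cookie_secure'   => true,   // assumption: the site is served over HTTPS
    'cookie_samesite' => 'Lax',  // available from PHP 7.3
]);

// Hypothetical hook, called once the credentials have been verified.
function on_login(int $userId): void
{
    // Issue a new ID at the privilege boundary. Passing true deletes the
    // old session record, so an ID known before login stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

$idBeforeLogin = session_id();
on_login(42);                    // constructed sample user id
$idAfterLogin = session_id();

// The pre-login ID must not survive authentication.
if ($idBeforeLogin === $idAfterLogin) {
    throw new RuntimeException('session ID was not rotated at login');
}
```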
I only store logged users id in SESSION.
When a user logs out, SESSION becomes useless for me. Do I have to destroy it?
These are the methods of Utils class which I am using to start and destroy SESSION.
class Utils
{
    // Start a session only if none is active yet.
    static function sessionSecureStart()
    {
        if (session_status() == PHP_SESSION_NONE) {
            session_start();
        }
    }

    // Clear the session data and destroy the session if one is active.
    static function sessionSecureDestroy()
    {
        //Utils::sessionSecureStart(); This part is for testing only
        if (session_status() == PHP_SESSION_ACTIVE) {
            $_SESSION = [];
            session_destroy();
        }
    }
}
Sometimes randomly I get errors/warnings like SESSION could not be destroyed.... Am I doing something wrong?
(I am using PHP/5.5.25)
You don't have to destroy the whole session, just unset the parts you don't need. Let's say that when a user logs in that you set $_SESSION['user_id'] and everything that says I am logged in is looking for that variable. A simple unset($_SESSION['user_id']); and suddenly the user is logged out. Remember, your user doesn't have control over what's in the session.
Another option is to set the session cookies to very low lifetimes. It's cruder but just as effective.
I highly advise you to destroy the session, for both security and performance.
Normally session data is saved in temporary files on the server and in a cookie on the browser; this one only contains the session id but no data.
When you call session destroy you delete this file, but you also might tell the browser to delete the session cookie (sending a cookie with the same name which expires in the past). You can know the name by calling the session_name() function (normally it's PHPSESSID).
When a user logs out, SESSION becomes useless for me. Do I have to destroy it?
Yes. Besides destroying it, it's also helpful to generate a new session-id
Sometimes randomly I get errors/warnings like SESSION could not be destroyed.... Am I doing something wrong?
You cannot destroy a session that hasn't been started. Make sure you have successfully initiated your sessions with session_start(); before trying to destroy it.
I am using PHP sessions for a tool I have created. It allows for you to resume a previous session you may have started that is stored in the database. All that functionality is working as intended.
However, I provide a link that says "Create New Session" and point it to a PHP page that contains this code:
<?php
session_start();
session_destroy();
$_SESSION = array();
unset($_SESSION);
header('Location: wizard.php');
?>
Now, when it redirects back to wizard.php, I have it printing out all session details and it still contains information from the previous session.
Is there something I am missing here?
Wizard.php starts with session_create(); so I would assume as soon as it redirected it would create a new session ID and all, which isn't happening.
Thanks for any info
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
header('Location: wizard.php');
?>
Taken from: session_destroy Example 1
In my working platform I ended up with a session_destroy problem:
function logout()
{
    $_SESSION['id'] = '';
    session_destroy();
}
Here I unset the session id variable with a null value and use the session_destroy() function to destroy the session.
But the problem is that after logging out from my account, when I press the back button of the browser it shows the status as logged in. I can even browse through the profile and links of my account.
Thank you
You must unset the session as well as destroy the session to remove it completely from your system.
You can do it with PHP functions:
session_unset(); or you can use unset($_SESSION);
session_destroy();
I think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.
I have a problem with the session_id(). When I call session_destroy() by going specifically to the logout page and then go back to my start page, the session_id is still the same. What to do?
But when I close the browser window the session_id is a new one, but what if a person does not close his/her browser window?
session_destroy() destroys the session data on the server, not the session id in the cookie. Either use setcookie() to unset the cookie or use session_regenerate_id() to get a new ID.
The order of regeneration and destroying variables is important:
function _session_destroy() {
    session_regenerate_id();
    session_destroy();
}
Use these functions in the order shown below:
session_start();
session_unset();
/* Kill all session variables */
unset($_SESSION['variable1']);
unset($_SESSION['variable2']);
/* ... */
unset($_SESSION['variableN']);
$_SESSION = array(); // reset session array
/* now generate session id */
session_regenerate_id();
session_destroy(); // destroy session.
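Putting the answers above together, as an added example that is not taken from any of the posts: a logout routine that checks the session is active, clears the data, expires the cookie with the same attributes it was issued with, and then removes the server-side record. terminate_session() is a hypothetical helper name; the return type declaration assumes PHP 7 or later.

```php
<?php
// Added example, not from the original posts.
// terminate_session() is a hypothetical helper, not a PHP built-in.
function terminate_session(): bool
{
    // session_destroy() only works on an active session; calling it
    // without one is what produces the "could not be destroyed" warning.
    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        return false;
    }

    // 1. Drop the data held in memory for this request.
    $_SESSION = [];

    // 2. Expire the browser's cookie. Path, domain and flags must match
    //    the ones the cookie was issued with, or the old cookie stays
    //    and the same ID comes back on the next request.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the server-side record stored under the current ID.
    return session_destroy();
}

// Usage, before any output has been sent:
session_start();
$_SESSION['user_id'] = 42;       // constructed sample value
$destroyed = terminate_session();

// After teardown no session is active, so pages that test
// $_SESSION['user_id'] see a logged-out visitor.
if (!$destroyed || session_status() !== PHP_SESSION_NONE) {
    throw new RuntimeException('session was not fully terminated');
}
```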