getting session variable even after session destroy - php

I am a newbie in PHP. I cannot understand why a session variable is still output even after session_destroy() and session_unset(). Here is my simple test code:
`session_start();
$_SESSION['name']='sovon';
session_destroy();
session_unset($_SESSION['name']);
echo $_SESSION['name'];
`
The output is 'sovon'. My question is: what are session_destroy() and session_unset() doing here, and what's the difference between them?
Oh! When I delete session_destroy(), that variable gets unset. Why?

I got it, Faisal: session_destroy destroys the session if it was created in other pages. If the session variable was created on the same page then it will remain. The best practice is to null the session variable after session_destroy: $_SESSION = NULL;
Like I am using in logout:
session_start();
session_destroy();
$_SESSION = NULL;
header('Location: Login.php');
I think this will help you.

Perhaps it's easier if you read the PHP manual.
session_destroy()
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
So if you want to unset the data inside, you have to unset it.
unset($_SESSION);
Session unset...
session_unset()
deletes all variables and leaves the session_id. But session_unset has no parameters.
What you are looking for is
unset($_SESSION['name']);

The following works perfectly in all browsers to kill, destroy and unset all session info. Perfect to put in a sign-out file.
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
?>
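The behaviour asked about in this thread, as an added example that is not part of any post above: it records what a bare session_destroy() leaves behind in the running request, what session_unset() returns afterwards, and what a later request presenting the same session id would load. It assumes the PHP CLI (7.3+) with the default "files" save handler; `end_session()` and `observe_destroy()` are hypothetical names, and the temp save path is a demo choice.

```php
<?php
// Added example, not code from the posts above. Run with the PHP CLI (7.3+).
// The save path is a demo choice; the value 'sovon' is taken from the question.

/** Logout that clears all three places session state lives (hypothetical helper). */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                          // 1. in-memory copy for this request
    if (ini_get('session.use_cookies')) {    // 2. browser cookie, same attributes
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                       // 3. server-side record
}

/** Reproduces the question: what survives a bare session_destroy()? */
function observe_destroy(): array
{
    session_save_path(sys_get_temp_dir());
    session_start();
    $_SESSION['name'] = 'sovon';
    $id   = session_id();
    $file = session_save_path() . "/sess_$id";  // default "files" handler layout

    $r = ['stored_before' => file_exists($file)];
    session_destroy();                          // removes the stored record only
    clearstatcache();
    $r['stored_after']   = file_exists($file);
    $r['memory_after']   = $_SESSION['name'] ?? null;  // $_SESSION is not touched
    $r['unset_returned'] = session_unset();            // needs an active session
    $r['memory_still']   = isset($_SESSION['name']);

    session_id($id);          // a later request presenting the old session id
    session_start();          // reloads $_SESSION from storage
    $r['next_request'] = $_SESSION;
    end_session();
    $r['after_logout'] = [$_SESSION, session_status() === PHP_SESSION_NONE];
    return $r;
}

var_export(observe_destroy());
```

All session calls happen before the final var_export() because session_start() and setcookie() need to run before any output is sent.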

Related

Do you need to use session_unset before session_destroy?

According to w3schools (https://www.w3schools.com/php/php_sessions.asp) to remove a session (log out) you should do it this way:
session_unset();
session_destroy();
But I don't understand why you'd have to unset all session variables first, wouldn't just session_destroy be enough?
You can find the following information on the official documentation (https://php.net) about session_destroy:
It does not unset any of the global variables associated with the session, or unset the session cookie.
source: http://php.net/manual/en/function.session-destroy.php
And the documentation of session_unset says the following:
The session_unset() function frees all session variables currently registered.
source: http://php.net/manual/en/function.session-unset.php
So with this information you have to call the following to clear a session completely:
session_unset();
session_destroy();
You don't want to clear the whole session?
In case you are using a system to log a user in and out, you can also remove specific fields of the session using unset:
unset($_SESSION['username']);
unset($_SESSION['other_user_data']);
In this case you only remove data of the user and not data for other parts of your application not related to the user.

Does 'session_destroy()' completely destroys and make it unaccessible the super global variable $_SESSION?

I've learnt that
session_unset() removes all session variables which means it just clears the $_SESSION variable and it’s equivalent to doing:
$_SESSION = array();
This does only affect the local $_SESSION variable instance/s.
session_destroy() destroys the session data that is stored in the session storage.
My questions are as below:
Does session mean the $_SESSION super global variable?
When session_destroy() will be called will the super global variable $_SESSION also get destroyed and becomes unaccessible?
If the super global variable $_SESSION doesn't become unaccessible even after calling session_destroy() then what it actually destroys when the session variable instances have already been destroyed by session_unset() ?
Thanks.
session_unset() does not destroy the session, session_unset should be used on a single session variable.
session_unset($_SESSION['user_id']);
Does session mean the $_SESSION super global variable?
According to the PHP docs, do not use session_unset on the global variable (http://php.net/manual/en/function.session-unset.php):
Do NOT unset the whole $_SESSION with unset($_SESSION) as this will
disable the registering of session variables through the $_SESSION
superglobal.
When session_destroy() will be called will the super global variable $_SESSION also get destroyed and becomes unaccessible?
No it does not become unaccessible. After destroying a session with session_destroy() you can use session_start() to create a new session.
If the super global variable $_SESSION doesn't become unaccessible even after calling session_destroy() then what it actually destroys when the session variable instances have already been destroyed by session_unset() ?
Calling session_unset should be used to remove individual session variables, not to destroy your session. After using session_unset the session is still active, as you can see from my test below:
<?php
// This prints "Active"
session_start();
$_SESSION['user_id'] = 1000;
session_unset($_SESSION['user_id']);
if(session_status()==2)
echo "Active \n";
To destroy a session in php, I don't recommend trying to use session_unset. I do:
// hijack then destroy
$session_id = session_id();
session_id($session_id);
session_start();
session_destroy();
session_commit();
When starting a session, a session ID will be generated and saved as a cookie.
session_destroy() will remove the array of $_SESSION and thus do the same as session_unset(), but in addition it also destroys the session ID. The cookie will be cleared.
From this point, you can only access the $_SESSION variable again after starting the session with session_start().

PHP Session ( $_SESSION[ ] ) is working even destroy the session

Here is code where I destroy the session, but it is still working.
<?php
session_start();
$_SESSION['name'] = 'Arfan';
$_SESSION['second_name'] = 'Haider';
echo 'My full name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';
unset($_SESSION['second_name']);// unset the second_name session
echo 'My name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';// work fine error popup
session_destroy();// Destroy all the session
echo $_SESSION['name']; // session is working here.
?>
As you can see, at the end of the code the session is still working. Why?
From docs:
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
Example:
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you want to clear a session completely, you can use:
session_start();
session_destroy();
$_SESSION = array();

How to completely destroy session variables on logout

When I log a user out of an app I am building I use session_destroy();
But when I go back to the page, all session variables are still set.
How can I completely destroy all session variables and ultimately require a user to log back in again?
Here is my code:
session_unset(); // clears all session variables
$_SESSION = array();
session_destroy(); // deletes session id
Thanks
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you need to clear the values of $_SESSION, set the array equal to an empty array:
Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much. Still, if you are concerned,
try the following:
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
You are not calling session_destroy() for sure; your code may be unable to access it.
Post more code so we can help you.

Session destroy

In my working platform I ended up with a session_destroy problem:
function logout()
{
$_SESSION['id'] = '';
session_destroy();
}
Here I unset the session id variable with a null value and use the session_destroy() function to destroy the session.
But the problem is that after logging out of my account, when I press the back button of the browser it shows the status as logged in. I can even browse through the profile and links of my account.
Thank you
You must unset the session as well as destroy the session to remove it completely from your system.
You can do it with PHP functions:
session_unset(); or you can use unset($_SESSION);
session_destroy();
I think you should try using session_unset().
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.
