PHP Session not clearing? - php

I am using PHP sessions for a tool I have created. It allows for you to resume a previous session you may have started that is stored in the database. All that functionality is working as intended.
However, I provide a link that says "Create New Session" and point it to a PHP page that contains this code:
<?php
session_start();
session_destroy();
$_SESSION = array();
unset($_SESSION);
header('Location: wizard.php');
?>
Now, when it redirects back to wizard.php, I have it printing out all session details and it still contains information from the previous session.
Is there something I am missing here?
Wizard.php starts with session_create(); so I would assume as soon as it redirected it would create a new session ID and all, which isn't happening.
Thanks for any info

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
header('Location: wizard.php');
?>
Taken from: session_destroy Example 1

Related

Destroying a session if it already exists?

What I am trying to do:
When a user hits the index.php page (the start of a couple pages of forms), I need any existing session to be destroyed and a new one to start. This is so that old session variables are not reused in the new process.
What I have done:
I believe this should check if a session already exists, if it does, destroy it and start a new one. (Need to use session_id() for the check)
if(session_id() == '') {
session_start();
}else{
session_destroy();
session_start();
}
The issue:
The previous session variables are still set and causing issues with the process.
Am I missing something in the way to reset all session variables?
In documentation you can read:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. session_destroy();
So you have to do the following things:
$_SESSION = array(); //empty session variable
$cookieParams = session_get_cookie_params();
setcookie(
    session_name(),
    '',
    0,
    $cookieParams['path'],
    $cookieParams['domain'],
    $cookieParams['secure'],
    $cookieParams['httponly']
);
session_destroy(); //and now you can call your function

session_destroy() + session_start() not after header redirect

Trying to temporarily store information in a multipage sign up. Because I don't want old sessions to mess with the new sign up data I'm trying to destroy the old session. The problem is the following.
Not working:
signup1.php
//Start new session
session_regenerate_id(TRUE);
session_destroy();
unset($_SESSION);
session_start();
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
signup2.php
<pre>
<?php
//Print $_SESSION (empty array)
print_r($_SESSION);
?>
Working (but returns old $_SESSION values + updated values):
//Start new session
session_regenerate_id(TRUE);
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
What could resolve the problem? First session_start(); is set in init.php but it doesn't matter if I place it above session_regenerate_id(TRUE), array stays empty.
You should use this first:
session_start(); // Starts a new or resumes an existing session
Then you may use:
session_regenerate_id(TRUE); // regenerates the active session id
The TRUE/delete_old_session parameter is used for:
Whether to delete the old associated session file or not.
session_regenerate_id is useful to prevent session hijacking: it just generates a new id but keeps the session data. It should be used when the user's access level changes or at a time interval (i.e. after every 10 minutes), but before you regenerate another new session id you need to start the session first.
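Added example (not code from the posts on this page): one way to begin a clean session for the "Create New Session" link, the index.php reset and the signup flow asked about above, following the order given in the answer (session_start() first, then session_regenerate_id(TRUE)). start_fresh_session() and the signup2.php target are hypothetical names, and PHP 7 or later is assumed.

```php
<?php
// Added example: start_fresh_session() is a hypothetical helper name.
// Call it before any output is sent, because it changes the session cookie.

function start_fresh_session(): string
{
    // A session must be active before its data can be cleared or its
    // ID regenerated; resume the visitor's existing session if needed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop every value carried over from the previous session.
    // Assign an empty array rather than unset($_SESSION): unsetting the
    // superglobal stops later writes from being saved to the session.
    $_SESSION = [];

    // Issue a new session ID and delete the old session's stored data.
    // PHP re-sends the session cookie with the new ID, so the old ID
    // no longer maps to anything on the server.
    session_regenerate_id(true);

    return session_id();
}

// Usage for the first step of a multi-page form (assumed page names).
$newId = start_fresh_session();
$_SESSION['created'] = time();

// Stop the script after the redirect header so nothing further runs
// against the new session in this request.
header('Location: signup2.php');
exit;
```

The next page only needs session_start() before reading $_SESSION; it will see the values stored after the reset and none of the old ones.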

PHP Session ( $_SESSION[ ] ) is working even after destroying the session

Here is code where I destroy the session, but it is still working.
<?php
session_start();
$_SESSION['name'] = 'Arfan';
$_SESSION['second_name'] = 'Haider';
echo 'My full name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';
unset($_SESSION['second_name']);// unset the second_name session
echo 'My name is '.$_SESSION['name'].$_SESSION['second_name'].'<br/>';// work fine error popup
session_destroy();// Destroy all the session
echo $_SESSION['name']; // session is working here.
?>
As you can see, at the end of the code the session is also working. Why?
From docs:
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
Example:
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you want to clear a session completely, you can use:
session_start();
session_destroy();
$_SESSION = array();

Session taking its own sweet time to be Destroyed

I have created a user page with a menu that contains a logout button. Upon clicking the button, the user is directed to a logout page with the following code:
session_start();
session_destroy();
include("/var/www/include/header.inc");
echo "<h>Logout Success</h>";
include("/var/www/include/menu.inc");
include("/var/www/include/footer.inc");
The code in the menu.inc file is written such that:
if(@$_SESSION['login'] == "yes")
{
    // show expanded menu
}
else
{
    // show normal menu
}
What I am seeing now after logging out is the expanded menu. It seems that the menu is being included faster than the session can be destroyed, thus creating an impression that the user is still logged in. Is there a way to avoid such a situation?
session_destroy doesn't unset the $_SESSION array, so the rest of the page after session_destroy will still see it. You could simply try this
session_destroy();
unset($_SESSION);
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.
Source.
To completely clear all session data you have to use something similar to
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
?>
This is explained in PHP manual:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.

Session destroy

In my working platform I ended up with a session_destroy problem
function logout()
{
    $_SESSION['id'] = '';
    session_destroy();
}
Here I unset the session id variable with a null value and use the session_destroy() function to destroy the session.
But the problem is that after logging out from my account, when I press the back button of the browser it shows the status as logged in. I can even browse through the profile and links of my account.
Thank you
You must unset the session as well as destroy the session to remove it completely from your system.
You can do it with PHP functions.
session_unset(); or you can use unset($_SESSION);
session_destroy();
I think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.
