End Session in PHP [duplicate] - php

This question already has answers here:
Prevent back button after logout
(9 answers)
Closed 8 years ago.
I have a problem ending a session. I have MAIN.PHP where my session starts, and inside my MAIN.php I have a logout link. This is the code for my logout.php:
<?php
unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();
echo"<script> window.location.href = '../index.php' ; </script>";
exit();
?>
After clicking the logout link, when I press the back button I can still access the pages and it still holds my SESSION variables.

I'm going to take a wild stab and say that this answer will solve your problem.
Per the PHP Docs For session_destroy():
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
To sum up what seems to be your problem, the pesky session cookie (which identifies the session) is not being unset. Therefore, when you hit the back button, and session_start(); appears at the top of your script, the global session variables are still being referenced. As the other answer suggests, try:
$_SESSION = array();
to clear all of the global session data. Also, as the docs say, unset the session cookie.
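A complete logout routine and page guard that follow the manual text quoted above, as an added example (not code from the original posts). The function names `logout()` and `require_login()` and the file name are hypothetical, `$_SESSION['user']` comes from the question, and `setcookie()` with an options array assumes PHP 7.3 or later.

```php
<?php
// session_auth.php -- added example, not code from the posts above.
declare(strict_types=1);

/** Log the current user out: clear data, expire the cookie, destroy storage. */
function logout(string $redirectTo): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // resume the session named by the cookie
    }
    $_SESSION = [];                 // clear the in-memory session variables

    if (ini_get('session.use_cookies')) {
        // Expire the session cookie; path and domain must match the original.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();              // delete the server-side session data

    header('Location: ' . $redirectTo);
    exit;
}

/** Guard for protected pages: call before any output. */
function require_login(string $loginPage): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Forbid caching so the Back button re-requests the page after logout
    // (sent explicitly in case session.cache_limiter is not "nocache").
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');

    $user = $_SESSION['user'] ?? '';
    if (!is_string($user) || trim($user) === '') {
        header('Location: ' . $loginPage);
        exit;
    }
}
```

With this file included, logout.php would call `logout('../index.php');` and every protected page would call `require_login('../index.php');` as its first statement.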

You might want to add session_start() in there too:
session_start();
unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();
header('Location: index.php');
Also, I personally prefer to unset the entire session like unset($_SESSION);, but everyone has their own ways of doing things.

Related

PHP Session Logout

Why do people do this?
session_start();
unset($_SESSION['session']);
session_destroy();
Why do people do session_start, then unset, then destroy?
In order to destroy the currently active session, you need to start the session first. That's because session_start() resumes the currently active session. You need access to that because you want to know which session you are unsetting.
You might like to take a look at this line from the manual:
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
Reference: PHP Manual - session_unset()
These three steps explained:
session_start(); -> initializes a session or resumes one if you already have one.
unset($_SESSION); -> you need to be sure that the session array won't exist once you destroy your session, even in memory. You can go directly to session_destroy(); and go on, but the loaded array is still there.
session_destroy(); -> to destroy the session by removing cookies from the client.
session_start() resumes the current active session. By doing this you can access your session variables.
unset($_SESSION['session']); unset() destroys the specified variables.
session_destroy(); destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
For more details, go to http://php.net/manual/en/function.session-destroy.php
Or you can search

Why should we destroy session in php?

session_destroy() destroys session data but does not unset any of the global variables associated with session or unset the session cookie.
So why should we destroy session?
Can we destroy a session at the end of page each time the session starts in the beginning of that page giving the same functionality without destroying as well?
session_destroy() will delete the session file (if file storage is used). Otherwise the session file will reside on the server until the garbage collection deletes it. So, if you want to make sure that the stored session data is removed from the server you have to call session_destroy().
Do not call this on every page! Only after the user logs out and you do not need the stored information anymore.
Your correct approach should be to run session_destroy, and then reload the page to force the session changing actions (such as cookie deletion) to work and then the session data in PHP reloads and renews upon page reload.
Before running session destroy you should also "manually" clean the session as well so:
<?php
session_start();
if (count($_SESSION) > 0) {
    // Or some other more specific cursory check if the session is populated
    $_SESSION = array("","","","");
    session_destroy();
    header("Location: thispage.php");
    exit;
}
// ... page continues ...
Also please reference this answer as to how to remove session cookies on the client browser.

Destroying specific session variables

Hey guys, got into a small problem... I am developing a quiz application, and I need to have a different session for every quiz that is being played...
session_name("random name");
session_start();
This helps me to do the work, but I have got another session being started at the login page.
I need to destroy the random name session once the quiz is complete.
P.S.: both are two different sessions.
Check the manual on that one: http://php.net/manual/en/function.session-destroy.php
Session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
I believe, that you cannot have two sessions active at the same time. If you need to store your quiz values in the session, then you'll need to prefix their indexes so they are handy and easily destroyed. You could have something like:
$_SESSION['Quiz']['Question1'] = "Yes";
$_SESSION['Quiz']['Question2'] = "No";
then when you're finished with the Quiz with
unset($_SESSION['Quiz']);

4 Simple PHP Session Questions

1) What specifically does session_unset(); & session_destroy(); do?
2) Do I need to have both of them?
3) Do they remove all sessions for every user who has logged in or just the user who accessed the page containing this php?
4) What's the default timeout for sessions?
Simple answer, from the docs
session_unset():
The session_unset() function frees all session variables currently registered.
session_destroy():
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In some cases, yes, you should use them both.
It appears it would only unset/destroy the current session, meaning that of the individual user.
Default timeout is 1440 seconds

Cannot log out from session

When I try to log out the session is destroyed but I still can go inside that page and view details without logging in first by using the Mozilla browser back button or history cache.
code for logout is
<?php
session_start();
session_unset($_SESSION['user']);
//redirect to login page
header('location:login.php');
session_write_close();
?>
members page.
<?php
if (!isset($_SESSION['user']) || trim($_SESSION['user']) == '') {
    require('error.php');
}
else {
    require('view.php');
    // the function queries the db.
    member_detail($user, $password);
}
In this code if I use the link to the page, it goes to the error page but if I log in, member details is displayed since the session is active so problem is after logout.
First make sure your session is destroyed using the session_destroy function, or unset the whole session array.
And print the session array in a test page after logout. This will tell you which session variables are there. Use the isset method to check whether or not session variables exist.
Sometimes session_unset and session_destroy do not clear the session data.
Reference: http://www.dmxzone.com/forum/topic/14240/
I have similar experience. Perhaps it is because of not using the methods properly.
Quickfix:
If you want to unset a particular session variable:
$_SESSION["variable"]="";
That will 'unset it'
To unset the whole SESSION
$_SESSION=array();
I seriously do NOT know how valid these are as recommended programming practices, however, they work for me.
From the manuals:
If a globalized variable is unset() inside of a function, only the local variable is destroyed. The variable in the calling environment will retain the same value as before unset() was called.
and
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Perhaps other users can add more to this answer. Plus the manuals at php.net have very informative comments with sample code.
