I'm aware there is an identical question here, but the accepted answer says it is a bug with a patch, yet the link says otherwise. The link says it is intended behaviour and not a bug.
The other answers in the question are exactly what I tried to do.
$variableToPreserve = $_SESSION['foo'];
session_destroy();
session_start();
// At this point in the debugger, all previous session variables are still
// in the session anyway, making me think the session has not been destroyed yet.
$_SESSION['foo'] = $variableToPreserve;
Next request:
session_start();
// This line errors as 'foo' is not in the session.
$var = $_SESSION['foo'];
My only guess is that the session does not actually get destroyed until after that request has completed. The only way I can get it to preserve is by keeping all the session variables but really I need to destroy the session and only have 'foo' set.
Session are handeled via cookies - so (I guess) this should be the expected behaviour.
You could unset all values in the session variable manually:
foreach ($_SESSION as $k => $v) {
unset($_SESSION[$k]);
}
instead for calling:
session_destroy();
session_start();
This would effectivly clear the session for you.
I checked out the code for you, and this is the behavior that I see.
session_start();
$_SESSION['foo'] = 1;
$variableToPreserve = $_SESSION['foo'];
session_destroy();
session_start();
// At this point, the session variable is indeed destroyed, as is evident from the error that the next line throws.
echo $_SESSION['foo'];
$_SESSION['foo'] = $variableToPreserve;
echo $_SESSION['foo'];
// The above line echoes 1
Your code for session destroy is not like the one that provided by PHP Manual, for example:
http://php.net/manual/en/function.session-destroy.php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
YOU CAN TEST A DEMO: http://phpfiddle.org/lite/code/2vi-r9a
Related
!!!! I know this has been asked a zillion times but I tried everything, it just does not work so dont discard the question please
when logging from one user to the other, sessions are not discared at all and former user data are displayed
I have to CTRL+F5 the navigator to have the correct new logged user data
I tried :
problematically I replace everything in the session variable with fresh new data from the new logged user (from DB), but some fields are still remains of the previous user...this makes no sens at all
$_SESSION = array();
unset($_SESSION["end_user_session"]);
$session=$endUser; // from DB !!!!
$session["sessionID"]=session_id();
$_SESSION["end_user_session"] = $session;
on logout , I do this and it should destroy the session values, yet they are still there:
$_SESSION = array();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
$_SESSION = array();
this has driven me nuts for more than 2 years now
we have the issue in wamp, and on our linux preprod/prod
please help, let me know if you need more infos
You have probably tried this (it's in the PHP manual), but just in case:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
I now stores everything in db, not using php sessions anymore
problem solved
Hy I am new to php and trying to destroy a session according to the php documentation here: http://php.net/manual/en/function.session-destroy.php
so I am using this code:
<?php
session_start();
echo 'cokkies before delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
echo '-------------- <br>';
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
echo 'cokkies after delete session';
var_dump($_COOKIE);
var_dump($_SESSION);
?>
what I dont understand is, doesnt matter how many times I run this code the PHPSESSID property in the $_COOKIE superglobal is always exactly the same.
So is then the session id on the server destroyed at all and just the id in the cookie stays alive? And overall why does it work out like this.
Thanks for the answers
Hy So I have found out why the setcookie() function didnt destroy the PHPSESSID cookie. the session_set_cookie_params() function needs to be set before starting the session and so later the setcookie() function will be able to expire the the PHPSESSID cookie.
this code works:
<?php
$lifetIme = 60 * 60 * 24 * 360;
$path = '/';
$domain = 'yourdomain';
$secure = isset($_SERVER["HTTPS"]);
$httponly = true;
session_set_cookie_params ($lifetIme, $path, $domain, $secure, $httponly);
session_start();
$expire = strtotime('-1 year');
setcookie('PHPSESSID', '', $expire, $path, $domain, $secure, $httponly);
session_destroy();
?>
it will create and then destroy the session completely and the next call to the server from the same browser wont know about the the prev session and its PHPSESSID cookie
Just use session_regenerate_id() after destroying the session.
https://secure.php.net/manual/en/function.session-regenerate-id.php
Also destroying a sessions doesn't unset a cookie.
ok hi, just wanna leave a few things out. Ok it’s simple, session destroyed doesn’t unset whats been set on cookie. Like we all know, cookies are available until the validity elapses. And even if the session get regenerated it would still update the cookie. I’ll suggest you have it controlled else if you refresh that page a million times you would still have the same result sent as an output. It’s more like doing the same thing and expecting a better result. I could write you a snippet if you want. Hope this helps
=== My discovery ==
<?php
session_start();
define('NEWLINE', '<br><br>');
echo "cookie before delete session. <br>";
var_dump($_COOKIE);
echo NEWLINE;
echo "session Here <br>";
var_dump($_SESSION);
echo NEWLINE;
echo "------------------------<br>";
$_SESSION = array();
if (ini_get('session.use_cookies'))
{
$params = session_get_cookie_params();
echo "cookie already has PHPSESSID even before you set it here ..<br>";
// The solution i could arrive with
// without this PHPSESSID wouldn't give you a new id.
session_regenerate_id();
}
// now destroy
session_destroy();
echo "Cookie here would not change. Just refresh the page and try commenting session_regenerate_id() to see the difference. <br>";
var_dump($_COOKIE);
echo "Session when destroyed. <br>";
var_dump($_SESSION);
?>
See the documentation:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
… even if it did unset the session cookie, the $_COOKIES superglobal includes all the cookies that the browser sent when it made the request. It would require time travel for session_destroy to prevent the browser from sending them in the request that is currently being processed.
what I dont understand is, doesnt matter how many times I run this code the PHPSESSID property in the $_COOKIE superglobal is always exactly the same.
If you the session ID sent by the browser doesn't match an existing session, when you call start_session, then it still uses the same session ID for the new session.
session_regenerate_id forces the generation of a new id, start_session does not.
I tried to destroy all session variable by using the session_destroy() method, but after using this method, the values are not destroyed.
Why is session_destroy() not working?
Is there any other way to destroy the session in PHP?
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800))
{
session_destroy();
session_unset();
}
Perhaps is way too late to respond but, make sure your session is initialized before destroying it.
session_start() ;
session_destroy() ;
i.e. you cannot destroy a session in logout.php if you initialized your session in index.php. You must start the session in logout.php before destroying it.
After using session_destroy(), the session is destroyed behind the scenes. For some reason this doesn't affect the values in $_SESSION, which was already populated for this request, but it will be empty in future requests.
You can manually clear $_SESSION if you so desire ($_SESSION = [];).
If you need to clear the values of $_SESSION, set the array equal to an empty array:
$_SESSION = array();
Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much.
Try the following:
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
I had to also remove session cookies like this:
session_start();
$_SESSION = [];
// If it's desired to kill the session, also
// delete the session cookie.
// Note: This will destroy the session, and
// not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
Source: geeksforgeeks.org
Actually, it works, but you also need to do $_SESSION = array(); after the session_destroy to get rid of $_SESSION variables. However, avoid doing unset($_SESSION) because that makes sessions useless.
Well, this seems a new problem for me, using a new php server. In the past never had an issue with sessions not ending.
In a test of sessions, I setup a session, ran a session count++ and closed the session. Reloaded the page and to my surprise the variable remained.
I tried the following suggestion posted by mc10
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
However, that did not work. I did not think it could work as the session was not active after destroying it, so I reversed it.
$_SESSION = array();
session_destroy();
That worked, reloading the page starting sessios and reviewing the set variables all showed them empty/not-set.
Really not sure why session_destroy() does not work on this PHP Version 5.3.14 server.
Don't really care as long as I know how to clear the sessions.
session_destroy() is effective after the page load is complete. So in the second upload, the session is terminated. But with unset() you can also log out from within the page.
if you destroy the session on 127.0.0.1 it will not affect on localhost and vice versa
It works , but sometimes it doesn't (check the below example)
<?php
session_start();
$_SESSION['name']="shankar";
if(isset($_SESSION['name']))
{
echo $_SESSION['name']; // Outputs shankar
}
session_destroy();
echo $_SESSION['name']; // Still outputs shankar
Weird!! Right ?
How to overcome this ?
In the above scenario , if you replace session_destroy(); with unset($_SESSION['name']); it works as expected.
But i want to destroy all variables not just a single one !
Yeah there is a fix for this too. Just unset the $_SESSION array. [Credits Ivo Pereira]
unset($_SESSION);
Add session_start(); before !Doctype Declaration
<?php session_start(); ?>
<!doctype html>
<html>
<body>
<?php
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800))
{
session_destroy();
session_unset();
}
?>
</body>
</html>
Is it enough to
session_start(); // Must start a session before destroying it
if (isset($_SESSION))
{
unset($_SESSION);
session_unset();
session_destroy();
}
when the user selects Log out from a menu, but does not quit his browser? I want to totally remove all existence of the session and $_SESSION
According to the manual, there's more to do:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
The manual link has a full working example on how to do that. Stolen from there:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
I am at a total loss for words.
I allow an admin to reset their registration if reaching an error during the process. In theory, the following code should function like this:
page is reached, $adminvalidated is set based on session data. The $_SESSION array is cleared; the cookie is cleared on the consumer end; the session id is regnerated and the session is destroyed. Then the session is restarted and the previously mentioned variable is put back into Session.
the "echo" statements included below work but when I redirect to another page (commented out below), the session variables DO NOT carry over.
Yes I have started the session on the follow up page as well.
<?php
session_start();
ob_start();
if( $_SERVER['SERVER_PORT'] == 80) {
header('Location:https://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
die();
}
$adminvalidated = $_SESSION['ADMINVALIDATED'];
$_SESSION = array();
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_regenerate_id(true);
session_destroy();
session_start();
$_SESSION['ADMINVALIDATED'] = $adminvalidated;
echo $_SESSION['ADMINVALIDATED'];
/*
header("Location: ../a.php");
exit;*/
?>
In general it suffices to call session_regenerate_id(true) to change the session ID of the current session and invalidate the association with the previous session ID.
If you additionally want to clear any session data except $_SESSION['ADMINVALIDATED'], just do this:
session_regenerate_id(true);
$_SESSION = array(
'ADMINVALIDATED' => $_SESSION['ADMINVALIDATED']
);
From the manual page of session_start:
As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.
Just clear your session with session_unset, regenerate the session id and then reset your admin var. No need to destroy then restart the session.
I'm really not sure why you're going through all of these steps. session_regenerate_id() is enough on it's own to regenerate the session token and the associated cookie. The function creates a new session token and creates a new session cookie for you while preserving the values you have in the current session. Since setting a new cookie with the same name overwrites an old one isn't simply calling session_regenerate_id() enough?
Feel free to clarify things if I've missed something.