There are lots of pages on Stack Overflow about destroying a session. Trust me, I have been reading them all and I came across this: Why does my session remain?
My question is simple, is it really true that I need to do all of the below just to properly destroy a session?
$tmp = session_id();
session_destroy();
session_id($tmp);
unset($tmp);
This is the only page that suggests such extreme measures. Most pages just suggest session_destroy();.
Just to clarify, because there seems to be some confusion: I am looking for the most efficient method that is effective.
Thanks in advance.
New answers have stopped coming in so I am putting in what I learnt based on all of the answers. This is an aggregation of the various answers. Hopefully it will help others. The most efficient method that is 100% effective for destroying a session is listed below:
if (ini_get("session.use_cookies"))
{
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
$_SESSION = array();
$tmp = session_id();
session_id($tmp);
unset($tmp);
session_unset();
session_destroy();
session_write_close();
session_regenerate_id(True); // true indicates the need to delete the old session
Thanks to everyone for their help showing me how to do this. This was not a single-person effort. I would particularly like to thank #Kerrek SB, #Uday #Dhruvisha. If you have more suggestions please feel free to add comments and I will edit my answer.
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Example Destroying a session with $_SESSION
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
Please see here for more details.
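What the manual excerpt above says session_destroy() does and does not do, as an added PHP CLI demonstration (not code from the thread or the manual). The function name observe_destroy, the sample value and the temp-directory save path are assumptions, and it assumes the default "files" session handler.

```php
<?php
// Added demonstration for the PHP CLI (php demo.php); not code from the thread.
// Cookies are off so the CLI needs no headers, and output is printed only at
// the end because session settings cannot be changed once output has started.
ini_set('session.use_cookies', '0');
ini_set('session.use_strict_mode', '0');      // lets us re-open a known id below
session_save_path(sys_get_temp_dir());        // assumes the default "files" handler

function observe_destroy(): array
{
    // "Request 1": create a session and store something in it.
    session_start();
    $id   = session_id();
    $file = session_save_path() . '/sess_' . $id;   // file name used by the files handler
    $_SESSION['user'] = 'alice';                    // constructed sample data
    session_write_close();                          // flush to the session file
    $seen = ['file_exists_before_destroy' => file_exists($file)];

    // "Request 2": resume the same session, then destroy it.
    session_id($id);
    session_start();
    $seen['loaded_user'] = $_SESSION['user'] ?? null;
    session_destroy();
    clearstatcache();                               // file_exists() caches its result
    $seen['file_exists_after_destroy'] = file_exists($file);
    $seen['array_after_destroy']       = $_SESSION; // the manual: globals are not unset
    $seen['session_id_after_destroy']  = session_id();

    // The step session_destroy() leaves to the script.
    $_SESSION = [];

    // "Request 3": a client that still presents the old id.
    session_id($id);
    session_start();
    $seen['data_under_old_id'] = $_SESSION;
    session_destroy();                              // remove the file this re-open created
    return $seen;
}

print_r(observe_destroy());
```

In a web request the browser still holds the session cookie after session_destroy(), which is why the manual example also expires it with setcookie().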
<?php
session_start();
$s_id = session_id();
echo $s_id;
session_destroy();
session_unset();
session_start();
session_regenerate_id(true);
$s_id = session_id();
?>
Try this. It will work.
Related
!!!! I know this has been asked a zillion times but I tried everything, it just does not work, so don't discard the question please
When logging from one user to the other, sessions are not discarded at all and former user data are displayed.
I have to CTRL+F5 the navigator to have the correct new logged user data.
I tried:
Programmatically I replace everything in the session variable with fresh new data from the new logged user (from DB), but some fields are still remains of the previous user... this makes no sense at all
$_SESSION = array();
unset($_SESSION["end_user_session"]);
$session=$endUser; // from DB !!!!
$session["sessionID"]=session_id();
$_SESSION["end_user_session"] = $session;
On logout, I do this and it should destroy the session values, yet they are still there:
$_SESSION = array();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
$_SESSION = array();
This has driven me nuts for more than 2 years now.
We have the issue in WAMP, and on our Linux preprod/prod.
Please help, let me know if you need more info.
You have probably tried this (it's in the PHP manual), but just in case:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
I now store everything in the DB, not using PHP sessions anymore.
Problem solved.
When I signout, I call the following to destroy the session. It works in other browsers but in Chrome, the session is still there.
session_unset();
session_destroy();
Please help if there's a special way to do it in Chrome and other browsers.
When in doubt, check the manual:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
The session is stored on the server - it has nothing to do with the browser (in the browser there could be only a cookie with the session id or something like that).
My PHP session seems to not be unsetting. When I return to the home page after clicking logout, if I refresh the page again then it seems to log me back in.. as if the session never actually ended. The same occurs if I leave the page and re-visit it. Here is my logout.php page:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
header("Location: index.php");
?>
I really have no idea why it's doing this, any help would DEFINITELY be appreciated. If you need any more information I'd be happy to provide some. Thanks!
You can use below code in your logout.php
session_start();
unset($_SESSION['var_name']); // delete just the var_name session data
session_destroy(); // delete ALL session info/Data.
In our website, we have applied lots of session variables. After setting, we shall unset them to free the server resources.
Apart from unsetting each session one by one, would there be any function that can check a website for session variables that have not been unset yet?
Thank you.
To unset a single record, use
unset($_SESSION['varname']);
To clear a full session, use
session_destroy();
A session is removed automatically, when it is not accessed for a while (configurable via php.ini). Because of this it is not required to remove orphaned session data yourself.
This can be done with session_destroy();
http://www.php.net/manual/en/function.session-destroy.php
You need session_destroy();
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>
Also unset the cookie created by the session!
Is it enough to
session_start(); // Must start a session before destroying it
if (isset($_SESSION))
{
unset($_SESSION);
session_unset();
session_destroy();
}
when the user selects Log out from a menu, but does not quit his browser? I want to totally remove all existence of the session and $_SESSION
According to the manual, there's more to do:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
The manual link has a full working example on how to do that. Stolen from there:
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
?>