In my application, when the user logs out, I want to destroy all the current user's sessions. Do I unset each session used in the application and then call session_destroy() or just call session_destroy()?
Thank you!
session_destroy() does not destroy all user's sessions. You would need to write to a persistent storage media (database, text file, etc.) and then call session_destroy() to kill it's own session. Then, have all pages check it when they load. If it has some special command in it (for example, normal is 0, destroy command is 1), have them call session_destroy().
session_unset(): Remove all session vars. In the 1rst F5 no longer display the session variables.
session_destroy(): Delete the current session. In the 2dn F5 no longer display the session variables.
Therefore your logout.php script could be:
<?php
session_start();
...
// remove all session variables
session_unset();
// destroy the session
session_destroy();
// Redirect to home
header("Location: home.php");
exit();
The session_destroy() function should unset all sessions that you have set. So yes, you should only have to call that. You can test it by calling session_destroy() then trying to echo a session value, if it echoes then it's not worked, if an error of some description appears, then the session has successfully been destroyed.
Related
According to w3schools (https://www.w3schools.com/php/php_sessions.asp) to remove a session (log out) you should do it this way:
session_unset();
session_destroy();
But I don't understand why you'd have to unset all session variables first, wouldn't just session_destroy be enough?
You can find the following information on the official documentation (https://php.net) about session_destroy:
It does not unset any of the global variables associated with the session, or unset the session cookie.
source: http://php.net/manual/en/function.session-destroy.php
And the documentation of session_unset says the following:
The session_unset() function frees all session variables currently registered.
source: http://php.net/manual/en/function.session-unset.php
So with these informations you have to call the following to clear a session completely:
session_unset();
session_destroy();
You don't want to clear the whole session?
In case your are using a system to login and logout a user, you can also remove specific fields of the session using unset:
unset($_SESSION['username']);
unset($_SESSION['other_user_data']);
In this case you only remove data of the user and not data for other parts of your application not related to the user.
I have used session_destroy in MVC pattern.
If I click logout link, it will redirect correct url but page disappears. It is displaying the below error in Firefox.
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in
a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies."
This is the function I'm using for logout.
Logout function:(Not working)
public function Logout(){
session_destroy();
$this->redirect('index.php?r=admin/login');
}
I have unset($_SESSION['userName']) the session variable. It is working fine. But session_destroy is not working in that place.
What is the reason for that?
Logout function:(working)
public function Logout(){
unset($_SESSION['userName']);
$this->redirect('index.php?r=admin/login');
}
you can use another way to remove session like:-
$_SESSION = array(); // define it with empty array and clear the session values
or use start the session again and then destroy
session_start();
session_destroy();
For more :- why session_destroy() not working
and for better understanding you can read #Chen Asraf answer
From the PHP documentation of session_destroy:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
So in order to truly get rid of the session, you also have to unset or override the $_SESSION superglobal, like you did before.
I have a website in which I set several variables like
$_SESSION["id"]
$_SESSION["email"]
$_SESSION["role"]
When user clicks on logout should I use session_destroy() or unset all the variables,
it has no special impact on my site, but considering the fact that my sessions are stored on elastic cached with Redis?
I think unless I do session_destroy() the session will not be removed from Redis,(thus occupying memory)
Any help?
Use session_destroy() if you are using it as a logout link, it will get rid of all session data without really having to worry about it. Just remember you have to refresh or redirect because the variables are still set on that page after you use session_destroy
Source: Session unset, or session_destroy?
Depends on if you want to keep any other session data. I only use session_destroy() when I'm positive I want to wipe out the entire user session, otherwise I unset()
You can simply use session_destroy() function. Create a logout.php page and add the following code,
<?php
session_destroy();
header('Location: index.php');
?>
Then call this logout.php by adding links to these page,
Logout
This will destroy your session and re-direct to your index.php page.
Unset will destroy a particular session variable like unset($_SESSION['id']); whereas session_destroy() will destroy all the session data for that user.
I found on the Internet sometimes extended session_destroy, what I use:
function sessionDestroy()
{
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params['path'], $params['domain'],
$params['secure'], $params['httponly']
);
session_destroy();
}
When I log a user out of an app I am building I use session_destroy();
But when I go back to the page, all session variables are still set.
How can I completely destroy all session variables and ultimately require a user to log back in again?
Here is my code:
session_unset(); // clears all session variables
$_SESSION = array();
session_destroy(); // deletes session id
Thanks
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you need to clear the values of $_SESSION, set the array equal to an empty array:
Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much.Still if you are concerned .
Try the following:
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
you are not calling session_destroy() for sure, your code may be unable to access it.
Post more code so we could help you
In my working platform i endedup with a session_destroy problem
function logout()
{
$_SESSION['id'] = '';
session_destroy();
}
Here i unset the session id variable with a null value and uses the session_destroy() function to destroy the session.
But the problem is that after logged out from my account, when i press the back button of the browser it shows the status as logged in. Even i can browse through the profile and links of my account.
Thank you
you must unset session as well as destroy session to remove it completely from your system.
you can do it with php functions..
session_unset(); or you can use unset($_SESSION);
session_destroy();
it think you should try using session_unset()
In order to kill the session altogether, like to log the user out, the session id must also be unset.
If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that
<?php
session_start();
$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
session_unset();
session_destroy();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
?>
Try this:
unset($_SESSION);
session_destroy();
session_regenerate_id();
Instead of rolling your own session code and possibly missing something, try using Zend_Session:
http://framework.zend.com/manual/en/zend.session.html
The constructor of Zend_Session_Namespace will automatically call session_start(), and likewise the Zend_Session::destroy() method will clean everything up in a logout script. Most of the work has already been done for you.