
Got it from php.net, but I am not sure: is this how everybody destroys all sessions?

// Unset all session variables
$_SESSION = array();

// Expire the session cookie so the browser stops sending the old ID
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}

// Finally, destroy the session container on the server
session_destroy();

Will this code destroy all the sessions? Is it the most common way? How do you guys destroy PHP sessions?

Oh yeah, btw, what is that session_name()? All session names? e.g. $_SESSION['var1'], $_SESSION['var2'], ... ?

I don't need to use unset($_SESSION['var1']); anymore, right?

What's the difference between using session_destroy() and unset($_SESSION[])?

Answers

1

You should first know what sessions are: you can consider a session as a data container on the server side that's associated with a random identifier, the session ID. That session ID needs to be provided by the client so that the server can load the data associated with that session ID (and thus with that session) into the $_SESSION variable. Everything in that $_SESSION variable is also called the session variables of the currently active session.

Now to your questions:

Will this code destroy all the sessions? Is it the most common way? How do you guys destroy PHP sessions?

The provided code just deletes the session data of the current session. The $_SESSION = array(); statement will simply reset the session variable $_SESSION so that future accesses to the session variable $_SESSION will fail. But the session container itself is not deleted yet. That will be done by calling session_destroy.

See also Truly destroying a PHP Session?

Oh yeah, btw, what is that session_name()? All session names? e.g. $_SESSION['var1'], $_SESSION['var2'] ... ?

The session_name is just used to identify the session ID parameter passed in a cookie, in the URL's query string or via a POST parameter. PHP's default value is PHPSESSID. But you can change it to whatever you want.

I don't need to use unset($_SESSION['var1']); anymore, right?

No. The initial $_SESSION = array(); deletes all the session data.

What's the difference between using session_destroy and unset($_SESSION[])?

session_destroy will delete the whole session container, while unset or resetting the $_SESSION variable will only delete the session data for the current runtime.

Friday, October 21, 2022
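A complete logout routine that applies the three steps discussed above (reset $_SESSION, expire the cookie with the attributes it was issued with, destroy the container), plus the matching login step that issues a fresh ID. This is an added example, not code from the question or the answer; the loginUser() helper and its caller's credential check are assumptions.

```php
<?php
// Added example: full logout/login lifecycle for a PHP session.
declare(strict_types=1);

function destroyCurrentSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all session variables for this request. This alone does not
    //    remove the container held by the session handler.
    $_SESSION = [];

    // 2. Expire the session cookie using the same attributes it was set with;
    //    a cookie deleted with a different path/domain is simply a second cookie,
    //    and the browser keeps sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Remove the server-side container identified by the current ID.
    session_destroy();
}

function loginUser(int $userId): void
{
    // Assumption: the caller has already verified the user's credentials.
    // Issue a new ID before storing privileged state, so an ID that was
    // observed or fixed before login no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// logout.php (hypothetical endpoint):
// destroyCurrentSession();
// header('Location: /login');
// exit;
```

The options-array form of setcookie() and the samesite key from session_get_cookie_params() require PHP 7.3 or later.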
1

You can modify another user's session (see below), although personally I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged in, while at the same time an administrator uses the Admin functions and changes some value for this user. If the value is not something obtained from the database every time, the session variable for that currently logged-in user needs to have its value changed.

You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.

But if you still want to modify another user's session, you can set your current session_id to the target's.

// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();

// Modify our target session ($target_id holds the other user's session ID)
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();

// Start our old session again
session_id($my_session_id);
session_start();

EDIT

Example: https://www.samdjames.uk/session_example/index.php

Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e

Monday, December 5, 2022
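The session_hash approach the answer recommends, worked through on both sides: the admin update writes the hash, and every request compares it against the copy cached in the session, refreshing stale data or ending the session when the account was deactivated. This is an added example, not the answer's code; the users table (columns id, role, is_active, session_hash) and the PDO connection are assumptions.

```php
<?php
// Added example: invalidate cached session data via a per-user hash in the DB,
// instead of opening another user's session container.
declare(strict_types=1);

function profileHash(string $role, bool $isActive): string
{
    // Hash only the fields whose change must be reflected immediately.
    return hash('sha256', $role . '|' . ($isActive ? '1' : '0'));
}

// Admin side: update the user and record the new hash in the same statement.
function adminUpdateUser(PDO $db, int $userId, string $role, bool $isActive): void
{
    $st = $db->prepare(
        'UPDATE users SET role = ?, is_active = ?, session_hash = ? WHERE id = ?'
    );
    $st->execute([$role, (int) $isActive, profileHash($role, $isActive), $userId]);
}

// Request side: call once per page after session_start(). At login, store the
// row's session_hash in $_SESSION['profile_hash'] the same way as below.
// Returns true when the session may continue, false when it was ended.
function enforceSessionHash(PDO $db): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $st = $db->prepare('SELECT role, is_active, session_hash FROM users WHERE id = ?');
    $st->execute([$_SESSION['user_id']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Unknown or deactivated user: end the session rather than trust stale data.
    if ($row === false || !$row['is_active']) {
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // hash_equals() compares in constant time and tolerates a missing cached hash.
    if (!hash_equals((string) $row['session_hash'], $_SESSION['profile_hash'] ?? '')) {
        // Profile changed since login: refresh the cached copy from the DB.
        $_SESSION['role']         = $row['role'];
        $_SESSION['profile_hash'] = (string) $row['session_hash'];
    }
    return true;
}
```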
 
1

But I am really confused about my main problem: which way is proper for a "remember me" feature? Using cookies/session/database?

HTTP is a stateless protocol. An authentication token must persist to keep the state. The proper way is to use a session. Now, how do you track the session? It's up to you. But cookies are not bad.

In the session you can save a hash created from different browser criteria (user agent, OS, screen resolution etc.) to check if the token is from the same environment. The more criteria you save, the harder it'll be to hijack. Btw, you need JavaScript to grab this extra information every time.

Saturday, October 8, 2022
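The environment-hash check described above, done with what the server can see without JavaScript (request headers only) and wired into session start. This is an added example, not the answer's code; the FINGERPRINT_SALT constant is a placeholder and the cookie flags assume the site is served over HTTPS.

```php
<?php
// Added example: bind a session to a hash of the client environment and
// re-check it on every request.
declare(strict_types=1);

const FINGERPRINT_SALT = 'replace-with-a-per-deployment-secret'; // placeholder

function clientFingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        // Deliberately no client IP: mobile networks and proxies change it
        // mid-session and would log legitimate users out.
    ];
    // Keyed hash so the stored value is not a plain digest of public headers.
    return hash_hmac('sha256', implode("\n", $parts), FINGERPRINT_SALT);
}

function startBoundSession(): void
{
    session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => true,   // assumes HTTPS
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // reject IDs the server did not create
    ]);
    $fp = clientFingerprint($_SERVER);

    if (!isset($_SESSION['fp'])) {
        // First request of a new session: record the environment.
        $_SESSION['fp'] = $fp;
        return;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // Same ID presented from a different environment. Issue a new ID,
        // delete the old container and keep nothing from it, so whoever holds
        // the original cookie is left with a session that no longer exists.
        session_regenerate_id(true);
        $_SESSION = ['fp' => $fp];
    }
}
```

A user-agent change on a browser update will also trip the check; the cost is one forced re-login, which is the intended failure mode.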
 
5

Instead of setting the time in ini to a fixed length, remember that the session timeout is reset on reload. So create some Ajax code that does a request every 5 minutes or so to a file (an image or something). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Saturday, November 5, 2022
 
2

After working on this some more, I have come up with a simple but complete example of how to use the latest History.js. Here is a working jsfiddle example that does Ajax loads of HTML fragments hosted on GitHub:

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <title>Simple History.js Ajax example by dansalmo</title>

    <script type="text/javascript" src="http://code.jquery.com/jquery-1.8.2.js"></script>
    <script type="text/javascript" src="http://balupton.github.com/history.js/scripts/bundled/html4+html5/jquery.history.js"></script>

    <style type='text/css'>
      .hidden {
        display: none;
        visibility: hidden;
      }
    </style>
  </head>
  <body>
    <a href="/home">Home</a>
    <a href="/about">About</a>
    <a href="/contact">Contact</a>
    <a href="/other">Other</a>

    <p>The whole page will not re-load when the content below is updated, yet the URL is clean and the back button works!</p><br />
    <div id="content">
      <div id="home">Home Page content</div>
    </div>
    <br />
    <p>The content div will be updated with a selected div fragment from an HTML file hosted on github, however the browser will see each content update request as a part of the page history so that the back button can be used.</p>
    <br />
    <p>Adding more menu items is as simple as adding the new links and their corresponding html fragments.</p>
    <div id="hidden_content" class="hidden"></div>

    <script type='text/javascript'>//<![CDATA[
    $(function(){
      var History = window.History;
      if (History.enabled) {
        var State = History.getState();
        // set initial state to first page that was loaded
        History.pushState({urlPath: window.location.pathname}, $("title").text(), State.urlPath);
      } else {
        return false;
      }

      var loadAjaxContent = function(target, urlBase, selector) {
        // jQuery .load() with "url selector" fetches the page and inserts only the matching fragment
        $(target).load(urlBase + ' ' + selector);
      };

      var updateContent = function(State) {
        var selector = '#' + State.data.urlPath.substring(1);
        if ($(selector).length) { // content is already in #hidden_content
          $('#content').children().appendTo('#hidden_content');
          $(selector).appendTo('#content');
        } else {
          $('#content').children().clone().appendTo('#hidden_content');
          loadAjaxContent('#content', State.url, selector);
        }
      };

      // Content update and back/forward button handler
      History.Adapter.bind(window, 'statechange', function() {
        updateContent(History.getState());
      });

      // navigation link handler
      $('body').on('click', 'a', function(e) {
        var urlPath = $(this).attr('href');
        var title = $(this).text();
        History.pushState({urlPath: urlPath}, title, urlPath);
        return false; // prevents default click action of <a ...>
      });
    });//]]>
    </script>
  </body>
</html>
Friday, September 9, 2022