
I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?

session_start();
if(isset($_SESSION['foo'])) {
   unset($_SESSION['foo']);
   ...
}
session_destroy();

In the most simple of cases, would this be sufficient to truly terminate the session between the user and the server?

Answers

5

To destroy a session you should take the following steps:

  • delete the session data
  • invalidate the session ID

To do this, I’d use this:

session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIE[session_name()])) {
    $params = session_get_cookie_params();
    // expire the cookie with the same attributes it was set with, so the browser actually replaces it
    setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy();

And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:

session_start();
if (!isset($_SESSION['CREATED'])) {
    // invalidate old session data and ID
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:

if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Thursday, August 18, 2022
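The two halves of the answer above (a full logout that clears data, cookie and server-side storage, and a CREATED marker that rejects session IDs the application did not issue and rotates them periodically) as one added example. This is not the answer's own code; the function names, the `SESSION_ROTATE_AFTER` constant and its value are assumptions, and the array form of `setcookie()` and the `samesite` key from `session_get_cookie_params()` require PHP 7.3 or later.

```php
<?php
// Added example, not code from the answer. Assumes the default PHP session
// handler and PHP >= 7.3. Names and the rotation interval are hypothetical.

declare(strict_types=1);

// Rotate the session ID after this many seconds (hypothetical value).
const SESSION_ROTATE_AFTER = 1800;

/**
 * Start (or resume) a session and make sure its ID was issued by this
 * application. An ID that arrives without the CREATED marker is replaced,
 * so a value planted in the cookie by someone else never becomes a live
 * session (session fixation).
 */
function start_validated_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Refuse IDs the server never generated itself.
        ini_set('session.use_strict_mode', '1');
        session_start();
    }

    if (!isset($_SESSION['CREATED'])) {
        // Unknown or brand-new ID: discard it and start from a fresh one.
        session_regenerate_id(true);
        $_SESSION['CREATED'] = time();
        return;
    }

    // Periodic rotation limits how long a leaked ID stays usable.
    if (time() - $_SESSION['CREATED'] > SESSION_ROTATE_AFTER) {
        session_regenerate_id(true);
        $_SESSION['CREATED'] = time();
    }
}

/**
 * Log the user out: wipe the data for this request, expire the cookie in
 * the browser, and remove the server-side storage for the ID.
 */
function destroy_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // session_destroy() only works on an active session.
        session_start();
    }

    // 1. Delete the session data for the rest of this request.
    $_SESSION = [];

    // 2. Invalidate the cookie: same attributes, expiry in the past.
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // 3. Remove the server-side session file/record for this ID.
    session_destroy();
}

// Typical use (hypothetical layout): every page calls
// start_validated_session() first; logout.php calls destroy_session()
// and then redirects so the old page is not re-rendered with stale data.
if (PHP_SAPI !== 'cli' && basename($_SERVER['SCRIPT_NAME'] ?? '') === 'logout.php') {
    destroy_session();
    header('Location: /');
    exit;
}
```

`session_regenerate_id(true)` deletes the old server-side record, so after rotation the previous ID is dead rather than merely unused; combined with `session.use_strict_mode`, a client presenting an old or made-up ID gets a fresh empty session instead of the one it asked for.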
4

You know that you've got to write session_start() before you use the $_SESSION variable in any request, right? It looks like you haven't put it in index.php anywhere.

Friday, December 16, 2022
4

No, it is not valid code. It will destroy the session at the time of loading the PHP page.

To destroy the session on click, you should write

<a href="logout.php" >Logout</a>

in logout.php

// the session has to be active before it can be destroyed
session_start();
session_destroy();

Saturday, September 17, 2022
 
1

CodeIgniter has a session class that does not utilize native PHP sessions.

Friday, August 5, 2022
 
gremash
 
5

Instead of setting the time in ini to a fixed length, remember that the session timeout is reset on reload. So create some AJAX code that does a request every 5 minutes or so to a file (an image or something). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Saturday, November 5, 2022
 