I get "Session object destruction failed" when I use session_destroy().
session_start();
if(isset($_SESSION['user_id'])){
$_SESSION=array();
if(isset($_COOKIE[session_name()])){
setcookie(session_name(),'',0,"/");
}
session_destroy();
}
What causes this error?
You can modify another users session (see below), although personally, I would recommend against it. As I imagine it can open up a whole world of session hijacking and other vulnerabilities.
With your example use case
A common user is logged, while in the same time an administrator uses the Admin functions and change some value for this user. If the value is not something obtained from the database every time, the session variable for that current logged in user need to have its value changed.
You would be better of updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load then when you update the user in the admin panel, you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load
But if you still want to modify another user's session, you can set your current session_id to the targets.
// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();
// Modify our target session
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();
// Start our old session again
session_id($my_session_id);
session_start();
EDIT
Example: https://www.samdjames.uk/session_example/index.php
Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e
Problem solved. The thing that i did was to empty the session and regenerate the id, then destroy it. I don't fully understand the problem, but it kinda does the job:
<?php
session_start();
if(isset($_SESSION['id_client']) && isset($_POST['ok'])){
$_SESSION=array();
session_regenerate_id();
session_destroy();
echo 1;
}
?>
Instead of setting the time in ini to a fixed length, remind that session timeout is reset on reload. So create some ajax code that does a request every 5 minutes or so to a file (image or smth). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.
This is explained in the Guide to Testing Rails Applications in section 4 "Functional Tests for your Controllers. The get action takes a params hash and a session hash, e.g.:
get(:show, {'id' => "12"}, {'user_id' => 5})
You should be able to pass in nil for the params hash in your example, then pass in your desired session parameters:
get :index, nil, {coupon: 'abcd'}
I recommend a thorough reading of the Rails guide for anyone using RSpec for Rails testing. rspec-rails leverages the existing Rails test classes, a point which is not made very clear in the rspec-rails docs.
Error:
It's rather trivial, no session
has been startedobject has been comitted, so you can't destroy it.The
@operator is not always active, e.g. with error reporting functions.Edit:
This error is normally caused when PHP tries to delete the session file, but it can't find it.
In your case with
session_destroythere is only one place in PHP which causes this. That's when thesession.save_handler(see as wellsession_set_save_handler) returnsFALSEfor the destroy action. This can depends which type of save-handler you use, the default one is files. With that one, when thesession.save_pathsetting is wrong (e.g. not an accessible directory), this would cause such an error.That depends how the output is created and on PHP configuration.
@does not always work. For example callbacks registered withset_error_handlerwill still receive these messages.