Reputation: 135
I only store logged users id in SESSION.
When a user logs out, SESSION becomes useless for me. Do I have to destroy it?
These are the methods of Utils class which I am using to start and destroy SESSION.
```php
<?php
class Utils
{
    // Start a session only if none is active yet.
    static function sessionSecureStart()
    {
        if (session_status() == PHP_SESSION_NONE) {
            session_start();
        }
    }

    // Clear the session data and destroy the session only if one is active.
    static function sessionSecureDestroy()
    {
        //Utils::sessionSecureStart(); This part is for testing only
        if (session_status() == PHP_SESSION_ACTIVE) {
            $_SESSION = [];
            session_destroy();
        }
    }
}
```
Sometimes, randomly, I get errors/warnings like "SESSION could not be destroyed...".
Am I doing something wrong?
(I am using PHP/5.5.25)
Upvotes: 2
Views: 697
Reputation: 2546
When a user logs out, SESSION becomes useless for me. Do I have to destroy it?
Yes. Besides destroying it, it's also helpful to generate a new session ID.
Sometimes randomly I get errors/warnings like SESSION could not be destroyed.... Am I doing something wrong?
You cannot destroy a session that hasn't been started. Make sure you have successfully initiated your session with session_start(); before trying to destroy it.
Upvotes: 0
Reputation: 31654
You don't have to destroy the whole session, just unset the parts you don't need. Let's say that when a user logs in you set $_SESSION['user_id'], and everything that says "I am logged in" is looking for that variable. A simple unset($_SESSION['user_id']); and suddenly the user is logged out. Remember, your user doesn't have control over what's in the session.

Another option is to set the session cookies to very low lifetimes. It's cruder but just as effective.
Upvotes: 2
Reputation: 489
I highly advise you to destroy the session, for both security and performance.

Normally session data is saved in temporary files on the server and in a cookie on the browser; this cookie only contains the session ID but no data.

When you call session_destroy() you delete this file, but you might also tell the browser to delete the session cookie (by sending a cookie with the same name which expires in the past). You can get the name by calling the session_name() function (normally it's PHPSESSID).
Upvotes: 0
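Putting the answers together (regenerate the ID on login, and on logout clear the data, expire the browser cookie named by session_name(), then destroy the server-side file), here is an added example that is not code from the question or from any of the answers. The class name SessionUtils and its method names are assumptions; it relies only on the standard PHP session functions.

```php
<?php
// Added example (not from the question or answers). Plain PHP session extension, 5.5+.
class SessionUtils
{
    // Start a session exactly once.
    public static function start()
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }

    // On login, issue a fresh session ID so an ID handed out before
    // authentication is not carried over into the authenticated session.
    public static function login($userId)
    {
        self::start();
        session_regenerate_id(true); // true: also delete the old session file
        $_SESSION['user_id'] = (int) $userId;
    }

    public static function isLoggedIn()
    {
        return session_status() === PHP_SESSION_ACTIVE && isset($_SESSION['user_id']);
    }

    // Full logout: clear server-side data, expire the cookie in the browser,
    // then destroy the session file. Guarded so it never calls session_destroy()
    // on a session that was not started (the warning the question describes).
    public static function logout()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            // Same name/path/domain/flags as the original cookie, with an expiry in the past.
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}
```

Call logout() at the top of the logout endpoint before any output is sent, since the expiring Set-Cookie header can only be emitted while headers are still open.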