Reputation: 181
obscurity about session_destroy
i have searched and searched and read and read a lot about what exactly session_destroy does ! but no result at least for me ! first read the details below :
When a session is created (session_start) a file is created with a unique identifier that is given to the user as a cookie, when variables in the $_SESSION array are modified or added the temporary file is updated with that information so that it can be used somewhere else on the website.*
session_destroy* will delete this file, this is commonly done for when a user logs out of your website so that the (now useless and unnecessary) file isn't taking up space.
we know that session id is stored in session cookie and as the tutorials say , session destroy removes the session cookie file (that includes session_id ) so why when i started a new session it didn't generate a new id ! it makes me confused ! look at the example :
<?php
session_start();
echo session_id();
session_destroy();
session_start();
echo "---".session_id();
?>
result : l4k80dkrl5kd6cdlobhbu5s3i1---l4k80dkrl5kd6cdlobhbu5s3i1
so it gives me the session id same as the previous one .
so what does session_destroy really do !! ?
thanks in advance
Upvotes: 2
Views: 207
Answers (2)
Reputation: 1770
You are almost correct about what you have said, BUT if you destroy the session and the script ends in PHP, thats the time file is deleted. If you just try to destroy and create it again, it uses the same file/session ID.
Its not only the file that is created, but also the file contains all the data you are storing in the session. Have a look at your session data in your server, its very interesting.
Update More interesting things you can do. Write a PHP file
<?php
session_start();
sleep(29000);//delete the session after 29 seconds
session_destroy();
?>
Now have a look at the session file, it should be deleted after 20 seconds.
Do
<?php session_start(); ?>
and go to google chrome, and remove the cookie manually from there. The session won't be available anymore.
<?php session_destroy(); ?>will not destroy the cookies on the client side. Next time you create a session, it will just use the same old information. This is the prime reason of your question.
Do file1:
<?php session_start(); $_SESSION['test'] = "A"; ?>
file2:
<?php session_start(); $_SESSION['test'] = "B"; ?>
resultFile:
<?php session_start(); echo $_SESSION['test']; ?>
Now from two computers, access your website with file1 on one computer and file2 on another. From google chrome, switch their cookie information and see how session A is assigned to B and B is assigned to A.
Upvotes: 1
Reputation: 5760
From PHP documentation:
It does not unset any of the global variables associated with the session, or unset the session cookie.
So after session_destroy() the cookie that holds the session id is still alive, and just the session file will be deleted. So start_session() tries to find the file for the session id in the cookie, and it fails of course, and it just creates a new empty file for that. So your id does not change.
If you really want to change that, try to delete the cookie.
Upvotes: 2
Related Questions
- How to destroy the session cookie correctly with PHP?
- Truly destroying a PHP Session?
- Why PHP session destroys when clear browser's cookie
- session_destroy cannot destroy session php
- php session and cookies destroy
- php session_destroy() what does it actually do?
- session_destroy() does not destroy $_SESSION datas?
- What does session_destroy() do in PHP?
- Page brings back old session after session_destroy
- Why session_ destroy() is needed?