niczak

Reputation: 3917

Truly destroying a PHP Session?

I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?

session_start();
if (isset($_SESSION['foo'])) {
   unset($_SESSION['foo']);
   // ...
}
session_destroy();

In the most simple of cases, would this be sufficient to truly terminate the session between the user and the server?

Upvotes: 19

Views: 22917

Answers (4)

zloctb

Reputation: 11177

session_start();                  // session_destroy() requires an active session
$_SESSION = [];                   // drop the session data for the rest of this request
unset($_COOKIE[session_name()]);  // clears the value from this request's superglobal only (no Set-Cookie is sent)
session_destroy();                // delete the server-side session record

Upvotes: -1

Gumbo

Reputation: 655219

To destroy a session you should take the following steps:

  • delete the session data
  • invalidate the session ID

To do this, I’d use this:

session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends a Set-Cookie with an expiry in the past to invalidate the session cookie;
// path, domain, secure and httponly must match the original cookie or the browser keeps it
if (isset($_COOKIE[session_name()])) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
// removes the server-side session record
session_destroy();

And to be sure that the session ID is invalid, you should only allow session IDs that were initiated by your script. So set a flag and check if it is set:

session_start();
if (!isset($_SESSION['CREATED'])) {
    // invalidate old session data and ID
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:

if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Upvotes: 45
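The three snippets in the answer above combined into one start/login/logout flow, as an added example that is not code from the original question or from any of the answers. It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(); the function names, the 'CREATED' and 'user_id' keys and the 30-minute rotation window are this example's own choices, not anything the page prescribes:

```php
<?php
// Added example, not from the question or answers: complete session start,
// login and teardown built from the steps in the answer above. Function
// names, the 'CREATED'/'user_id' keys and the rotation window are assumptions.

declare(strict_types=1);

const SESSION_ROTATE_AFTER = 1800; // seconds; an assumed policy, not a PHP default

// Start a session with hardened cookie attributes and reject any ID that this
// application did not issue (a client-supplied, never-seen ID is replaced).
function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie lives until the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!isset($_SESSION['CREATED'])) {
        // Unknown or attacker-chosen ID: discard it and start fresh.
        session_regenerate_id(true);
        $_SESSION = ['CREATED' => time()];
    } elseif (time() - $_SESSION['CREATED'] > SESSION_ROTATE_AFTER) {
        // Periodic rotation limits how long a leaked ID stays useful.
        session_regenerate_id(true);
        $_SESSION['CREATED'] = time();
    }
}

// Called after successful authentication: issue a new ID so that an ID fixed
// by an attacker before login never becomes an authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['CREATED'] = time();
}

// Full teardown: in-memory data, the browser's cookie, and the server-side record.
function destroy_app_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    // 1. Clear the data for the remainder of this request.
    $_SESSION = [];

    // 2. Expire the cookie with the same attributes it was set with; a
    //    mismatched path or domain would leave the original cookie in place.
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Remove the server-side record; the old ID now resolves to nothing.
    session_destroy();
}

// Usage: a POST-only logout endpoint (POST so a cross-site GET cannot log the user out).
start_app_session();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['logout'])) {
    destroy_app_session();
    header('Location: /', true, 303);
    exit;
}
```

Two practical notes: session_destroy() alone neither clears $_SESSION for the current request nor sends a Set-Cookie, which is why steps 1 and 2 exist; and with `session.use_strict_mode = 1` in php.ini PHP itself refuses to adopt an uninitialised ID sent by the client, which is the built-in counterpart of the 'CREATED' check above (the check still has to run with strict mode off).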

Eli

Reputation: 99368

The PHP Manual addresses this question.

You need to kill the session and also remove the session cookie (if you are using cookies).

See this page (especially the first example):

https://www.php.net/manual/en/function.session-destroy.php

Upvotes: 1

Alnitak

Reputation: 339796

In the one site I've made where I did use PHP sessions, I never actually destroy the session.

The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.

Hence on my site I just made sure that every page called session_start(), and then just unset() those parts of the session state that matter when the user logs off.

Upvotes: 0
