Reputation: 183929
Consider the following code:
if (!session_id())
    session_start();    // start a new session, or resume the one whose id the browser sent
echo session_id();
session_destroy();      // removes the stored data; session_id() still returns the old id in this request
How come every time I refresh this page it shows the same session id, even though the session gets destroyed and recreated each time? Isn't the session id cleared upon session destruction?
I've used this updated code, based on the favourite answer; however, the session id STILL persists! Any ideas?
if (!session_id())
    session_start();    // start a new session, or resume the one whose id the browser sent
echo session_id();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
Upvotes: 1
Views: 1160
Reputation: 2260
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
The manual comes with a code example:
Example #1 Destroying a session with $_SESSION
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
** Update **
PHP Version 5.3.6-13 Linux lime 3.0.0-1-686-pae #1 SMP Wed Aug 17 04:28:34 UTC 2011 i686
Apache/2.2.19 (Debian)
Session Settings (phpinfo)
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php5 /var/lib/php5
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
So. The following settings result in the same problem, if, and only if, I'm sending the session id as a request parameter: localhost?PHPSESSID=whatever
ini_set('session.auto_start', 'on');
ini_set('session.use_trans_sid', 'on');
ini_set('session.use_cookies', 'off');
ini_set('session.use_only_cookies', 'off');

session_start();    // session.auto_start is PHP_INI_PERDIR and cannot be switched on with ini_set(), so start explicitly
echo session_id();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
IMPORTANT: these settings are vulnerable to Session Hijacking [Session fixation]
Upvotes: 6
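The answer above covers two things: the full teardown the manual prescribes (clear `$_SESSION`, expire the cookie, then `session_destroy()`), and the fixation risk of accepting a session id from the query string. The following is an added example, not code from the question, the answers or the PHP manual, that puts both into two functions; the names `secure_logout` and `on_successful_login` are my own, and it assumes PHP 5.5.2 or later for `session.use_strict_mode`.

```php
<?php
// Added example: full logout plus fixation-resistant login (names are my own).

// Hardening: take the id only from the cookie, never from the URL, and let PHP
// reject ids it did not issue itself (use_strict_mode needs PHP >= 5.5.2).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

function secure_logout()
{
    if (session_id() === '') {
        session_start();
    }

    // 1. Forget the data for this request.
    $_SESSION = array();

    // 2. Expire the cookie so the browser stops sending the old id. Without this
    //    step the next session_start() simply resumes the same id, which is what
    //    the question observed: session_destroy() alone never touches the cookie.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side record. session_id() still returns the old value
    //    after this call; only the next session_start() hands out a fresh one.
    session_destroy();
}

function on_successful_login($userId)
{
    if (session_id() === '') {
        session_start();
    }
    // Replace whatever id the client arrived with (it may have been chosen by
    // someone else, e.g. via ?PHPSESSID=...) before storing privileged state.
    // The `true` argument deletes the old session file as well.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $userId;
}
```

Regenerating the id at login is what makes a pre-chosen `PHPSESSID` worthless to its chooser, and the cookie deletion in `secure_logout()` is what finally changes the id the asker kept seeing on refresh.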
Reputation: 50982
It does not destroy your session ID,
so you'd use just
echo session_id();
Upvotes: 0