Reputation: 30795
Why session_ destroy() is needed?
What does session_destroy() function do? To delete all session variables in global array $_SESSION I have to use session_unset(). To remove session from the client browser (delete session id and name) I have to unset cookies:
unset($_COOKIES[session_id()]);
unset($_COOKIES[session_name()]);
Why session_destroy() function is needed?
Upvotes: 5
Views: 559
Answers (1)
Reputation: 3151
session_destroy() ends the whole session, meaning it will be removed from PHP's session storage and can't ever be used again. If you'd only unset the session variables and cookies, the session would still be active server-side and could potentially be recycled if some session variables are set again and the cookie with the original session ID is sent to the client again.
To put it in another way: a session basically consists of a secret ID stored somewhere on the web server, together with session variables registered to that session. The session ID is sent to the client (usually as a cookie) so the client can be identified as 'owner' of the session on later requests. Assuming a session has already been created and has variables registered to it, here's an overview of what the functions do:
session_start()imports all session variables belonging to the session ID that the client sent from the session registry to the$_SESSIONarraysession_unset()or callingunset()on$_SESSIONvariables will clear all variables registered to the current session, but it will not clear the session itself- Unsetting the session cookie of the client will signal to the client that the session is over, but this will not remove the session from the session registry on the server either
session_destroy()is the only function that will actually purge the session from the session registry, thus literally 'destroying' the session
While session_destroy() will unregister all session variables, it won't clear the $_SESSION array in the script that's currently executing, so it's still a good idea to unset the session variables to prevent bugs and security issues.
On a related note, the PHP manual recommends not to use session_unset() but rather unset the keys from $_SESSION:
If
$_SESSION(or$HTTP_SESSION_VARSfor PHP 4.0.6 or less) is used, useunset()to unregister a session variable, i.e.unset($_SESSION['varname']);.
Upvotes: 11
Related Questions
- How to destroy the session cookie correctly with PHP?
- Do you need to use session_unset before session_destroy?
- Why PHP session destroys when clear browser's cookie
- session_destroy cannot destroy session php
- Why should we destroy session in php?
- obscurity about session_destroy
- php session_destroy() what does it actually do?
- What does session_destroy() do in PHP?
- PHP session_destroy and session scope?
- Why `session_destroy()` does not work in PHP?