How to unset the session in PHP Using Javascript?
+2
A:
You can't do it directly using JavaScript as the session is handled solely by the server; you'll need to do an Ajax call to a PHP script that unsets the session.
BoltClock
2010-06-17 09:26:17
If the cookies aren't HTTP only you could modify them with javascript right? If so, that would kill the session.
Graphain
2010-06-17 09:28:44
@Graphain: Good point. You'd still to send something to the server to let it know the cookie is gone though.
BoltClock
2010-06-17 09:54:03
@BoltClock technically, the server does not need to know the cookie is gone. If the session storage is not touched, it will be garbage collected after session.gc_maxlifetime seconds
Gordon
2010-06-17 10:04:41
If you don't know how to use cookies in PHP you should not be anywhere near sessions.
Graphain
2010-06-17 09:29:00
...this is the "dirty way" while BoltClock has the "clean way". Which one will you choose? ;-)
Palantir
2010-06-17 09:29:16
@Palantir Granted, it does not *immediately* unset the session on the server, but if the server cannot identify the session from the request anymore, the session will time out sooner or later.
Gordon
2010-06-17 09:57:40
@Gordon: I used the word "dirty" to imply a hack. If you create a session with session_start, you are supposed to kill it with a timeout, or a session_destroy, to be future-proof (in case something changes in the future versions of PHP, for example if they start using flash cookies instead of normal ones). You are overriding PHP's mechanism, so this is the reason I believe this is a hack. This said, killing the cookie will work for sure, unless he is passing PHP using SIDs on query strings, but who is doing that anyway? is PHP still falling back to it, if cookies are disabled?
Palantir
2010-06-17 11:51:11
@Palantir I wouldn't call it a hack. When the `session.cookie_lifetime` expires regularly it is not informing the server about that either. It's just gone, while the storage on the server is still there until it gets gc'd. just like `session_destroy()` would remove the session data but not unset the cookie. It just depends on what you wanna do: delete the session data or delete the link to it (or both).
Gordon
2010-06-17 12:33:09