I have read many PHP tutorials for logout scripts, and I am wondering what could be the proper way to log out from a session!

Script 1

<?php
session_start();
session_destroy();
header("location:index.php");
?>

Script 2

<?php
session_start();
session_unset();
session_destroy();
header("location:index.php");
?>

Script 3

<?php
session_start();
if (isset($_SESSION['username']))
{
    unset($_SESSION['username']);
}
header("location:index.php");
?>

Is there any more effective way to do this? A session can always be created by logging back in, so should I bother about the use of session_destroy() and use unset($_SESSION['variable']) instead? Which one of the above 3 scripts is preferable?

+2  A: 

session_unset() only destroys the session variables. To end the session there is another function called session_destroy(), which also destroys the session.

Update:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Haim Evgi
`session_destroy()` doesn't touch the cookie. From the docs: `In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.` http://us3.php.net/manual/en/function.session-destroy.php
ircmaxell
Thanks, ircmaxell
Haim Evgi
+2  A: 

Personally, I do the following:

session_start();
setcookie(session_name(), '', 100);
session_unset();
session_destroy();
$_SESSION = array();

That way, it kills the cookie, destroys all data stored internally, and destroys the current instance of the session information (which is ignored by session_destroy).

ircmaxell
Does setcookie(session_name(), '', 100); posted by @ircmaxell have better behavior than the code which @Frxstrem has posted?
Idlecool
@Frxstrem's solution is more complete (since it takes into account the exact cookie params used). Use that one instead...
ircmaxell
Oh! I get it :)
Idlecool
+2  A: 

From the session_destroy() page in the PHP manual:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>
Frxstrem
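
Added example, not from any of the answers above: a CLI script that replays the old session ID after each logout style from the question (plus the manual's version) and reports what the server still stores and what `$_SESSION` still holds in the same request. The helper names `login` and `replay`, the sample user data and the use of the default file save handler in the system temp directory are assumptions made for the demonstration.

```php
<?php
// Added example, not from the answers. Run on the CLI: php logout_check.php
// Usernames and roles are constructed sample data.
session_save_path(sys_get_temp_dir());

function login(): string
{
    session_id(bin2hex(random_bytes(16)));     // fresh ID for every test run
    session_start();
    $_SESSION = ['username' => 'alice', 'role' => 'admin'];
    session_write_close();                     // persist, as at the end of a request
    return session_id();
}

function replay(string $id): array
{
    session_id($id);                           // what a kept or copied cookie would send
    session_start();
    $stored = $_SESSION;
    session_destroy();                         // clean up the test session file
    return $stored;
}

$styles = [
    'Script 1' => function () { session_destroy(); },
    'Script 2' => function () { session_unset(); session_destroy(); },
    'Script 3' => function () { unset($_SESSION['username']); },
    'Manual'   => function () {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    },
];

$report = [];
foreach ($styles as $name => $logout) {
    $id = login();
    session_id($id);
    session_start();                           // the logout request begins
    $logout();
    $inMemory = array_keys($_SESSION ?? []);   // what later code in this request sees
    if (session_status() === PHP_SESSION_ACTIVE) { session_write_close(); }
    $report[] = sprintf("%-8s in-request: [%s]  replayed ID: [%s]", $name,
        implode(',', $inMemory), implode(',', array_keys(replay($id))));
}
echo implode(PHP_EOL, $report), PHP_EOL;       // print last: earlier output would block headers
```

The CLI cannot show the browser side: whether the session cookie was actually removed has to be checked in the `Set-Cookie` response header of a real request.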