tags:

views:

1344

answers:

3

I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?

session_start();
if(isset($_SESSION['foo']))
  unset($_SESSION['foo'];
//etc
session_destroy();

In the most simple of cases, would this sufficient to truly terminate the session between the user and the server?

  • Nicholas
A: 

In the one site I've made where I did use PHP sessions, I never actually destroy the session.

The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.

Hence on my site I just made sure that every page called session_start(), and then just unset() those parts of the session state that matter when the user logs off.

Alnitak
Thanks for input Alnitak, this is what I suspected with calling session_start() on every page. I'll just continue to unset the variables as they are used.
Nicholas Kreidberg
+1  A: 

Hi,

The PHP Manual addresses this question.

You need to kill the session and also remove the session cookie (if you are using cookies).

See this page (especially the first example):

http://us2.php.net/manual/en/function.session-destroy.php

Eli
+1  A: 

To destroy a session you should to the following steps:

  • delete the session data
  • invalidate the session ID

To do this, I’d use this:

session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIES[session_name()])) { 
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
}
session_destroy();

And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:

session_start();
if (!isset($_SESSION['CREATED'])) {
    // invalidate old session data and ID
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

You can use this timestamp additionally to swap the session ID periodically to reduce its lifetime:

if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}
Gumbo
Great feedback, thank you Gumbo.
Nicholas Kreidberg