PHP: session_destroy

Opis

bool session_destroy ( void )

session_destroy() niszczy wszystkie dane skojarzone z bieżącą sesją. Nie usuwa żadnych globalnych zmiennych związanych z sesją. Nie usuwa też ciasteczka sesyjnego.

Aby "zabić" całość sesji, na przykład aby wylogować użytwkonika, należy także usunąć identyfikator sesji. Jeśli do propagowania identyfikatora sesji jużyte było ciasteczko, to usunięte musi być ciasteczko sesyjne. Można do tego użyć funkcji setcookie().

Zwraca TRUE w przypadku sukcesu, FALSE w przypadku porażki.

Przykład 1. Niszczenie sesji przy użyciu $_SESSION


<?php

// Inicjalizuj sesję

// Jeśli używasz sesion_name("cośtam"), nie zapomnij o tym teraz!

session_start();

// Usuń wszystkie zmienne sesyjne

$_SESSION = array();



// Jeśli pożądane jest zabicie sesji, usuń także ciasteczko sesyjne.

// Uwaga: to usunie sesję, nie tylko dane sesji

if (isset($_COOKIE[session_name()])) { 

   setcookie(session_name(), '', time()-42000, '/'); 

}



// Na koniec zniszcz sesję

session_destroy();

Notatka: session_unset() należy używać dla starszego kodu, który nie korzysta z $_SESSION.

Patrz także: unset() i setcookie().

User Contributed Notes


Running 4.4 under Apache 1.3 under W2K, I'm storing session data in a mysql table.  In trying to completely purge a session for security's sake, using this model as shown above:



?php

session_start(); // restore the session

$_SESSION = array(); // clear the universal var

if (isset($_COOKIE[session_name()])) {

   setcookie(session_name(), '', time()-42000, '/');

} // clobber the cookie

session_destroy(); // purge the session record

exit(); // we're done

?>



I find that the final step of purging the session record doesn't work as that example seems to imply.  Something is re-creating "for free" a data-less zombie record under the same session id immediately after the purge...which, needless to say, is unexpected and disconcerting.


in the manual says: when you use (or declared) a session var with $_SESSION you dont need to use session_register and when you want to 

well, a little note about it is follow:



<?php



session_start(); 

$item=$_SESSION['item']; 



[............]



if(isset($_GET['salir']))

{

    //session_unset();   to see that I (now) dont use session_unset() to destroy a session vars....

    session_destroy();



?> 



Since here, it has been destroy the session but not the variables, BUT when I use this page again and is executed the session_destroy() now yes  :| !! it destroy all globals variables of my last session. It means that I need 



1- destroy the session (not their vars)

2- when I run this script again without use session var (just like is in this script) it will destroy the session vars, and note that it did the session destroy.

3- I tried too put it thus:



[.........]



if(isset($_GET['salir']))

{

     //session_unset();

     session_destroy();

     session_destroy();

}



Obviously, it showed me an error message "Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in W:\www\carrito\changuito.php on line xx"



Then, I cant use two time thus.



since here, I didnt use session_unset neither $_SESSION=array();



Other thing, in this manual says: if you use $_SESSION dont use session_unset(),  you should use ...  $_SESSION=array();



well, it dont work in my script, but yes when I use session_unset();



NOTE: all it with php 5.0.4 and win2k


Note that there's a bug with custom session handlers and when you want to start a session again after you have called session_destroy.



session_destroy disables the custom session_handler and this a call to session_start after it will fail with "Failed to initialize storage module".



See http://bugs.php.net/32330 for more information and a workaround.


[Editor's Note]


doing $_SESSION = array();


is faster/quicker and works aswell.


[/Note]





If you want to keep your session_id() unchanged, but you want to reset all session variables, BEWARE of unset($_SESSION). Doing so, and setting session variables (like $_SESSION['test']) afterwards has the effect, that your changes will not be saved at the end of your script (not even with session_write_close()).





So you better code like this:


foreach ($_SESSION as $VarName => $Value)  {


    unset ($_SESSION[$VarName]);


}


$_SESSION['test'] = 'MyTestValue';


I did encounter a minor problem when I tried to remove the physical file that stores the session. The problem was that my working directory wasn't on the same drive as my PHP installation (yes, I used Windows).



So I used the PHP_BINDIR to start at the same place as PHP does and then change directory to the place that was specified in PHP.INI. This makes it transparent to relative paths in session.save_path.



<?php

function DeleteSessionID($sessionid) {

  $orgpath = getcwd();

  chdir(PHP_BINDIR);

  chdir(session_save_path());

  $path = realpath(getcwd()).'/';

  if(file_exists($path.'sess_'.$sessionid)) {

    // Delete it here

    unlink($path.'sess_'.$sessionid);

  } else {

    // File not found

  }

  chdir($orgpath);

}



?>



The final chdir($orgpath) is just to restore the working directory as it were before .


For deleting the session cookie:

 setcookie( session_name() ,"",0,"/");

that worked for me.  When I ran that function without the last parameter, it didn't work.  If you leave out that parameter( domain ), it will default to the current directory, which isn't always the same as the session cookie's domain.



nick


This code might be a bit better for expiring session cookies, in case your domain, path, and/or secure session cookie settings are changed.



    $CookieInfo = session_get_cookie_params();

    if ( (empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])) ) {

        setcookie(session_name(), '', time()-3600, $CookieInfo['path']);

    } elseif (empty($CookieInfo['secure'])) {

        setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain']);

    } else {

        setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain'], $CookieInfo['secure']);

    }

    unset($_COOKIE[session_name()]);

    session_destroy();


If you use sessions with HTTP Auth, you might find the code below do what you expect:

session.h.php - should be included in every 'protected' page:

<?php

    define("HTTP_AUTH_REALM", "Your authname here");

    session_start();

    if(!isset($_SESSION["uid"]))    {

        // No session, let's lookup the user.

        if(!isset($_COOKIE['login_attempts']))

        {

            unset($_SERVER['PHP_AUTH_USER']);

            // Gives the user 30 seconds to type the password.

            // Should be enough :-)

            setcookie('login_attempts', 1,time()+30);

        }

        if(!isset($_SERVER['PHP_AUTH_USER']))

        {

            header("WWW-Authenticate: Basic realm=\"".HTTP_AUTH_REALM."\"");

            header("HTTP/1.0 401 Unauthorized");

            echo("This is for authorized users only.");

            exit;

        }

// your session registering here

// Please note to verify a password and display a 403 error.

?>



logout.php:

<?php

require('session.h.php');

// Unset session data

$_SESSION=array();

// Clear cookie

unset($_COOKIE[session_name()]);

// Destroy session data

session_destroy();

// Redirect to clear the cookie.

$time=time();

header("Location: /logged_out.html?cache_defeat=$time");

exit;

?>