What does session_destroy () actually destroy?

The documentation says session_destroy() "destroys all of the data
associated with the current session". Um, like what?

The docs further say that you should remove all information in the _SESSION
global with $_SESSION = array() and you should use setcookie() to set the
session cookie to a blank value. Having done those, what does that leave
session_destroy() to do?

The page at http://au2.php.net/manual/en/functio...on-destroy.php
bandies about terms like "Unset all of the session variables", "If it's
desired to kill the session..." and "destroy the session" without actually
explaining them. That last one is used in the context of a call to
setcookie() and then again in the context of a call to session_destroy().

My current code, which I need to be as secure as possible, doesn't call
session_destroy() because I can't see what it does. Can someone enlighten
me?

--
The email address used to post is a spam pit. Contact me at
http://www.derekfountain.org (Derek Fountain)
Jul 17 '05 #1
Derek Fountain wrote:
> The documentation says session_destroy() "destroys all of the data
> associated with the current session". Um, like what?
>
> The docs further say that you should remove all information in the
> _SESSION global with $_SESSION = array() and you should use setcookie() to
> set the session cookie to a blank value. Having done those, what does that
> leave session_destroy() to do?
>
> The page at http://au2.php.net/manual/en/functio...on-destroy.php
> bandies about terms like "Unset all of the session variables", "If it's
> desired to kill the session..." and "destroy the session" without actually
> explaining them. That last one is used in the context of a call to
> setcookie() and then again in the context of a call to session_destroy().
>
> My current code, which I need to be as secure as possible, doesn't call
> session_destroy() because I can't see what it does. Can someone enlighten
> me?

Hi,

This note of Johan on the same page maybe gives a hint:

-----------------------
Johan
20-Nov-2004 03:00
Remember that session_destroy() does not unset $_SESSION at the moment it is
executed. $_SESSION is unset when the current script has stopped running.
-----------------------

So you can use the command session_destroy() to make sure you have access to
the sessionvar until the end of the script, where your session will be
destroyed.

I must say I never use that function.
When I have authenticated a user I store a key (e.g. $_SESSION["userid"]) in
the session.
Every script that requires an authenticated user checks for this first.
When I want the user to log out, I simply use $_SESSION = array().

So I NEVER use the fact that a SESSION exists as a 'proof' of
authentication.
It raises all kinds of problems (IMHO).
Better is: The session must exist AND it must contain a userid (or whatever
suits you).
Check for the existence of that key.

Hope this helps,

Regards,
Erwin Moller
Jul 17 '05 #2
Derek Fountain wrote:
> The documentation says session_destroy() "destroys all of the data
> associated with the current session". Um, like what?

It deletes the session file. Session file is the one which holds the
serialized session variables; should be available on session path
usually a temp directory on server.

> The docs further say that you should remove all information in the
> _SESSION global with $_SESSION = array() and you should use setcookie() to
> set the session cookie to a blank value. Having done those, what does that
> leave session_destroy() to do?

When you session_start(), it actually populates the $_SESSION
array--the values will be available till the script ends--even if you
use session_destroy() in the middle--which is the case, you may want to
avoid-- and so $_SESSION = array().

On usual configurations, cookie will hold the session id.
session_destroy() only deletes the session file at server--it doesn't
reset the session cookie. Since, PHP's session management is
"permissive", even if you delete the session file (and hence the
session data) with session_destroy(), in the next session_start() (the
execution of next page), it will create a session with session id which
is same as of previous (deleted) session. It happens as the session id
of previous (deleted) session is still available in the cookie. That's
why the suggestion is to reset the session cookie--so that you get new
session id (hence "pure new session").

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #3
Derek Fountain wrote:
> My current code, which I need to be as secure as possible, doesn't call
> session_destroy() because I can't see what it does. Can someone enlighten
> me?

session_destroy destroys the storage for session_data. As some other
comment mentioned (which was new to me), these data (which live in
$_SESSION and the file in which they are stored for "files"-type sessions)
are destroyed after the script ends.

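For maximal session security, I also destroy the session cookie:

session_destroy();
// setcookie(), not session_id(), takes (name, value, expiry) and sends the cookie header;
// the path and domain must match the session cookie's for the browser to drop it.
setcookie(session_name(), '', time() - 3600);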

or at the very least you should generate a new session id.

good ruck.
marc.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #4
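
Added example (not part of the thread and not any poster's code): the pieces discussed in replies #2 to #4 put together for PHP 7.1+ with cookie-based sessions. The function names log_in, is_authenticated and log_out are hypothetical; session.use_strict_mode is the PHP setting that makes the server refuse a session id it did not issue, which is the "permissive" reuse reply #3 describes.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Refuse ids the server never issued, so a stale cookie left over from a
// destroyed session cannot bring the same id back. Set before session_start().
ini_set('session.use_strict_mode', '1');
session_start();

function log_in(int $userId): void
{
    // Issue a fresh id when privileges change; true removes the old
    // session's storage so the previous id is dead.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
}

function is_authenticated(): bool
{
    // The mere existence of a session proves nothing (reply #2):
    // require the key that log_in() stored.
    return isset($_SESSION['userid']);
}

function log_out(): void
{
    // 1. Clear the in-memory copy. session_destroy() does not touch
    //    $_SESSION, which stays readable until the script ends.
    $_SESSION = [];

    // 2. Expire the browser's cookie. Path, domain and flags must match
    //    the values the session cookie was set with, or the browser
    //    keeps the old cookie and resends the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side storage (the session file for the
    //    default "files" handler).
    session_destroy();
}
```

Each step covers a different copy of the session: the array in the running script, the id held by the browser, and the data stored on the server.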
