What does session_destroy () actually destroy?

The documentation says session_destroy() "destroys all of the data
associated with the current session". Um, like what?

The docs further say that you should remove all information in the _SESSION
global with $_SESSION = array() and you should use setcookie() to set the
session cookie to a blank value. Having done those, what does that leave
session_destroy() to do?

The page at http://au2.php.net/manual/en/functio...on-destroy.php
bandies about terms like "Unset all of the session variables", "If it's
desired to kill the session..." and "destroy the session" without actually
explaining them. That last one is used in the context of a call to
setcookie() and then again in the context of a call to session_destroy().

My current code, which I need to be as secure as possible, doesn't call
session_destroy() because I can't see what it does. Can someone enlighten
me?

--
The email address used to post is a spam pit. Contact me at
http://www.derekfountain.org
Jul 17 '05 #1
Derek Fountain wrote:
> The documentation says session_destroy() "destroys all of the data
> associated with the current session". Um, like what?
>
> The docs further say that you should remove all information in the
> _SESSION global with $_SESSION = array() and you should use setcookie() to
> set the session cookie to a blank value. Having done those, what does that
> leave session_destroy() to do?
>
> The page at http://au2.php.net/manual/en/functio...on-destroy.php
> bandies about terms like "Unset all of the session variables", "If it's
> desired to kill the session..." and "destroy the session" without actually
> explaining them. That last one is used in the context of a call to
> setcookie() and then again in the context of a call to session_destroy().
>
> My current code, which I need to be as secure as possible, doesn't call
> session_destroy() because I can't see what it does. Can someone enlighten
> me?


Hi,

This note of Johan on the same page maybe gives a hint:

-----------------------
Johan
20-Nov-2004 03:00
Remember that session_destroy() does not unset $_SESSION at the moment it is
executed. $_SESSION is unset when the current script has stopped running.
-----------------------

So you can use the command session_destroy() to make sure you have access to
the session var until the end of the script, where your session will be
destroyed.

I must say I never use that function.
When I have authenticated a user I store a key (e.g. $_SESSION["userid"]) in
the session.
Every script that requires an authenticated user checks for this first.
When I want the user to log out, I simply use $_SESSION = array().

So I NEVER use the fact that a SESSION exists as a 'proof' of
authentication.
It raises all kinds of problems (IMHO).
Better is: The session must exist AND it must contain a userid (or whatever
suits you).
Check for the existence of that key.

Hope this helps,

Regards,
Erwin Moller
Jul 17 '05 #2
Derek Fountain wrote:
> The documentation says session_destroy() "destroys all of the data
> associated with the current session". Um, like what?

It deletes the session file. Session file is the one which holds the
serialized session variables; should be available on session path
usually a temp directory on server.

> The docs further say that you should remove all information in the
> _SESSION global with $_SESSION = array() and you should use setcookie() to
> set the session cookie to a blank value. Having done those, what does that
> leave session_destroy() to do?

When you session_start(), it actually populates the $_SESSION
array--the values will be available till the script ends--even if you
use session_destroy() in the middle--which is the case, you may want to
avoid-- and so $_SESSION = array().

On usual configurations, cookie will hold the session id.
session_destroy() only deletes the session file at server--it doesn't
reset the session cookie. Since, PHP's session management is
"permissive", even if you delete the session file (and hence the
session data) with session_destroy(), in the next session_start() (the
execution of next page), it will create a session with session id which
is same as of previous (deleted) session. It happens as the session id
of previous (deleted) session is still available in the cookie. That's
why the suggestion is to reset the session cookie--so that you get new
session id (hence "pure new session").

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #3
Derek Fountain wrote:
> My current code, which I need to be as secure as possible, doesn't call
> session_destroy() because I can't see what it does. Can someone enlighten
> me?


session_destroy destroys the storage for session_data. As some other
comment mentioned (which was new to me), these data (which live in
$_SESSION and the file in which they are stored for "files"-type sessions)
are destroyed after the script ends.

For maximal session security, I also destroy the session cookie:

session_destroy();
// expire the session cookie in the browser
setcookie(session_name(), '', time() - 3600);

or at the very least you should generate a new session id.

good ruck.
marc.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #4
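
The pieces discussed in the replies above (clearing $_SESSION, expiring the cookie, deleting the server-side data, and checking for a key rather than for the mere existence of a session), combined as an added example; this is not code from any poster in the thread. It assumes PHP 7.1 or later, cookie-based sessions, and a hypothetical `userid` session key and function names.

```php
<?php
// Added example: names (login, logout, require_login, 'userid') are hypothetical.

// Refuse session ids the server did not issue, so an old cookie cannot
// bring a destroyed session back under the same id (the "permissive"
// behaviour described in reply #3). Must be set before session_start().
ini_set('session.use_strict_mode', '1');

function start_if_needed(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function login(int $userId): void
{
    start_if_needed();
    session_regenerate_id(true);   // new id at privilege change, old data file deleted
    $_SESSION['userid'] = $userId;
}

function require_login(): int
{
    start_if_needed();
    // An existing session proves nothing; the key must be present.
    if (!isset($_SESSION['userid'])) {
        http_response_code(401);
        exit('Not authenticated');
    }
    return (int) $_SESSION['userid'];
}

function logout(): void
{
    start_if_needed();
    $_SESSION = [];                // 1. clear the in-memory copy for the rest of this request
    if (ini_get('session.use_cookies')) {
        // 2. expire the cookie using the same parameters it was set with,
        //    otherwise the browser treats it as a different cookie and keeps the old one
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();             // 3. delete the server-side session data
}
```

`logout()` has to run before any output is sent, because `setcookie()` emits a header.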
