I'm trying to create an authentication mechanism for my PHP application and I'm having difficulty destroying the session. I've tried unsetting the authentication token which was previously set within the session array and destroying the session through session_destroy, as well as resetting the session array completely before destroying the session. I'm calling the header function and going back to my index.php page at the end of the function calls. I've also tried session_write_close to handle closing the session. When I log the user out, I do a var_dump of the session, and it shows no data present; however, when I go back to the index.php page, I'm getting back the user authentication data. I also did a var_dump of the POST data just to ensure I'm not somehow resubmitting the post authentication handler.
Any suggestions on what to do here?
A PHP session can be destroyed with the session_destroy() function. This function does not need any arguments, and a single call destroys all the session variables. If you want to destroy a single session variable, you can use the unset() function on it.
By default, a session in PHP gets destroyed when the browser is closed. The session timeout can be customized to make the user's page inactive after a fixed time. Starting a session: the PHP session_start() function is used to start a session in the web page.
It can be done by clicking on the logout button or by destroying that session after a fixed time. By default, the expiry time of any particular session that is created is 1440 seconds, i.e. 24*60, i.e. 24 minutes. But in some cases we need to change the default time accordingly.
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie. When session_start() is called or when a session auto-starts, PHP will call the open and read session save handlers.
First, make sure you're calling session_start(); before calling session_destroy(); because it will only issue a warning if you don't.
Also, from PHP: session_destroy:
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Also worth noting about PHP sessions: session_unset() > session_destroy(); I do not know why. After reading the PHP Manual entry on session_destroy(), it seems to only remove data within the current context, and not actually clear it from the flat session file, so if you didn't clear the cookie you could get it right back. This seems highly counter-intuitive (as PHP often is), and might be the reason why I decided (and then promptly forgot the reason) years ago to always use session_unset() over session_destroy().
Also, make sure your redirect is occurring after you do all this session nonsense, as PHP acts in ways which not all developers expect. Best practice, IMO, is to follow every header('Location: ...'); call with a die;
Are you sure the page isn't cached?
Write over the authentication token:
session_start();              // resume the session so there is something to clear
$_SESSION['varName'] = null;  // overwrite the authentication token itself
$_SESSION = array();          // then drop every remaining session variable
session_destroy();            // and remove the server-side session data
If you use only session_unset(), buggy IE still keeps the data; my suggestion is to use both.
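The two answers above each cover part of a clean logout (clearing $_SESSION and session_destroy() in the last one; deleting the session cookie and dying after the redirect in the earlier one). The script below is an added example, not code from any answer here, that puts those steps together in one logout handler. It assumes PHP 7.3 or later (for the options-array form of setcookie() and the samesite entry of session_get_cookie_params()), default cookie-based session id propagation, and a hypothetical redirect target of index.php.

```php
<?php
// logout.php - added example; assumes PHP >= 7.3 and cookie-based session ids.
declare(strict_types=1);

function logout_and_redirect(string $target = 'index.php'): void
{
    // 1. Resume the session first: session_destroy() without an active
    //    session only raises a warning and clears nothing.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 2. Drop every session variable for this request, not just the token,
    //    so nothing survives if the destroy step fails part way.
    $_SESSION = [];

    // 3. Expire the session id cookie in the browser. If the id cookie stays,
    //    the browser presents the same id on index.php and a save handler
    //    can hand the old data straight back.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 4. Remove the server-side session data (the flat file under the
    //    default files handler).
    session_destroy();

    // 5. Stop the browser from serving a cached copy of the authenticated
    //    page after the redirect (the "page isn't cached?" point above).
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Location: ' . $target, true, 303);

    // 6. Stop here so no later code can touch or re-create the session.
    exit;
}

logout_and_redirect();
```

If index.php still shows the user as logged in afterwards, check that index.php itself is not re-running the login handler on a cached or resubmitted POST, since after this script both the cookie and the server-side data are gone.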