Menu
I've been reading the manual and various pages on the web including lot's of questions here on SO. However, I've still not been able to get my head around the concept of session_destroy() in PHP in conjunction with other means of unsetting session data.
Consider this for a site that never registers session variables outside the $_SESSION superglobal array.
session_start();
$_SESSION = array();
session_regenerate_id(true); // New cookie + old session file on server deleted
session_destroy(); // What does PHP do here that was not done above?
Please note that I have built working login-logout scripts for years. This question is not about getting things to work, but I want to understand exactly what is happening.
(A lot of answers here on SO also use session_unset() which unsets registered variables. However, I never use session_register(), so that seems really redundant.)
507
The session_regenerate_id() function is meant to copy or move the session data based on its corresponding identifier; it's typically used when a user logs in to prevent session fixation. Afterwards, the session is still active and it can be accessed with $_SESSION.
The session_destroy() removes the current session data. Afterwards, the session is gone and you can only start a new session using session_start().
If a user signs out of your site, the most appropriate action is to destroy the session altogether; i.e. use session_destroy().
Btw, session_register() and session_unset() are deprecated and shouldn't be used.
165
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
