
What additional value does session_destroy bring when I am using session_regenerate_id(true) in PHP?

Tags: php, session

I've been reading the manual and various pages on the web, including lots of questions here on SO. However, I've still not been able to get my head around the concept of session_destroy() in PHP in conjunction with other means of unsetting session data.

Consider this for a site that never registers session variables outside the $_SESSION superglobal array.

session_start();
$_SESSION = array();
session_regenerate_id(true); // New cookie + old session file on server deleted
session_destroy();  // What does PHP do here that was not done above?

Please note that I have built working login-logout scripts for years. This question is not about getting things to work, but I want to understand exactly what is happening.

(A lot of answers here on SO also use session_unset() which unsets registered variables. However, I never use session_register(), so that seems really redundant.)

itpastorn asked Aug 15 '13 22:08


1 Answer

The session_regenerate_id() function is meant to copy or move the session data based on its corresponding identifier; it's typically used when a user logs in to prevent session fixation. Afterwards, the session is still active and it can be accessed with $_SESSION.

The session_destroy() function removes the current session data. Afterwards, the session is gone and you can only start a new session using session_start().

If a user signs out of your site, the most appropriate action is to destroy the session altogether; i.e. use session_destroy().

Btw, session_register() and session_unset() are deprecated and shouldn't be used.

Ja͢ck answered Sep 20 '22 00:09
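
The difference described in the answer can be observed from the PHP CLI by checking the session status and the session files after each call. This is an added example, not code from the question or the answer; it assumes PHP 7.4+ with the "files" save handler, and the temporary directory and the 'alice' value are constructed for the demo.

```php
<?php
// Added illustration (not from the thread). Run from the CLI: php demo.php
// Assumption: "files" save handler, which stores each session as <save_path>/sess_<id>.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4)); // constructed path
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
session_save_path($dir);

$log   = []; // buffer results: output before session calls causes "headers already sent" warnings
$file  = fn(string $id): string => "$dir/sess_$id";
$state = fn(): string => session_status() === PHP_SESSION_ACTIVE ? 'active' : 'none';
$yesNo = fn(bool $b): string => $b ? 'yes' : 'no';

// Earlier request: a logged-in session is written to disk and closed.
session_start();
$oldId = session_id();
$_SESSION['user'] = 'alice'; // constructed sample value
session_write_close();

// Logout request, using the sequence from the question.
session_start();
$_SESSION = [];
session_regenerate_id(true); // delete the old session, continue under a new ID
$newId = session_id();
clearstatcache();
$log[] = sprintf(
    'after session_regenerate_id(true): session=%s, id changed=%s, old file exists=%s, new file exists=%s',
    $state(), $yesNo($newId !== $oldId),
    $yesNo(file_exists($file($oldId))), $yesNo(file_exists($file($newId)))
);

session_destroy(); // end the session that regenerate_id left active
clearstatcache();
$log[] = sprintf(
    'after session_destroy():           session=%s, new file exists=%s',
    $state(), $yesNo(file_exists($file($newId)))
);

echo implode(PHP_EOL, $log), PHP_EOL;

// Clean up the demo directory.
array_map('unlink', glob("$dir/*") ?: []);
rmdir($dir);
```

Per the PHP manual, session_destroy() does not unset $_SESSION or the session cookie, so a logout handler that wants the cookie gone on the client still has to expire it with setcookie().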