stackoom
  简体   繁体   中英

Truly destroying a PHP Session?

 原文  2009-02-03 21:23:36       php/ session

Question

I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session? 

session_start();
if(isset($_SESSION['foo'])) {
   unset($_SESSION['foo'];
   ...
}
session_destroy();

In the most simple of cases, would this sufficient to truly terminate the session between the user and the server?

4 answers

solution1
 44 ACCPTED  2009-02-03 21:50:53

To destroy a session you should take the following steps:

  • delete the session data
  • invalidate the session ID

To do this, I'd use this: 

session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIE[session_name()])) { 
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
}
session_destroy();

And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set: 

session_start();
if (!isset($_SESSION['CREATED'])) {
    // invalidate old session data and ID
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime: 

if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

solution2
 1  2009-02-03 21:29:58

The PHP Manual addresses this question.

You need to kill the session and also remove the session cookie (if you are using cookies).

See this page (especially the first example):

http://us2.php.net/manual/en/function.session-destroy.php

solution3
 0  2009-02-03 21:27:32

In the one site I've made where I did use PHP sessions, I never actually destroy the session.

The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.

Hence on my site I just made sure that every page called session_start() , and then just unset() those parts of the session state that matter when the user logs off.

solution4
 -1  2018-12-02 15:35:40

$_SESSION = [];
@unset($_COOKIE[session_name()]);
session_destroy();

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PHP session not destroying or unsetting Destroying session PHP Destroying PHP Session Destroying session in php is SLOW working Error while destroying session in PHP Adding new PHP session variable is destroying the session Special chars in serialized object are destroying PHP session Destroying Session and User Data on browser close ( PHP) destroying session if not set using php pdo Not being redirected to a page after destroying session in php
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM