41

I have read many PHP tutorials for logout scripts, and I am wondering what could be the proper way to log out from a session!

Script 1

```php
<?php
session_start();
session_destroy();
header("location:index.php");
?>
```

Script 2

```php
<?php
session_start();
session_unset();
session_destroy();
header("location:index.php");
?>
```

Script 3

```php
<?php
session_start();
if (isset($_SESSION['username']))
{
    unset($_SESSION['username']);
}
header("location:index.php");
?>
```

Is there any more effective way to do this? A session can always be created by logging back in, so should I bother about the use of session_destroy() and use unset($_SESSION['variable']) instead? Which one of the above 3 scripts is preferable?

Shiv Deepak
  • 1
    Keep in mind you'd want to exit() after the header redirect to avoid exposing the content that might follow... – Julix Jun 20 '17 at 02:13

4 Answers

75

From the session_destroy() page in the PHP manual:

```php
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>
```

Frxstrem
  • 1
    Could you explain this part please? `$["path"], $params["domain"], $params["secure"], $params["httponly"]);`. I did not get what you are doing here – Mohammed Noureldin Dec 25 '17 at 19:29
  • 2
    @MohammedNoureldin the $params is getting the current params in order to make sure the same params are used for removing it. It helps this code work more generally in cases where non-default parameters were used. – Zack Huston Apr 16 '18 at 16:30
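
Added example (not part of the original answers or the PHP manual): a logout handler that combines the manual's approach above with the exit-after-redirect advice from the question's comments, and expires the session cookie with the parameters it was issued with. It assumes PHP 7.3 or later for the array form of `setcookie()`; the function name `logout_and_redirect` and the `index.php` target are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example: end the current session and redirect.
 * logout_and_redirect() is a hypothetical helper name, not a PHP built-in.
 */
function logout_and_redirect(string $target = 'index.php'): void
{
    // Resume the session so PHP knows which session ID to destroy.
    // If the application calls session_name('something'), do it before this.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear the in-memory copy so nothing later in this request can read it.
    $_SESSION = [];

    // Expire the browser's cookie. Name, path and domain must match the
    // cookie that was issued, otherwise the browser treats this as a
    // different cookie and keeps sending the old session ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        $options = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        // 'samesite' is reported on PHP 7.3+; pass it on only when set.
        if (!empty($p['samesite'])) {
            $options['samesite'] = $p['samesite'];
        }
        setcookie(session_name(), '', $options);
    }

    // Remove the server-side session data.
    session_destroy();

    // Redirect and stop, so no protected markup after this call is sent.
    header('Location: ' . $target);
    exit;
}

logout_and_redirect();
```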
17

Personally, I do the following:

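```php
session_start();
// Expire the session cookie (timestamp 100 is far in the past).
setcookie(session_name(), '', 100);
// Free the registered session variables.
session_unset();
// Delete the stored session data.
session_destroy();
// session_destroy() leaves $_SESSION populated for this request, so clear it.
$_SESSION = array();
```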

That way, it kills the cookie, destroys all data stored internally, and destroys the current instance of the session information (which is ignored by session_destroy).

ircmaxell
  • 1
    Will setcookie(session_name(), '', 100); posted by @ircmaxell have better behavior than the code which @Frxstrem has posted? – Shiv Deepak Aug 18 '10 at 13:37
  • 3
    @Frxstrem's solution is more complete (since it takes into account the exact cookie params used). Use that one instead... – ircmaxell Aug 18 '10 at 13:39
6

session_unset(); only destroys the session variables. To end the session there is another function called session_destroy(); which also destroys the session.

Update:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Haim Evgi
  • 3
    `session_destroy()` doesn't touch the cookie. From the docs: `In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.` http://us3.php.net/manual/en/function.session-destroy.php – ircmaxell Aug 18 '10 at 13:26
6

```php
<?php
// Initialize the session.
session_start();
// Unset the username session variable.
unset($_SESSION['username']);
// Finally, destroy the session.
session_destroy();

// Include URL for Login page to login again.
header("Location: login.php");
exit;
?>
```

Optimaz Prime
  • 5
    While this code snippet may solve the question, [including an explanation](http://meta.stackexchange.com/questions/114762/explaining-entirely-code-based-answers) really helps to improve the quality of your post. Remember that you are answering the question for readers in the future, and those people might not know the reasons for your code suggestion. – Derek Brown Jul 13 '18 at 06:19
  • 1
    Just did it. Thank you @DerekBrown – Optimaz Prime Jul 13 '18 at 06:46