51

I tried to destroy all session variable by using the session_destroy() method, but after using this method, the values are not destroyed.

Why is session_destroy() not working?

Is there any other way to destroy the session in PHP?

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) 
{   
    session_destroy();   
    session_unset();     
}
Alessandro
  • 900
  • 12
  • 23
Rajasekar Gunasekaran
  • 1,799
  • 3
  • 24
  • 40
  • 1
    Please show us the code you are using. – Charles Jun 24 '11 at 18:23
  • 2
    "It won't work" is not much of a question. Can you explain what doesn't work? Can you `array_dump` `$_SESSION` for instance? – Kevin Ji Jun 24 '11 at 18:24
  • 1
    I'm still dieing to know what you meant by http://stackoverflow.com/questions/6471182/how-to-configure-gmail-in-php-at-run-time – Mike B Jun 24 '11 at 18:30
  • 2
    in this case, just `unset($_SESSION['LAST_ACTIVITY']);` after `session_destroy();` will clear the variable. – yitwail Jun 24 '11 at 18:31

10 Answers10

127

Perhaps is way too late to respond but, make sure your session is initialized before destroying it.

session_start() ;
session_destroy() ;

i.e. you cannot destroy a session in logout.php if you initialized your session in index.php. You must start the session in logout.php before destroying it.

R.D.
  • 1,557
  • 2
  • 10
  • 11
  • 11
    This should be the accepted answer as "session_destroy" won't work without "session_start". – Andrew Aug 12 '14 at 15:28
  • This answer is not correct. First, it's bad practice to suppress errors. Second, it destroys the session but it does not unset the session variables or invalidate the session cookie. This answer is very much incomplete. – Nilpo May 31 '16 at 07:22
  • @Nilpo the question here is "why is session_destroy not working", not "unset session variables". OP misunderstood what session_destroy really did. – keanu_reeves Jan 14 '20 at 21:19
  • @keanu_reeves: OP says (barring typos etc.) "I tried to destroy all session variables by using `session_destroy()`, but after using this method, the values are not destroyed." And OP seems to have accepted the correct answer accordingly. (However, there's still the mystery of how come that `session_unset()` didn't do it for him.) – Sz. Jun 08 '20 at 22:09
  • @keanu_reeves, Ahh, but "studying" the edit history of the question, there's a complete alternative storyline lurking in there! :) It's quite possible that also the first editor (kevinji) (understandably) misunderstood the q., and then OP, misunderstanding the intent of the update, approved the changes, and it then all just seem to have gone hopelessly astray. :) (Nevertheless, the result is an informative page.) – Sz. Jun 08 '20 at 23:03
  • Helped in my case..I created a logout.php and gave session destroy. Forgot starting session first. Thanks – Allen Johnson Jul 20 '21 at 20:43
64

After using session_destroy(), the session is destroyed behind the scenes. For some reason this doesn't affect the values in $_SESSION, which was already populated for this request, but it will be empty in future requests.

You can manually clear $_SESSION if you so desire ($_SESSION = [];).

Andrea
  • 19,134
  • 4
  • 43
  • 65
  • as a note, there is a function named `session_unset` if the OP needs that too. – Gabi Purcaru Jun 24 '11 at 18:26
  • 15
    @Gabi, `session_unset` is used for the PHP3-era global registration thing and should no longer be used. – Charles Jun 24 '11 at 18:31
  • 4
    session_destroy() does not remove the session cookie. It should be invalidated manually. – Nilpo May 31 '16 at 07:19
  • Thank you for `$_SESSION = [];` I am sure I should not use it but it clears out the session and that is all I need. To hack is to live. – BeNice Jul 26 '19 at 13:04
18

If you need to clear the values of $_SESSION, set the array equal to an empty array:

$_SESSION = array();

Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much.

Try the following:

session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
Kevin Ji
  • 10,479
  • 4
  • 40
  • 63
  • 2
    No, you don't need to call `session_unset`. It's for the PHP3-era global registration thing that nobody should be using. – Charles Jun 24 '11 at 18:31
  • @Charles I thought so as well, but I didn't wish to modify the OP's code. That said, removed. – Kevin Ji Jun 24 '11 at 18:34
  • Great answer - navigating back no longer displays variables too. – Leo Jun 19 '16 at 13:57
  • I found this approach: http://www.hackingwithphp.com/10/3/5/ending-a-session Is this the correct way of doing it? – Skadoosh Mar 23 '21 at 00:30
5

I had to also remove session cookies like this:

session_start(); 
$_SESSION = []; 

// If it's desired to kill the session, also 
// delete the session cookie. 
// Note: This will destroy the session, and 
// not just the session data! 
if (ini_get("session.use_cookies")) { 
    $params = session_get_cookie_params(); 
    setcookie(session_name(), '', time() - 42000, 
        $params["path"], $params["domain"], 
        $params["secure"], $params["httponly"] 
    ); 
} 

// Finally, destroy the session. 
session_destroy();

Source: geeksforgeeks.org

Alisso
  • 1,861
  • 1
  • 17
  • 32
  • 1
    Nice, clean & complete. Since 7.3 you could also do `setcookie(session_name(), '', session_get_cookie_params())`, if backdating the expiration isn't critical for some reason (the empty session ID should be enough, and most apps would set a new cookie soon enough anyway). Of course, if PHP provided some `unsetcookie($name[, $params])`, that would be even cleaner. (BTW, `[]` is preferred instead of `array()` nowadays. ;) ) – Sz. Jun 08 '20 at 22:33
4

Actually, it works, but you also need to do $_SESSION = array(); after the session_destroy to get rid of $_SESSION variables. However, avoid doing unset($_SESSION) because that makes sessions useless.

yitwail
  • 1,999
  • 3
  • 20
  • 27
  • Having session destroyed (with session_destroy()) will make session useless aswell. – Ivo Pereira Oct 24 '13 at 08:53
  • @IvoPereira The PHP manual states that both are necessary. session_destroy() alone will not do. – Nilpo May 31 '16 at 07:23
  • 2
    session_destroy() makes a particular session useless. unset($_SESSION) makes future sessions useless as well. From the PHP manual, `Caution Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.` – yitwail Jun 08 '16 at 07:43
1

Well, this seems a new problem for me, using a new php server. In the past never had an issue with sessions not ending.

In a test of sessions, I setup a session, ran a session count++ and closed the session. Reloaded the page and to my surprise the variable remained.

I tried the following suggestion posted by mc10

session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable

However, that did not work. I did not think it could work as the session was not active after destroying it, so I reversed it.

$_SESSION = array();
session_destroy();

That worked, reloading the page starting sessios and reviewing the set variables all showed them empty/not-set.

Really not sure why session_destroy() does not work on this PHP Version 5.3.14 server.

Don't really care as long as I know how to clear the sessions.

Dave Henderson
  • 11
  • 1
1

session_destroy() is effective after the page load is complete. So in the second upload, the session is terminated. But with unset() you can also log out from within the page.

Mert S. Kaplan
  • 1,045
  • 11
  • 16
0

if you destroy the session on 127.0.0.1 it will not affect on localhost and vice versa

TechDogLover OR kiaNasirzadeh
  • 4,566
  • 27
  • 33
-1

It works , but sometimes it doesn't (check the below example)

<?php
session_start();
$_SESSION['name']="shankar";
if(isset($_SESSION['name']))
{
    echo $_SESSION['name']; // Outputs shankar
}
session_destroy();
echo $_SESSION['name']; // Still outputs shankar

Weird!! Right ?


How to overcome this ?

In the above scenario , if you replace session_destroy(); with unset($_SESSION['name']); it works as expected.

But i want to destroy all variables not just a single one !

Yeah there is a fix for this too. Just unset the $_SESSION array. [Credits Ivo Pereira]

unset($_SESSION);
Shankar Narayana Damodaran
  • 68,075
  • 43
  • 96
  • 126
  • Instead of doing the foreach to destroy every key in $_SESSION, you could just delete them all using unset($_SESSION); – Ivo Pereira Oct 24 '13 at 08:51
  • @shankar , When your page has loaded the "$_SESSION['name']" has defined as "shankar" that you defined. And next step you tried to destroy your session. So The "session_destroy();" function has removed all session from server.But the Point is "$_SESSION['name']" has already defined by "shankar". Of course, you session has destroyed. It will affect on only next page loading..Got it..? – Elavarasan Oct 24 '13 at 09:26
  • Yeah i know that [See the first answer to this question]. I am referring to the current page. – Shankar Narayana Damodaran Oct 24 '13 at 13:21
  • Shankar, look at my last comment in my answer above yours. It's the PHP manual that says you should not unset $_SESSION. Instead, you set $_SESSION = array(), and that will unset the `$_SESSION['name']` in your example. This is the manual page: http://php.net/manual/en/function.session-unset.php – yitwail Jun 08 '16 at 07:46
-3

Add session_start(); before !Doctype Declaration

    <?php session_start(); ?>
    <!doctype html>
    <html>
    <body>
<?php 
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) 
{   
    session_destroy();   
    session_unset();     
} 
?>
</body>
</html>
user3764953
  • 43
  • 9