1
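    <?php
    session_start();

    // Log out when ?destroy=yes is passed and a user is logged in.
    if (isset($_SESSION["user_name"]) && isset($_GET["destroy"]) && $_GET["destroy"] == "yes") {
        session_destroy();                // removes the stored session data
        unset($_SESSION["user_name"]);    // removes the variable from $_SESSION in this request
    }

    // Log in: take the user name from ?user=... when nobody is logged in.
    if (!isset($_SESSION["user_name"]) && isset($_GET["user"]) && $_GET["user"] != "") {
        $_SESSION["user_name"] = $_GET["user"];
    }
    ?>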

I was wondering why we would need both unset() and session_destroy(). I tested by removing either one of them, and the result was still the same: the user was still logged out. Please, someone explain this to me. Thanks so much.

Trinimon
Ham Dlink
  • Who says that you would need both in the first place? Please provide some reference otherwise it is not clear what you are actually concerned about. – hakre Aug 30 '13 at 16:47
  • Are session_unset() and unset($_SESSION['user']) the same? – Ham Dlink Aug 30 '13 at 16:47
  • Here is the link, http://php.net/manual/en/function.session-destroy.php; it says: "In order to kill the session altogether, like to log the user out, the session id must also be unset." – Ham Dlink Aug 30 '13 at 16:50
  • In this case, is the session ID user_name? – Ham Dlink Aug 30 '13 at 16:54
  • @HamDlink: No, the session id is not a session variable, the session id is a property of the actual session. A session has: 1.) a name http://php.net/session_name, 2.) an id http://php.net/session_id and 3.) all the session variables http://php.net/$_SESSION. – hakre Aug 30 '13 at 16:55

2 Answers

0

unset() deletes a variable, not a session.

session_destroy() destroys the session.

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

However, I would suggest that you do a:

$_SESSION = array();

... instead of unset();

Trinimon
Daniel
  • Why would you suggest that? – hakre Aug 30 '13 at 16:51
  • It's better. It deletes all values in the session array, instead of deleting them all one by one. – Daniel Aug 30 '13 at 17:03
  • Well, the OP only used unset in error. There was no reason to use it in the first place, therefore there is no reason to do what you suggest as well. – hakre Aug 30 '13 at 17:07
0

session_unset() deletes only the variables from the session; the session still exists, only the data is truncated. But session_unset() is an outdated PHP function. We can set the session to an empty array instead.

$_SESSION = array(); 

session_destroy() will delete the whole session. It's not always necessary to do both. But it is advisable to do both just to ensure extra security.

Srikanth Muttavarapu
  • session_unset() is an outdated PHP function. It was originally used together with session_register(), which you do not use any longer (or if you use it, it's your fault). – hakre Aug 30 '13 at 16:51
  • @shrikanth, your answer does make sense because either one will log the user out, but for extra security, that's why we use both. – Ham Dlink Aug 30 '13 at 17:06
  • You have a wrong understanding of security here. `session_unset()` was designed for global variables registered as session variables back in PHP 4. As the manual page says, there is no need to use it any longer when you use `$_SESSION`. Also there is no security implication with having data in `$_SESSION` *after* `session_destroy()`, the answer gives no reasoning as well why this actually is *advisable*. It's only some sentences typed in with no further meaning. – hakre Aug 30 '13 at 17:10
  • And don't accept this as an answer; you only misunderstood what the session id is in your question, as we found out. No need to accept a wrong answer. Don't turn a little mistake into another mistake for no reason. – hakre Aug 30 '13 at 17:15
  • @hakre Yes, you are right, session_unset() is outdated; we can set the **session** equal to an **empty array** instead. But he mentioned session_unset() in the question, so I just explained what it does. – Srikanth Muttavarapu Aug 30 '13 at 17:16
  • I mean using both, we just get rid of the session data in every possible way – Srikanth Muttavarapu Aug 30 '13 at 17:18
  • @Shrikanth: session_unset is ***not*** mentioned in the question. And introducing superfluous code is the opposite of every *possible* way. As criticized, you give no reason. – hakre Aug 30 '13 at 17:19
  • What I understand is that unset($_SESSION["user_name"]) means delete the variable user_name, and session_destroy() means delete all of the session. So if I use only session_destroy(), the variable user_name is still there, but if I use only unset($_SESSION["user_name"]), the session is still there. – Ham Dlink Aug 30 '13 at 17:23
  • @HamDlink: yes, exactly. After you've destroyed the session, there is no reason to further manipulate `$_SESSION`. – hakre Aug 30 '13 at 17:24
  • @Shrikanth: You fail to share what the *extra* in *extra security* actually is. Please write that as well in your answer while you edit it (and the other linked question in the comments under the question is equally outdated, no need to copy over wrong information from there even if it got some upvotes). – hakre Aug 30 '13 at 17:25
  • @hakre, if we use both, it will kill the session and the variable. Killing both means extra security. – Ham Dlink Aug 30 '13 at 17:26
  • @Ham Dlink: You do not need to use both (which was what you *somehow* asked in your question). So don't get fooled thinking writing more code would actually do better or more. The opposite is the case. Writing less code is doing better. – hakre Aug 30 '13 at 17:27
  • @hakre, I didn't understand why we need both, but after Shrikanth said about extra security, it does make sense to me. If you destroy only the session, the variable is still there. – Ham Dlink Aug 30 '13 at 17:29
  • @HamDlink By extra security I mean we use both to ensure the session data is destroyed (in case one fails). If I was wrong, please correct it, because I am also a beginner and I just shared what I learned from others – Srikanth Muttavarapu Aug 30 '13 at 17:34
  • @Shrikanth: Ah, that kind of extra security. Well, then I actually suggest you call session_destroy three times in a row so that you know - just for safety - it could have failed two times. :P – hakre Aug 30 '13 at 17:36
  • @shrikanth, @hakre, to me extra security means destroying both the session and the variable. – Ham Dlink Aug 30 '13 at 17:38
  • @HamDlink: Only Shrikanth wrote about extra security; it need not mean that this actually did something good. – hakre Aug 30 '13 at 17:39
  • @Ham Dlink: Which kind of *extra security* is added when you "destroy" the variable, if I may ask you? – hakre Aug 30 '13 at 17:39
  • @HamDlink, @hakre I learnt PHP from a video tutorial series by Kevin Skoglund. He explained it is a good practice to get rid of session data using both ways together. It destroys both session and variable. – Srikanth Muttavarapu Aug 30 '13 at 17:45
  • Sorry, I can't answer your question. But I know when I do a log out, I will want to destroy both variable and session. Like you said, one will be fine. It is just my personal preference to make sure no variable floats around after I have logged out. – Ham Dlink Aug 30 '13 at 17:51
  • @shrikanth, I think you are right. – Ham Dlink Aug 30 '13 at 17:57
  • @Ham Dlink: You know that in PHP, after your script has finished, no variables float around any longer? And that what is in `$_SESSION` after `session_destroy()` has no meaning at all? Even if you `session_start()` again it would be reset? If those variables still float around and have side effects in your script, then you actually are fixing at the very wrong place. – hakre Aug 30 '13 at 19:59
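
Added example, not code from any poster in this thread: a logout that also expires the session-id cookie, as the manual sentence quoted in the comments asks for, followed by a demonstration of what `session_destroy()` alone leaves behind. The function names `logout` and `destroy_only_demo` and the sample value `alice` are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are illustrative.

// Full logout: clear the data, expire the session-id cookie,
// then delete the stored session.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = array();                      // drop the variables in this request

    if (ini_get('session.use_cookies')) {     // make the browser forget the session id
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                        // delete the server-side data
}

// What session_destroy() alone does and does not do.
function destroy_only_demo(): array
{
    session_start();
    $_SESSION['user_name'] = 'alice';         // constructed sample value
    $id = session_id();

    session_destroy();
    $inRequest = isset($_SESSION['user_name']);   // true: the array is untouched

    session_id($id);                          // simulate the old cookie being sent again
    session_start();
    $afterRestart = isset($_SESSION['user_name']); // false: stored data is gone
    session_destroy();

    return array('in_request' => $inRequest, 'after_restart' => $afterRestart);
}

// Run the demonstration from the command line: php example.php
if (PHP_SAPI === 'cli') {
    session_save_path(sys_get_temp_dir());    // writable location for the session file
    var_dump(destroy_only_demo());
}
```

The leftover `$_SESSION` entry lasts only for the current request; the cookie holding the session id stays in the browser until it is expired, which is the step `logout()` adds.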