0

I have this code in a default index page:

<?php 
$_SESSION['user'] = 'Bill';
print $_SESSION['user'];

$_SESSION = array();
session_destroy();

$_SESSION['user'] = 'Andy';
print $_SESSION['user'];
?>

The output is the following:

Bill
Warning: session_destroy(): Trying to destroy uninitialized session in C:\xampp\htdocs\DSP\index.php on line 15
Andy

Obviously I have to initialize the session with session_start() but these are my questions:

1) However, why can I store a session without session_start() function?

2) Now I put session_start() function on the top of the code:

<?php 
session_start();

$_SESSION['user'] = 'Bill';
print $_SESSION['user'];

$_SESSION = array();
session_destroy();

$_SESSION['user'] = 'Andy';
print $_SESSION['user'];
?>

Now the output is the following:

Bill
Andy

My question now is:

3) Why Andy is printed on the output? Why compiler NOT gives me error that session must be started again beacuse I destroyed it before with the command session_destroy()?

Thanks everyone very much!

tereško
  • 58,060
  • 25
  • 98
  • 150
Andrea Limoli
  • 155
  • 1
  • 3
  • 12
  • Can you prepare food without fire or any source of energy? No you can't since without that you can't prepare the food. Similarly if you dont start session_start(); your code will not know anything about the session. – Abhik Chakraborty Feb 08 '14 at 11:32
  • I know it but my question is why the sessions in this example are set even if the session_start doesn't exists. – Andrea Limoli Feb 08 '14 at 11:34

2 Answers2

0

You should unset the session before trying to destroy it.

session_unset();
session_destroy();

http://www.php.net/manual/en/function.session-unset.php

Mutale
  • 310
  • 1
  • 8
  • session_unset() is deprecated, now it uses $_SESSION = array(); – Andrea Limoli Feb 08 '14 at 11:29
  • to remove certain item from array you should use `unset ($_SESSION['varname']);` . Btw, I can't see documentation for this function deprecation, the `session_unregister()` was deprecated for as far as I know. – Mutale Feb 08 '14 at 11:33
  • In Php manual I read this:Caution: Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal. – Andrea Limoli Feb 08 '14 at 11:36
  • Right, it is not recommended, and you should unset the specific variable you want to unset using `unset ($_SESSION['varname']);` – Mutale Feb 08 '14 at 11:38
  • No, I formulate better the question. I would know how I can destroy really the session. When the session is destroyed and after I use again the session (e.g. I would store new key-value) the compiler must say me that the session doesn't exist and isn't initialized? – Andrea Limoli Feb 08 '14 at 11:49
0

However, why can I store a session without session_start() function?

Because it's just a usual array and can be accessed as such. It is same with $_POST, $_GET and other super-global arrays. However, the session is only created after you call session_start(), so trying to store information in the array before initializing the session is pointless.

I don't see anything unusual in your code and the output produced. To illustrate, see the following code:

<?php 
session_start();

$_SESSION['user'] = 'Bill';    
var_dump($_SESSION);

$_SESSION = array();
session_destroy();    
var_dump($_SESSION);

$_SESSION['user'] = 'Andy';
var_dump($_SESSION);

The output is:

array(1) {
  ["user"]=>
  string(4) "Bill"
}

array(0) {
}

array(1) {
  ["user"]=>
  string(4) "Andy"
}

This is what happens above:

  • Session is initialized using session_start()
  • A string Bill with the key user is added to the associative array
  • session_destroy() destroys the session data that is stored in the session storage. ($_SESSION is now empty)
  • Another string Andy with the key user is added to the associative array

As you'd expect, the output would be Andy. I don't see the issue?

Amal Murali
  • 75,622
  • 18
  • 128
  • 150
  • Ah ok, thank you very much Amala :) But last questions, how can I really destroy session? Is it correct as I wrote? – Andrea Limoli Feb 08 '14 at 11:41
  • @user3124885: Yep, it is. [This example from PHP manual](http://www.php.net/manual/en/function.session-destroy.php#example-4778) is *more* correct. (See also: [Best way to completely destroy a session](http://stackoverflow.com/questions/3948230/best-way-to-completely-destroy-a-session-even-if-the-browser-is-not-closed)) – Amal Murali Feb 08 '14 at 11:46
  • @user3124885: Glad I could help. Since you're new to the site, I suggest you [take the 2-minute tour](http://stackoverflow.com/about) of the site and read [this](http://stackoverflow.com/help/privileges/vote-up) and [this](http://stackoverflow.com/help/accepted-answer). Cheers! – Amal Murali Feb 08 '14 at 12:11