0

How to unset the session in PHP Using Javascript?

OM The Eternity
  • 15,694
  • 44
  • 120
  • 182

2 Answers2

4

Kill the Session Cookie.

Community
  • 1
  • 1
Gordon
  • 312,688
  • 75
  • 539
  • 559
  • If you don't know how to use cookies in PHP you should not be anywhere near sessions. – Matt Mitchell Jun 17 '10 at 09:29
  • ...this is the "dirty way" while BoltClock has the "clean way". Which one will you choose? ;-) – Palantir Jun 17 '10 at 09:29
  • @Palantir Granted, it does not *immediately* unset the session on the server, but if the server cannot identify the session from the request anymore, the session will time out sooner or later. – Gordon Jun 17 '10 at 09:57
  • @Gordon: I used the word "dirty" to imply a hack. If you create a session with session_start, you are supposed to kill it with a timeout, or a session_destroy, to be future-proof (in case something changes in the future versions of PHP, for example if they start using flash cookies instead of normal ones). You are overriding PHP's mechanism, so this is the reason I believe this is a hack. This said, killing the cookie will work for sure, unless he is passing PHP using SIDs on query strings, but who is doing that anyway? is PHP still falling back to it, if cookies are disabled? – Palantir Jun 17 '10 at 11:51
  • @Palantir I wouldn't call it a hack. When the `session.cookie_lifetime` expires regularly it is not informing the server about that either. It's just gone, while the storage on the server is still there until it gets gc'd. just like `session_destroy()` would remove the session data but not unset the cookie. It just depends on what you wanna do: delete the session data or delete the link to it (or both). – Gordon Jun 17 '10 at 12:33
2

You can't do it directly using JavaScript as the session is handled solely by the server; you'll need to do an Ajax call to a PHP script that unsets the session.

BoltClock
  • 700,868
  • 160
  • 1,392
  • 1,356
  • If the cookies aren't HTTP only you could modify them with javascript right? If so, that would kill the session. – Matt Mitchell Jun 17 '10 at 09:28
  • @Graphain: Good point. You'd still to send something to the server to let it know the cookie is gone though. – BoltClock Jun 17 '10 at 09:54
  • 1
    technically, the server does not need to know the cookie is gone. If the session storage is not touched, it will be garbage collected after session.gc_maxlifetime seconds – Gordon Jun 17 '10 at 10:04