By reading up on session_unset() and session_destroy() I've found notes that destroy does not clean up variables and such.

  1. How come the code below does not clean up the $_SESSION superglobal, which it should by its documentation?

  2. Is this behavior documented anywhere?

Snippet to reproduce:

#!/usr/bin/php
<?php

session_start();

$_SESSION['x'] = 1;

// If you uncomment this, `session_unset` works as intended.
session_destroy();

// It doesn't matter if you call unset, it won't have any effect
// as session_destroy was called.
session_unset();

fwrite(STDERR, var_export($_SESSION, true));
// prints: array ('x' => 1), even though session_unset was called
p1100i

2 Answers

Because session_destroy() will remove all sessions related to that user. Here is the documentation.

TEFO

I think this behavior is about the implementation of the default session driver. (See here).

When session_destroy is called, PHP triggers the destroy method of the session handler class. Perhaps it destroys only the data without touching $_SESSION, and when session_unset is called, it checks each $_SESSION item: if the item's key is persisted, it deletes it; if not, it does nothing.

Finally, when you call session_destroy first, all data is destroyed, so session_unset can't do anything while $_SESSION[$key] isn't persisted.

<?php
foreach($_SESSION as $key=>$value)
{
   global $data_persisted; // fictitious variable containing the persisted data as an array
   if (isset($data_persisted[$key]))
   {
      unset($_SESSION[$key]);
   }
}

Finally, after calling session_destroy and session_unset respectively, $_SESSION will still have its data.

Goms
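An added example (not from the question or either answer) of a logout-style teardown that follows the order shown in the PHP manual's session_destroy() example: clear `$_SESSION`, expire the session cookie, then destroy the stored data. `terminate_session()` is a hypothetical helper name, and the array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added example: full session teardown for a logout path.
// terminate_session() is a hypothetical helper, not a PHP built-in.
function terminate_session(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Nothing to tear down; session_unset() would also return false here.
        return false;
    }

    // 1. Clear the in-memory copy first: session_destroy() leaves $_SESSION
    //    untouched, and once the session is inactive session_unset() is a no-op.
    $_SESSION = [];

    // 2. Expire the session cookie so the client stops presenting the old ID.
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
        ]);
    }

    // 3. Remove the server-side record last; the session is inactive afterwards.
    return session_destroy();
}

// Demonstration with a constructed value, mirroring the question's snippet.
session_start();
$_SESSION['x'] = 1;

$destroyed = terminate_session();

// Report what is left: teardown result, session state, and the superglobal.
fwrite(STDERR, var_export([
    'destroyed'      => $destroyed,
    'session_active' => session_status() === PHP_SESSION_ACTIVE,
    'session_data'   => $_SESSION,
], true) . PHP_EOL);
```

If the same request goes on to read `$_SESSION` after logout, clearing the array before `session_destroy()` is what keeps stale identity or privilege values from being used.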