19

I have heard mixed responses on this topic, so what is a surefire way to destroy a PHP session?

session_start();
if (isset($_SESSION['foo'])) {
    unset($_SESSION['foo']);
    // ...
}
session_destroy();

In the most simple of cases, would this be sufficient to truly terminate the session between the user and the server?

trante
niczak
  • Have a look at: http://stackoverflow.com/questions/10648565/destroying-php-session/10662060#10662060 – Brett May 20 '12 at 06:38

4 Answers

45

To destroy a session you should take the following steps:

  • delete the session data
  • invalidate the session ID

To do this, I’d use this:

session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends a Set-Cookie header with an expiry in the past to invalidate the session cookie
if (isset($_COOKIE[session_name()])) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy();

And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:

session_start();
if (!isset($_SESSION['CREATED'])) {
    // invalidate old session data and ID
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:

if (time() - $_SESSION['CREATED'] > (int) ini_get('session.gc_maxlifetime')) {
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}
ShawnDaGeek
Gumbo
  • I know this is old, but you just answered like 3 questions in one answer for me. Thank you! – jefffan24 Mar 06 '11 at 00:08
  • In your first example on line 5, instead of `$_COOKIES` it should be `$_COOKIE`, otherwise you might wonder why it's never destroying the session cookie since `isset($_COOKIES[session_name()])` would never evaluate to true. – Kid Diamond Aug 28 '14 at 20:00
  • @Gumbo following your advice, finally I was able to remove the session cookie... Anyway, is there some recent way to do it? –  Oct 09 '14 at 11:07
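The two halves of the answer above (clearing data and expiring the cookie on logout, and accepting only session IDs your own script issued) fit naturally into one bootstrap function and one logout function. The following is an added example, not code from the answer or from the PHP manual; the function names `secure_session_start()` and `logout()` are this example's own, and it assumes PHP 7.3 or later for the array form of `setcookie()` and the `samesite` key returned by `session_get_cookie_params()`.

```php
<?php
// Added example: session bootstrap plus logout, based on the steps in the
// accepted answer. Function names are the example's own, not a PHP API.

function secure_session_start(): void
{
    // Only honour IDs the server itself generated (rejects client-chosen IDs),
    // never read the ID from the URL, and keep the cookie away from JavaScript.
    // These must be set before session_start().
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');

    session_start();

    // A session without our flag was not created by this script: discard its
    // data and give it a fresh ID (the old record is deleted server-side).
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['CREATED'] = time();
    }

    // Rotate the ID periodically so a captured ID stops working after a while.
    // session_regenerate_id() keeps $_SESSION, so the CREATED flag survives.
    $maxLifetime = (int) ini_get('session.gc_maxlifetime');
    if (time() - $_SESSION['CREATED'] > $maxLifetime) {
        session_regenerate_id(true);
        $_SESSION['CREATED'] = time();
    }
}

function logout(): void
{
    // 1. Drop the data for the remainder of this request.
    $_SESSION = [];

    // 2. Ask the browser to delete the cookie: same name, path and domain as
    //    the one that was set, with an expiry in the past.
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Remove the session record on the server so the old ID cannot be
    //    resumed even if the browser keeps the cookie.
    session_destroy();
}

secure_session_start();

// Usage: any page that handles logout calls logout() and then redirects,
// so no further code in this request relies on the now-empty session.
if (($_GET['action'] ?? '') === 'logout') {
    logout();
    header('Location: /');
    exit;
}
```

The `$_SESSION = []` in the unflagged branch is deliberate: `session_regenerate_id(true)` deletes the old session record but carries the current `$_SESSION` contents over to the new ID, so clearing first is what actually discards data attached to an ID the script never issued. With `session.use_strict_mode` on, an unknown ID from the client is rejected by `session_start()` itself, which closes the common session-fixation case before the flag check even runs.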
1

The PHP Manual addresses this question.

You need to kill the session and also remove the session cookie (if you are using cookies).

See this page (especially the first example):

http://us2.php.net/manual/en/function.session-destroy.php

Eli
0

In the one site I've made where I did use PHP sessions, I never actually destroy the session.

The problem is that you pretty much have to call session_start() to check for your $_SESSION variables, at which point, lo and behold, you've created another session anyway.

Hence on my site I just made sure that every page called session_start(), and then just unset() those parts of the session state that matter when the user logs off.

Alnitak
  • Thanks for the input, Alnitak. This is what I suspected with calling session_start() on every page. I'll just continue to unset the variables as they are used. – niczak Feb 03 '09 at 21:46
-1
$_SESSION = [];
// unset() is a language construct, so it cannot take the @ operator; note that
// this only removes the entry from this request's $_COOKIE array, the browser
// still holds the cookie until a Set-Cookie header expires it
unset($_COOKIE[session_name()]);
session_destroy();
zloctb