Session unset, or session_destroy?

Question

Possible Duplicate:
What is the difference between session_unset() and session_destroy() in PHP?

What is the best for security, and if the session is unset are load times better the next time the session has to accessed rather than recreated?

There is session destroy and unset, what are the differences? — Basic, Apr 18 '11 at 01:58
I don't think this is a duplicate. From the accepted answer, I think the user means `unset()` other than `session_unset()`. — Spencer Wieczorek, Apr 17 '15 at 19:41

Mike Lewis · Accepted Answer · 2011-04-18T02:13:11.037

59

Unset will destroy a particular session variable whereas session_destroy() will destroy all the session data for that user.

It really depends on your application as to which one you should use. Just keep the above in mind.

unset($_SESSION['name']); // will delete just the name data

session_destroy(); // will delete ALL data associated with that user.

edited Apr 18 '11 at 02:13

answered Apr 18 '11 at 01:57

Mike Lewis

63,433
20
141
111

3

Thanks that cleared it up, session destroy seems safer :) – Basic Apr 18 '11 at 02:00
2

If your goal is to destroy all session data for that user, yes. – Mike Lewis Apr 18 '11 at 02:02
Yes, it would be safer that way, as in the logout link. – Basic Apr 18 '11 at 02:03
20

I think OP was asking about session_unset vs session_destroy differences. unset ans session_unset are different functions. – Stann May 25 '11 at 20:53
6

For readers: Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal. – metalfight - user868766 Jun 27 '12 at 06:36
This answer is confusing . "session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called. " - php.net/manual/en/function.session-destroy.php – Istiaque Ahmed Oct 17 '17 at 07:17

Marcel · Answer 2 · 2019-02-10T12:06:32.173

9

Something to be aware of, the $_SESSION variables are still set in the same page after calling session_destroy() where as this is not the case when using unset($_SESSION) or $_SESSION = array(). Also, unset($_SESSION) blows away the $_SESSION superglobal so only do this when you're destroying a session.

With all that said, it's best to do like the PHP docs has it in the first example for session_destroy().

edited Feb 10 '19 at 12:06

answered Apr 18 '11 at 02:37

Marcel

27,922
9
70
85

1

Any idea why the $_SESSION variables are still set after calling session_destroy() ? – wkm Jul 23 '12 at 20:36
3

@wkm, "`session_destroy()` destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, `session_start()` has to be called. " - http://php.net/manual/en/function.session-destroy.php – Istiaque Ahmed Oct 17 '17 at 07:14
@IstiaqueAhmed "Data" seems ambiguous. The session variables contain "data." I suppose `session_destroy()` destroys the contents of the session file for that session, or destroys the entire file. In my case, it deletes the row in my database for that session id. So, as I understand it, the `$_SESSION` variable is populated by values from those "data" sources at the beginning of the request. Then `$_SESSION` may be modified during execution. Finally, when the request is finished, PHP will "write" to the "data" (file/db) and empty the `$_SESSION` variable. Is that about right? – Buttle Butkus Jan 14 '19 at 23:00

Session unset, or session_destroy?

2 Answers2

Linked