4

Some people say use unset($_SESSION["..."]) and some say session_unset() and some say $_SESSION = array() and some say session_destroy() and I am saying "for God's sake, this stuff is getting confusing, can someone please explain to me which is the correct/secure way to log the user out" and what is used for what?

Appreciated...

user229044
Tarik

6 Answers

4
```php
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>
```

RTM

daiscog
  • But why are we unsetting all of $_SESSION instead of just using `session_destroy()`? Doesn't `session_destroy()` remove all the variables and data? – Tarik Oct 12 '11 at 20:32
  • 1
    When we call `session_start()` the `$_SESSION` array gets loaded into RAM from the session file on the server - this is where the session variables are saved between requests. `session_destroy()` will delete the session file. It does _not_ clear the `$_SESSION` array. – daiscog Oct 12 '11 at 20:38
1

Here is the difference between the entities.

You can remove a single variable in the session:

```php
unset($_SESSION['shape']);
```

This would remove all the variables in the session, but not the session itself:

```php
session_unset();
```

This would destroy the session variables:

```php
session_destroy();
```
Wazy
1

First of all, session_destroy() is not the same as the other methods. This one will destroy the current session data on the server, but will not unset any of the variables. It's simply the counterpart to session_start().

session_unset() is the deprecated equivalent to doing $_SESSION = array(). The latter and unset($_SESSION["..."]) are different only in the fact that the unset() route will only unset a single session variable, the one named in [...]. Never do unset($_SESSION), as that will interfere with the session mechanism itself.

Old question reference.

Community
Naltharial
0

The only ones saying session_unset() are the ones stuck on obsolete versions of PHP - the function's been deprecated for a LONG time now.

The exact answer to this question depends on exactly what your code uses to determine if someone is "logged in" vs. someone who is "logged out".

If you have a single $_SESSION['logged_in'] = true that your code looks for, then why unset it? Just set it to false and boom... user is logged out.

Marc B
  • I see no reference to `session_unset()` being deprecated in [the manual](http://uk3.php.net/manual/en/function.session-unset.php) - can you cite a reference to this please? – daiscog Oct 12 '11 at 20:03
  • session_unset is the reverse of session_register, which IS deprecated. All session variable operations should be done directly on $_SESSION now, treating it as a regular array. – Marc B Oct 12 '11 at 20:15
  • Thanks for that info. TBH, I've never used `session_unset()` and have always cleared session vars using `$_SESSION = array()` as the manual says we should :-) - still, I see `session_unregister()` _is_ marked as deprecated in the manual, but no such notice for `session_unset()`. – daiscog Oct 12 '11 at 20:27
0

session_destroy — Destroys all data registered to a session
session_unset — Free all session variables

http://www.php.net/manual/en/book.session.php

The most I've seen used is to call them in this order.

```php
session_unset();
session_destroy();
$_SESSION = array();
```
Michael D. Irizarry
0

If you use session_destroy() then the cookie in the browser is also cleared (and probably a new session gets created later).

Personally I use an object(s) to track different things (like public loggedIn = False; and a function which actually logs the user in).

session_unset() is handy if you want to keep the cookie, but you will end up with more empty sessions on the server.

borrel
  • `session_destroy()` does nothing to the cookie - it deletes the stored session data on the server (i.e., the temporary file used to store the session vars). It is used to keep things clean server-side, without relying too heavily on the garbage collector. To delete the cookie, you need to set its value to an empty string and its expiry time to a time in the past. – daiscog Oct 12 '11 at 20:11
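
daiscog's two comments can be checked from the PHP CLI with the script below, which is an added example and not code from the thread: it compares `session_destroy()` on its own with the full sequence from the first answer. It assumes the default `files` save handler; `session_file()`, `demo_logout()`, `report()` and the `user_id` key are hypothetical names.

```php
<?php
// Added example, not code from the thread. Run with the PHP CLI.
// Assumptions: default "files" save handler writing sess_<id> files;
// session_file(), demo_logout(), report() and 'user_id' are hypothetical names.
ini_set('session.save_path', sys_get_temp_dir());
ini_set('session.use_cookies', '0'); // the CLI has no browser to hold a cookie

// Path of the file the "files" handler uses for a given session ID.
function session_file(string $id): string
{
    return rtrim(session_save_path(), '/\\') . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

// The full sequence from the first answer, wrapped in a function.
function demo_logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = array();                       // clear the in-memory copy
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();      // expire the browser cookie
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                         // delete the server-side data
}

// One report line: is the file gone, and is the variable gone from memory?
function report(string $label, string $file): string
{
    clearstatcache();
    return sprintf('%-24s file on disk: %-3s  $_SESSION has user_id: %s',
        $label, file_exists($file) ? 'yes' : 'no',
        isset($_SESSION['user_id']) ? 'yes' : 'no');
}

$lines = array();
$cases = array('session_destroy() only' => 'session_destroy', 'full logout' => 'demo_logout');
foreach ($cases as $label => $fn) {
    session_start();
    $_SESSION['user_id'] = 42;                 // constructed sample value
    $file = session_file(session_id());
    $fn();                                     // run the logout variant under test
    $lines[] = report($label, $file);
}
echo implode(PHP_EOL, $lines), PHP_EOL;        // printed last, after all session calls
```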