1

I have searched many questions regarding session_destroy, and the frequent response from the answerers involves quoting directly from the PHP manual, which states the following:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

In a question asking "What is the difference between session_unset() and session_destroy() in PHP?", the answerer mentions the $_SESSION variable and session storage but never goes deep enough.

I think a lot of the confusion arising from the function session_destroy is due to a lack of understanding of session data and mixing it up with the $_SESSION variable. I would like to know what the actual purpose of session data is if the $_SESSION variable already contains that data?

Thanks.

Question Overflow
  • I did wait a while, but seems no one is answering except nickb. I can still remove my tick and tick a better answer if any comes along. Would you give it a try? – Question Overflow Nov 03 '11 at 04:45
  • I don't have a better answer than nickb's answer. Someone could avoid reading your question because it's already answered. – Luc M Nov 03 '11 at 04:50
  • Perhaps, I would wait longer if anyone feels that my question is constructive to begin with... – Question Overflow Nov 03 '11 at 04:53

1 Answer

3

Simplified answer:

The purpose for $_SESSION is to store data that you (as the web application developer) would like to have preserved across page loads. Thus, you can set flags in your login script such as logged_in to check if the user is logged in, and on any other page check $_SESSION['logged_in'] == true, instead of querying for that information.

Your OP seems to assume that data is automagically present in $_SESSION. You as the developer determine what is placed in $_SESSION; it is not done for you.

Hope this helps.

Edit: I see. The data in the file stored at session.save_path is where PHP saves the information you store into the $_SESSION array. This is how PHP can reload the $_SESSION data across page loads. So, when a script begins execution and calls session_start, PHP fetches the appropriate data from the file at session.save_path and loads it into $_SESSION.

At the start of a page's execution, the data in session.save_path and $_SESSION are identical. However, the script may add or remove data from $_SESSION, which will eventually cause the file at session.save_path to be updated so that it reflects the changes made to $_SESSION.

nickb
  • No, I am asking what is the difference between session data which is located in a file in `session.save_path` and the global `$_SESSION` variable. – Question Overflow Nov 03 '11 at 04:16
  • Oh, I see now. I've updated my answer with what I can remember about sessions. Hope that helps. – nickb Nov 03 '11 at 04:23
  • If I destroy the session data, why wouldn't `$_SESSION` unset itself? – Question Overflow Nov 03 '11 at 04:30
  • I'm not 100% sure on this, but: When you destroy the session data, you're telling PHP to get rid of the data in `session.save_path`. But, since `$_SESSION` is a variable and already loaded on the page, it still contains the (now incorrect) session data. By unsetting it, the rest of the script's execution will see that `$_SESSION` is empty. – nickb Nov 03 '11 at 04:35
  • You mention that "PHP fetches the appropriate data from the file at session.save_path and loads it into `$_SESSION`". So, wouldn't the `$_SESSION` variable be cleared upon reload? – Question Overflow Nov 03 '11 at 04:38
  • It would, but when you destroy the session, the script needs to end. If the script doesn't end right after you destroy the session, somewhere down the line you might try to use `$_SESSION`, when it in reality contains invalid data. – nickb Nov 03 '11 at 04:45
  • I see.. This is a valuable comment. One up for you. – Question Overflow Nov 03 '11 at 04:49
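
The three pieces discussed in this thread (the stored record under `session.save_path`, the in-memory `$_SESSION` array, and the session cookie) can be observed separately from the PHP CLI. This is an added example, not code from the question or the answer; it assumes the default `files` save handler with its `sess_<id>` file naming, uses a temporary directory as the save path, and `destroy_session_completely()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Full logout: clear the in-memory copy, expire the cookie, delete the stored record.
function destroy_session_completely(): void
{
    $_SESSION = [];                          // in-memory copy used by the rest of this request

    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();    // reuse the attributes the cookie was set with
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();                       // stored record under session.save_path
}

// Demo with constructed values. Assumes the default "files" save handler.
$report = [];
ini_set('session.save_path', sys_get_temp_dir());

session_start();
$_SESSION['logged_in'] = true;
$file = session_save_path() . '/sess_' . session_id();
session_write_close();                       // flush $_SESSION to the session file
$report['file written'] = file_exists($file);

session_start();                             // reload the same session from the file
session_destroy();                           // removes the stored record only
$report['file left after session_destroy()'] = file_exists($file);
$report['$_SESSION still set in this request'] = isset($_SESSION['logged_in']);

session_start();                             // a fresh session
$_SESSION['logged_in'] = true;
destroy_session_completely();
$report['$_SESSION set after full logout'] = isset($_SESSION['logged_in']);

// Output is printed last so that no session_start() call runs after output has begun.
var_export($report);
```

An authorization check that reads `$_SESSION['logged_in']` later in the same request, after a bare `session_destroy()`, is the case the full logout helper is meant to close.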