PHP session_destroy and session scope?

OK there are many "simple session" questions out there, but I can't seem to find what I'm after. It bugs me a little bit as the PHP document does not seem to explain this well.

Three fold questions.

  1. It says that session_destroy() wipes out the session data but not the global variable. So it wipes the data but the variables are still intact? What does the documentation mean by global variables?

  2. What are the different types of ways that I can use to destroy session data, isn't session_destroy enough? Why would you use the below coding as I've seen in some code examples:

    $_SESSION = array();

  3. Sessions seem to persist across browser instances. For example, IE9 will keep the same session id when two separate browsers are opened. Same with Chrome. Only when I close all the browsers, will I get a new session id. Is this always the case for all browsers? I want to know so that I can keep this in mind during my coding - wouldn't want to find out later that some browsers are not persistent and my code thinks that it does, then run the risk of producing all sorts of errors.

Thanks in advance for anyone who can help me answer these questions.

asked 31 Jul 12 at 13:07

2 Answers

  1. $_SESSION is the super global variable
  2. The session_destroy function is basically enough. It deletes the session_file on the server where all session-variables are stored and removes the session-cookie. The variables are after the session_destroy call still in the memory, but changing these values has no effect (except you call session_start() again).

    But the code snippet removes the variables from the memory too. This is important if for example the application checks for $_SESSION['admin'] later in the same request to see if the user has admin rights.

    The session_start() function is needed because you need to load the session first to delete it.

  3. Sessions are not persistent across different browsers, however they are persistent across all windows/tabs of the same browser. What happens if you close the browser really depends on your PHP-ini setting. session.cookie_lifetime defines how long (in seconds) the browser should keep the cookie (even after restart). If session.cookie_lifetime is set to 0 the browser deletes the session cookie when closing.

    session.gc_maxlifetime defines how long the webserver keeps the session file (without the session file the session-cookie is invalid)

Answered 31 Jul 12, 14:07

regarding question2: can you clarify "basically enough"? If by enough you mean the data is cleared from memory, I don't see the need to duplicate this action with another line of code. However, if you're saying that it does not clear from memory, then it makes sense to empty it first. regarding question 3: When I close all my browsers, I get a new session id. So by reasons of deduction, when all browsers are closed, I lose whatever cookie that PHP uses - therefore it is no longer persistent? Thanks. - cazador

@Morgria I'm still unsure about question 2. I did more testing and it appears that session_destroy does not clear the data immediately. I was able to still access the session data after the session_destroy. However, as soon as I refreshed the page, the session data was destroyed. I noted that after the session_destroy, the session_id was unset, but the session data was still accessible. So I can only conclude that for immediate destruction of data, unset it during run-time. Whereas, if your script is at the end, then session_destroy will do. Correct me if I'm wrong. Thanks. - cazador

Ok, more testing and I figured out exactly what's happening behind the scene. session_start() creates a new file on the server. session_destroy() deletes this file from the server. Between session_start() and session_destroy(), any session variable prescribed using the global variable $_SESSION is written to the file. The $_SESSION variable lives for the lifetime of the script. The only way to kill it before the script end is by unsetting it. session_destroy() does not do this for you. Note that cookies are not destroyed either, thanks. session_destroy() is enough if used at the end. - cazador

What does the documentation mean by global variables?

It's talking about the $_SESSION superglobal variable.

What are the different types of ways that I can use to destroy session data, isn't session_destroy enough? Why would you use the below coding as I've seen in some code examples:

You use that to get rid of the contents of $_SESSION so the rest of the script doesn't use now-expired data. At some point in your script, you've decided that you're clearing a user's session, so you don't want any other logic to use that session data. By setting $_SESSION to an empty array, all of its prior contents are wiped.

Is this always the case for all browsers?

Yes, the session is associated with a particular user based on a cookie (typically), and will be sent to your site every time a user accesses the site (if they have the cookie), regardless of how many tabs are open or whether or not they are even using tabbed browsing.

Answered 31 Jul 12, 13:07
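Added example, not part of either answer or of PHP's own code: a logout helper that combines the steps discussed above (empty `$_SESSION`, expire the session cookie, then `session_destroy()`), followed by a demonstration that `session_destroy()` alone leaves `$_SESSION['admin']` readable for the rest of the request. The function name `end_session` is hypothetical and the `admin` value is constructed sample data.

```php
<?php
declare(strict_types=1);

/**
 * End the current session: in-memory data, session cookie, server-side storage.
 * Hypothetical helper name, introduced for this example only.
 */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // the session must be loaded before it can be destroyed
    }

    // 1. Empty the superglobal so later checks in this request see no stale data.
    $_SESSION = [];

    // 2. Tell the browser to drop the session cookie; session_destroy() does not do this.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Delete the server-side session data.
    session_destroy();
}

// --- Demonstration with a constructed value ---
session_start();
$_SESSION['admin'] = true;

session_destroy();
// Still true: the storage is gone, but $_SESSION stays populated for this request.
$staleAdmin = !empty($_SESSION['admin']);

session_start();           // begins a fresh, empty session
$_SESSION['admin'] = true;

end_session();
// Now false: the superglobal was emptied before the storage was destroyed.
$adminAfterLogout = !empty($_SESSION['admin']);

var_dump($staleAdmin, $adminAfterLogout);
```

Any authorization check that runs later in the same request, such as the `$_SESSION['admin']` test mentioned in the first answer, should come after a call like `end_session()` rather than after a bare `session_destroy()`.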
