PHP 5.3 + How To Completely Destroy Session Variables In PHP

The Sessions Bonanza

By default sessions are stored on the disk your server, you can find out the path by echo-ing for the attribute session.save_path:
echo ini_get( “session.save_path” );
(You can change that path in php.ini)

PHP Sessions are destroyed automatically when you close your browser. But what if you want to destroy the session before without closing the browser?

The Famous session_destroy – Remove Sessions From Disk

From php.net:

session_destroy() destroys all of the data associated with the current session.
It does not unset any of the global variables associated with the session, or unset the session cookie.

What this means, is that session_destroy() will ONLY erase session data from the server’s disk! WHILE the data present
in the global $_SESSION is still present! So, session_destroy() is only the first part of the equation..

Clear Data Inside Globals – Remove session from $_SESSION

$_SESSION = array();
session_destroy();

Now you would say that the global has been cleared and we have also remove sessions from the disk, so it’s done now? NO! Not yet..
Who is the culprit now?
HINT: Your browser!

Yes, your browser still retains / saves an essential ingredient of the session in the form of a cookie – more precisely the PHPSESSID.
This is like a Replicator from stargate (joking). Well, while the PHPSESSID helps your PHP-system to recreate the session back, it will not really contain all the previous data.
But still you really need to destroy this as well..

Final – Completely Destroy Session In PHP

Now that you know all the parts where session can have traces, the final code would now be like:

//remove PHPSESSID from browser
if ( isset( $_COOKIE[session_name()] ) )
setcookie( session_name(), “”, time()-3600, “/” );
//clear session from globals
$_SESSION = array();
//clear session from disk
session_destroy();

To Summarize Destroying Sessions In PHP:

Steps:
1- Remove Session data from the server’s disk
2- Remove data from globals
3- Clear any traces of PHPSESSID from your browser’s session cookie

If You Appreciate What I Do Here On Seven PHP :: 7PHP, You Could Consider:

  1. Following me on Twitter | @7php
  2. LIKE-ing my FaceBook page
  3. Subscribe to my Email List - see top-right subscription box
  4. Help diffuse this interview to the PHP ecosystem - Share & Spread the word as far as you can ==> That would be a FREE way to thank me
  5. Use my DigitalOcean referral link if you plan to use it as your VPS (it starts at only $5/month btw) or if you can refer it to your friends, highly appreciated.
  6. Support via Paypal donate - my Paypal ID is w@7php.com

{I'm thankful to your response(s)!}

Valuable Feedback / Comment / Review From People Like You

  1. Off-topic :
    Clearly maximizing the use of your time here :-) lol

  2. Hey Yashvin! Nice to see you :)
    Yeps, indeed! 😀

  3. The session_unset() function frees all session variables currently registered.
    http://php.net/manual/en/function.session-unset.php

  4. Thank you for the tip on removing PHPSESSID from the browser. That did the trick. Gracias!

Speak Your Mind

*