5

What does session_destroy() function do? To delete all session variables in global array $_SESSION I have to use session_unset(). To remove session from the client browser (delete session id and name) I have to unset cookies:

unset($_COOKIES[session_id()]); unset($_COOKIES[session_name()]);

Why session_destroy() function is needed?

Improve this question
3
  • us.php.net/manual/en/function.session-destroy.php Commented Mar 2, 2012 at 18:51
  • 1
    Thank you very much, I've read that several times but can't understand what it does. Why it doesn't really destroys session. To destroy session I have to use two more steps. But in fact session_destroy() should do those steps for me. Commented Mar 2, 2012 at 18:56
  • 2
    If Another Code's answer has provided you with the the information you needed (I can't see how it couldn't), would you please accept it? That's usually how things are done here :p Commented Mar 4, 2012 at 10:49

1 Answer 1

Reset to default
11

session_destroy() ends the whole session, meaning it will be removed from PHP's session storage and can't ever be used again. If you'd only unset the session variables and cookies, the session would still be active server-side and could potentially be recycled if some session variables are set again and the cookie with the original session ID is sent to the client again.

To put it in another way: a session basically consists of a secret ID stored somewhere on the web server, together with session variables registered to that session. The session ID is sent to the client (usually as a cookie) so the client can be identified as 'owner' of the session on later requests. Assuming a session has already been created and has variables registered to it, here's an overview of what the functions do:

  • session_start() imports all session variables belonging to the session ID that the client sent from the session registry to the $_SESSION array
  • session_unset() or calling unset() on $_SESSION variables will clear all variables registered to the current session, but it will not clear the session itself
  • Unsetting the session cookie of the client will signal to the client that the session is over, but this will not remove the session from the session registry on the server either
  • session_destroy() is the only function that will actually purge the session from the session registry, thus literally 'destroying' the session

While session_destroy() will unregister all session variables, it won't clear the $_SESSION array in the script that's currently executing, so it's still a good idea to unset the session variables to prevent bugs and security issues.

On a related note, the PHP manual recommends not to use session_unset() but rather unset the keys from $_SESSION:

If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use unset() to unregister a session variable, i.e. unset($_SESSION['varname']);.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Only use session_unset() for older deprecated code that does not use $_SESSION. To free all SESSION VARIABLES use: $_SESSION = array()

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.