PHP: What Does session_destroy Do?

PHP or Hypertext Preprocessor is an open source scripting language. It is one of the most widely used scripting languages for general purpose. It is also usually incorporated with HTML and is used for web development. In PHP, there’s this term called “session_destroy”. In this article, we will discuss session_destroy and what it does in PHP.

What is session_destroy?

The term “session_destroy” refers to the function of destroying all data that comes with the current session. In addition, it does not unset the global variables that come with the session or even the session cookie. Nevertheless, it must be noted that there’s no need to call session_destroy from the usual code. Instead of destroying the session data, you can clean up $_SESSION array.

Is it possible to use the session variables again?

Yes, it is. If you have used session_destroy but want to use your session variables again, you can bring the variables back by calling session_start.

Is it possible to kill the session altogether?

Yes, it’s possible. In order for you to kill the session altogether, you should unset the session ID. However, if you use a cookie to propagate the session ID, which is the default behavior, then you must delete the session cookie. To do this, you can use setcookie().

In the event when you enable the session.use_strict_mode, you don’t need to remove the obsolete session ID cookie. That’s because the session module won’t accept the session ID cookie if there’s no data that comes with the session ID and the new session ID cookie. Regardless of the site you use, it’s recommendable to enable session.use_strict_mode.

important things to note

It’s important for you to note that an immediate session deletion can potentially cause unwanted results. In the event when there are concurrent requests, there may be a possibility to see sudden loss of session data.

While the current session module doesn’t accept an empty session ID cookie, an immediate session deletion can possibly result in an empty session ID cookie because of client side race condition.

To avoid these instances, you should set the deletion time-stamp to $_SESSION as well as reject access while later. You should also ensure that the application doesn’t have any concurrent request.

Leave a Reply

Your email address will not be published. Required fields are marked *