Session_destroy does not disable session_id

I am working on an online ticketing system where, after a successful reservation (after payment), I want to clear the session ID. But I cannot clear it, although I used session_destroy() to destroy the session.

NB: I repeated session_id to check if it is reset or not.

URL: http://7sisters.in/7sislabs/

    function book_final_tickets()
    {
        //var_dump($_SESSION);
        $session_id = session_id();
        $sql = "
            UPDATE tbl_seat_book
            SET final_book = 'Y'
            WHERE session_id = '$session_id'
        ";
        //session_unset();
        if ($r = $this->db->executeQuery($sql)) {
            if (session_destroy()) {
                unset($session_id);
                echo 'Booking successfull';
            }
        }
    }
+4
5 answers

Call session_id before session_start and set session_id manually.

Example 1: the same session_id will be used

    <?php
    session_start();
    echo session_id(); //4ef975b277b52
    session_destroy();

    session_start();
    echo session_id(); //4ef975b277b52
    ?>

Example 2: set session_id manually (before session_start() )

    <?php
    session_id(uniqid());
    session_start();
    echo session_id(); //4ef975d3d52f5 (A)
    session_destroy();

    session_id(uniqid());
    session_start();
    echo session_id(); //4ef975d3b3399 (B)
    ?>

(A) != (B), so you can set session_id manually; see http://php.net/manual/en/function.session-id.php for more information.

Another solution: don't use session_id(), just create a new session array:

    <?php
    $_SESSION['booked'] = false;
    if ($r = $this->db->executeQuery($sql)) {
        $_SESSION['booked'] = true;
        echo 'Booking successfull';
    }
    ?>
+2

session_destroy() will not delete the cookie on the client side by itself, so the next time the user visits, they will still have the same session identifier (but their session information on the server side will have been destroyed).

From the documentation (emphasis mine):

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. ... In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted.

You can use session_regenerate_id(true) to create a new session ID and delete the old one. Note that this will keep all the information in $_SESSION as part of the new session ID, so you still need to use session_destroy if you want to clear the session information and start a new one.

eg.

    <?php
    session_start();
    $_SESSION['blah'] = true;

    var_dump(session_id()); // q4ufhl29bg63jbhr8nsjp665b1
    var_dump($_SESSION);    // blah = true

    session_unset();
    session_destroy();
    setcookie("PHPSESSID", "", 1); // See note below
    session_start();
    session_regenerate_id(true);

    var_dump(session_id()); // gigtleqddo84l8cm15qe4il3q3
    var_dump($_SESSION);    // (empty)
    ?>

and the headers will show the change in the session identifier on the client side:

Request header

    Cookie: PHPSESSID=q4ufhl29bg63jbhr8nsjp665b1

Response header

    Set-Cookie: PHPSESSID=deleted; expires=Mon, 27-Dec-2010 16:47:57 GMT
    PHPSESSID=gigtleqddo84l8cm15qe4il3q3; path=/

(You can do without calling setcookie() here since you are still creating a new session, so the cookie will be overwritten with the new identifier, but it is good practice to explicitly destroy the old cookie).

+10

Try the following:

    unset($session_id);
    session_destroy();
0

Instead of

session_destroy();

I would rather do only

session_regenerate_id(true);

and you will get a new session_id

0

After destroying the session with session_destroy(), this worked for me:

    setcookie('PHPSESSID', "", time() - 3600, '/');

The key for me was setting the path to '/'. This was the only way to really destroy cookies.

0
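
An added example, not part of any answer above: one way to combine the steps the answers describe (clear the data, expire the cookie with its original path, destroy the server-side record, then issue a fresh ID). The helper name end_session_and_restart is hypothetical; it must run before any output is sent, because it sets cookies.

```php
<?php
/**
 * Hypothetical helper: end the current session and give the browser a
 * new, empty one. Returns the old session ID so the caller can still
 * use it (e.g. for the booking UPDATE or an audit log).
 */
function end_session_and_restart(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $oldId = session_id();

    // 1. Drop the session data held in this request.
    $_SESSION = [];

    // 2. Expire the cookie using the same name, path and domain it was
    //    set with. A different path leaves the old cookie in the browser,
    //    which is why the '/' path mattered in the last answer.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }

    // 3. Remove the server-side session record.
    session_destroy();

    // 4. Start again. This request still carries the old cookie, so
    //    session_start() may come back with the old ID; regenerate it
    //    and delete whatever was stored under the old one.
    session_start();
    session_regenerate_id(true);

    return $oldId;
}

// Usage sketch: finish the booking under the old ID, then rotate.
// $bookedId = end_session_and_restart();
// session_id() now differs from $bookedId and $_SESSION is empty.
```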

Source: https://habr.com/ru/post/1388091/

