PHP - Destroying a Session

Introduction

By default, PHP sessions are automatically deleted when users quit their browser, because the PHPSESSID cookie's expires field is set to zero.

To destroy a session immediately, you can simply call the built-in session_destroy() function:

session_destroy();

This merely erases the session data from the disk.

The data is still in the $_SESSION array until the current execution of the script ends.

So, to make sure that all session data has been erased, you should also reset the $_SESSION array to an empty array:

$_SESSION = array();
session_destroy();

Now, a trace of the session remains in the form of the PHPSESSID cookie in the user's browser.

When the user next visits your site, PHP will pick up the PHPSESSID cookie and re-create the session, though the session won't contain any data when it's re-created.

To really make sure that you have wiped the session from both the server and the browser, you should destroy the session cookie:

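// Expire the session cookie in the browser: empty value, expiry in the past
if (isset($_COOKIE[session_name()])) {
  setcookie(session_name(), '', time() - 3600, '/');
}

// Clear the in-memory data, then remove the session data from the server
$_SESSION = array();
session_destroy();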
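
The three steps above combined into one logout helper, as an added example that is not part of the original page. The function name destroy_session_completely() is hypothetical. The example assumes PHP 7.3 or later, and it reads the path, domain and flags from session_get_cookie_params() instead of hard-coding '/', because a browser only drops a cookie when the expiring cookie matches the path and domain it was set with.

```php
<?php
// Added example: full logout helper (function name is hypothetical).
// Requires PHP 7.3+ for the options-array form of setcookie().
function destroy_session_completely(): bool
{
    // session_destroy() only works on an active session.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the in-memory copy so the rest of this request sees no data.
    $_SESSION = [];

    // 2. Expire the browser cookie. The browser only drops it when path and
    //    domain match the values the cookie was originally set with.
    $cookieCleared = true;
    if (ini_get('session.use_cookies')) {
        if (headers_sent()) {
            // Too late to send a Set-Cookie header in this response.
            $cookieCleared = false;
        } else {
            $p = session_get_cookie_params();
            $options = [
                'expires'  => time() - 3600,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
            ];
            if (!empty($p['samesite'])) {
                $options['samesite'] = $p['samesite'];
            }
            $cookieCleared = setcookie(session_name(), '', $options);
        }
    }

    // 3. Remove the server-side session data.
    $destroyed = session_destroy();

    // False means a stale cookie or stale server data may remain.
    return $cookieCleared && $destroyed;
}
```

Call it before any output is sent, since the cookie can only be expired while response headers are still writable.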
