  1. #1
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328

    session_unset() or session_destroy() ?

    I'm researching sessions and how to create and end them.
    I've come to the part where someone would want to log out and not have someone else on the same computer be able to instantly continue their session.

    Which should I use, unset or destroy?

    They both seem to do a similar job so I don't know which is more appropriate.

    And what would I want to store as a variable apart from the username?

    I'll be attempting to integrate the session handling with a MySQL database (haven't got that far in the book yet, though).

  2. #2
    SitePoint Zealot
    Join Date
    May 2009
    Location
    usa
    Posts
    113
    Use session destroy if you wish to destroy the complete session; in case you just wish to remove a variable from the session, use unset.

  3. #3
    rajug.replace('Raju Gautam'); bronze trophy Raju Gautam's Avatar
    Join Date
    Oct 2006
    Location
    Kathmandu, Nepal
    Posts
    4,013
    Unset will just unset (remove) the particular session variable(s), but destroy will (the word itself describes it) destroy all the sessions, which means all the session variables will be removed/deleted. And if you want a session again then you need to restart the session. So what is your need? If you just want to unset a session variable (which can also be used in case of user logout) then go for the unset function and pass the session variable(s) to it. Or if you don't want to have anything then go for session_destroy().

  4. #4
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    As I'm new to sessions I'm not really sure of its full abilities and how it can be used.

    Why would I want to maintain a session after the user has logged out?

    The way I'm thinking is that once a user has logged out, that's it, it's over until they log in again I suppose.

    What should I be storing in a cookie other than a username if I'm integrating it with a database?

  5. #5
    SitePoint Zealot adam.jimenez's Avatar
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by stevex33 View Post
    As I'm new to sessions I'm not really sure of its full abilities and how it can be used.

    Why would I want to maintain a session after the user has logged out?

    The way I'm thinking is that once a user has logged out, that's it, it's over until they log in again I suppose.

    What should I be storing in a cookie other than a username if I'm integrating it with a database?
    sessions will also be destroyed when a user closes their browser.
    if you want to have a "remember me" option you should use cookies.

    I would store the username and a one way password hash so that you can validate that the login is correct.

  6. #6
    rajug.replace('Raju Gautam'); bronze trophy Raju Gautam's Avatar
    Join Date
    Oct 2006
    Location
    Kathmandu, Nepal
    Posts
    4,013
    Quote Originally Posted by stevex33 View Post
    Why would I want to maintain a session after the user has logged out?
    I am not sure in your particular case here that for what purpose you are using sessions. But there might be some cases that you want to store some values in the sessions even after the user logs out. If you don't have anything to do with sessions after user logs out then you can just destroy the session.

  7. #7
    SitePoint Zealot
    Join Date
    May 2009
    Location
    usa
    Posts
    113
    The session should be maintained as long as the user is at the site. For example, a user who selects items in a shopping cart without logging in wishes to check out at the end. There the session will be necessary irrespective of the login ID.

  8. #8
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    Quote Originally Posted by stevex33 View Post
    I'm researching sessions and how to create and end them.
    I've come to the part where someone would want to log out and not have someone else on the same computer be able to instantly continue their session.

    Which should I use, unset or destroy?

    They both seem to do a similar job so I don't know which is more appropriate.

    And what would I want to store as a variable apart from the username?

    I'll be attempting to integrate the session handling with a MySQL database (haven't got that far in the book yet, though).
    $_SESSION = array(); probably does what you want as well.

    Think about it like this:

    session_start() checks to see if there is a session id, and if not creates one (in a browser cookie by default). It then has a way to identify the browser when it requests a page - note: not a user, a browser.

    For example, let's say php set the session id as r2d2. When that browser requests another page, php goes "oh hey, it's r2d2, let me load his file". The file is the $_SESSION array.

    Now perhaps r2d2 logged out, and c3p0 started using the computer. When r2d2 logged out, you would clear the "file", either through destroy, unset, or simply $_SESSION = array(). The session id (r2d2) is still there, none of those will clear it, for that you have to clear the cookie. However that doesn't really matter; there is no data left that means anything. The "file" for r2d2 is blank, so he can easily log on again as c3p0, in which case you create a new "file" (the $_SESSION array) for the new user. The session id just marks the browser.

  9. #9
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    Okay, let me see if I get this right.

    r2d2 logs in, this creates a cookie for r2d2, when he logs out, any data that's collected is removed, and there's just an empty cookie?

    So when c3po logs in does he use r2d2's cookie but it's filled with his own details, or is a new cookie created just for c3po? (All this is assuming that they're using the same computer)

  10. #10
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    Not quite, when you call session_start(), a cookie is created for the browser, regardless of whether they are logged in.

    The $_SESSION array is stored on the server, and php associates the cookie value with a particular $_SESSION.

    When the user logs in you store data in the $_SESSION array to identify them.

    So on logout, you can just clear the server side data: $_SESSION = array(); (or destroy etc), and the browser cookie (session id) will no longer be associated with any data that identifies the user in your system.

    The cookie will still exist, session_destroy() won't remove it, but it's just a random string identifying the browser. Another user can login with the same cookie, and you would simply assign their details to $_SESSION.

  11. #11
    SitePoint Addict skunkbad's Avatar
    Join Date
    Apr 2008
    Location
    Temecula, CA
    Posts
    272
    Quote Originally Posted by adam.jimenez View Post
    sessions will also be destroyed when a user closes their browser.
    if you want to have a "remember me" option you should use cookies.

    I would store the username and a one way password hash so that you can validate that the login is correct.
    You can easily set a session cookie to last after a user has closed their browser. You don't have to use regular cookies.

  12. #12
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    Well here's what I've got so far:

    Code:
    // Start session
    session_start();
    // If the username and password are set by the form, the uid and pwd values are taken from there; otherwise they're taken from the session (null if the session has none yet)
    $uid = isset($_POST['username']) ? $_POST['username'] : ($_SESSION['uid'] ?? null);
    $pwd = isset($_POST['password']) ? $_POST['password'] : ($_SESSION['pwd'] ?? null);

    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    When someone clicks logout, I'll just assign the session_destroy() to the click event.

    Will the above code be enough to maintain a session? What else should I be considering? I know I need to put a condition in to say if there is no session information from a filled in form or from an already existing session, they should be presented with a login form, but what else in terms of simply making a session work?

    And is it correct that I should put the session.auto_start, session.name etc into the php.ini file?

  13. #13
    SitePoint Zealot adam.jimenez's Avatar
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by stevex33 View Post
    Well here's what I've got so far:

    Code:
    // Start session
    session_start();
    // If the username and password are set by the form, the uid and pwd values are taken from there; otherwise they're taken from the session (null if the session has none yet)
    $uid = isset($_POST['username']) ? $_POST['username'] : ($_SESSION['uid'] ?? null);
    $pwd = isset($_POST['password']) ? $_POST['password'] : ($_SESSION['pwd'] ?? null);

    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    When someone clicks logout, I'll just assign the session_destroy() to the click event.

    Will the above code be enough to maintain a session? What else should I be considering? I know I need to put a condition in to say if there is no session information from a filled in form or from an already existing session, they should be presented with a login form, but what else in terms of simply making a session work?

    And is it correct that I should put the session.auto_start, session.name etc into the php.ini file?
    for portability just put session_start(); at the top of every page or in an include.

  14. #14
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    I remember reading somewhere that session_start() must be above the <html> tag, so would putting it in an include work?

  15. #15
    SitePoint Zealot adam.jimenez's Avatar
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    an include can be above <html>

  16. #16
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    :O really?
    Ha, I didn't know that, I suppose it isn't that surprising though, I've just never done that before

    That's probably made everything much easier then, I could just have an entire header as a separate file and put that at the top of it.

    Does it matter where the rest of it goes? i.e. everything apart from the session_start() part? Probably makes sense to keep it all together, but can I put the rest somewhere else if I choose to?

    And am I correct in thinking that all of the session.name etc goes in php.ini?

  17. #17
    SitePoint Zealot adam.jimenez's Avatar
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by stevex33 View Post
    :O really?
    Ha, I didn't know that, I suppose it isn't that surprising though, I've just never done that before

    That's probably made everything much easier then, I could just have an entire header as a separate file and put that at the top of it.

    Does it matter where the rest of it goes? i.e. everything apart from the session_start() part? Probably makes sense to keep it all together, but can I put the rest somewhere else if I choose to?

    And am I correct in thinking that all of the session.name etc goes in php.ini?
    Yep, you can keep it all together. Just make sure session_start() comes first.
    You don't need to edit php.ini to use sessions.

  18. #18
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    so where would I put:
    session.cookie_path
    session.cookie_lifetime
    session.name
    session.gc_maxlifetime
    etc ?

  19. #19
    SitePoint Zealot adam.jimenez's Avatar
    Join Date
    May 2009
    Location
    Ware, UK
    Posts
    136
    Quote Originally Posted by stevex33 View Post
    so where would I put:
    session.cookie_path
    session.cookie_lifetime
    session.name
    session.gc_maxlifetime
    etc ?
    What's wrong with the defaults?

    Or use ini_set() or htaccess if you have to.
    It's more portable that way.

  20. #20
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    If the session is only used for logging in, then you should manually destroy the session and kill the ID, otherwise you open a (minor) vulnerability.

  21. #21
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    Quote Originally Posted by sk89q View Post
    ... and kill the ID, otherwise you open a (minor) vulnerability.
    Can you elaborate? I've never bothered to clean up the ID, just assumed that if it was no longer linked to anything server side it was meaningless.

    Edit, thinking it's because someone could grab the id between logout and next login to exploit??

  22. #22
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Yes, because the ID doesn't change but the data associated to the ID does.

    Although the likelihood that someone would do that is pretty small.

  23. #23
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    328
    Which ID are you talking about and how do I kill it?
    And when you say destroy the session, is session_destroy() what you mean?

  24. #24
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    The id stored in the cookie in the browser, you need to use cookie functions to remove it.
    session_destroy() will destroy the $_SESSION array.

  25. #25
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Well, actually you can just re-generate the ID on login with session_regenerate_id(). It won't matter if the old ID sticks around then, because you won't be doing anything with it.
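
Added example, not written by any poster in this thread: it combines the points raised above into one logout routine (empty `$_SESSION`, expire the session ID cookie, destroy the server-side data) and a login routine that issues a fresh ID with `session_regenerate_id()`. The function names `start_session`, `login_user`, `logout_user` and `current_user` are hypothetical, and the credential check against the database is assumed to have happened before `login_user()` is called.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not code from the thread.

function start_session(): void
{
    // session_start() must run before any output is sent.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Call only after the username/password were verified (assumed done elsewhere). */
function login_user(string $username): void
{
    start_session();
    // Issue a new session ID for the authenticated session. Passing true
    // deletes the old session data, so an ID that existed before login
    // (for example, left in the browser by the previous user) is useless.
    session_regenerate_id(true);
    $_SESSION['uid'] = $username;   // store the identity only, never the password
}

function logout_user(): void
{
    start_session();
    // 1. Empty the in-memory array; session_destroy() does not unset it.
    $_SESSION = [];
    // 2. Expire the session ID cookie in the browser, using the same
    //    path/domain/flags it was created with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // 3. Delete the session data held on the server.
    session_destroy();
}

function current_user(): ?string
{
    start_session();
    // null means "not logged in": show the login form.
    return $_SESSION['uid'] ?? null;
}
```

Because `setcookie()` sends a header, `logout_user()` has to be called before any page output, the same constraint as `session_start()`.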

