Does Die() End Your Session in PHP

Does die() end your session in PHP?

No. As you can see on the PHP page: http://www.php.net/manual/en/function.exit.php (because die is equivalent to exit)

Shutdown functions and object destructors will always be executed
even if exit is called.

BUT, session_write_close is NOT a shutdown function. It will not run if you "die". I suggest you look into session_register_shutdown. This will register session_write_close() as a shutdown function and in this case, it will run on "die".

More Info: http://www.php.net/manual/en/function.session-register-shutdown.php

End Session in PHP

I'm going to take a wild stab and say that this answer will solve your problem.

Per the PHP Docs For session_destroy():

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

To sum up what seems to be your problem, the pesky session cookie (which identifies the session) is not being unset. Therefore, when you hit the back button, and session_start(); appears at the top of your script, the global session variables are still being referenced. As the other answer suggests, try:

$_SESSION = array();

to clear all of the global session data. Also, as the docs say, unset the session cookie.

PHP - Session destroy after closing browser

The best way is to close the session is: if there is no response for that session after particular interval of time. then close. Please see this post and I hope it will resolve the issue. "How to change the session timeout in PHP?"

When does a PHP session end?

If your session values are not linked to any cookie, the session will end when the windows browser will be closed.

If your session variable comes from a cookie, the session will end after time specified in the cookie file.

In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.

To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:

session_set_cookie_params(3600,"/");
session_start();

For ex, 3600 seconds is a one hour, for 2 hours 3600*2 = 7200.

But it's a session cookie, the browser can make it expire by himself, if you want to save longer sessions (like remember login), you need save the data in the server and a standard cookie on the client side.

Navigating away from a site when using cookies will not break the session.

proper way to logout from a session in PHP

From the session_destroy() page in the PHP manual:

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>

What happens to the $_SESSION array if a PHP session times out in the middle of a request?

don't worry about such things. Nothing will happen to the session. It's initialised by sessioni_start() and $_SESSION will be always available within your script.

Destroy PHP Session on closing

if you use:

session_set_cookie_params(0);
session_start();

Your session cookie will destroy when the browser is closed... so your session will be good until they close the browser. IE. You login, and you are logged in, you close the browser, re-open it, go to the site again, and you wont be logged in.

How do I expire a PHP session after 30 minutes?

You should implement a session timeout of your own. Both options mentioned by others (session.gc_maxlifetime and session.cookie_lifetime) are not reliable. I'll explain the reasons for that.

First:

session.gc_maxlifetime
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up. Garbage collection occurs during session start.

But the garbage collector is only started with a probability of session.gc_probability divided by session.gc_divisor. And using the default values for those options (1 and 100 respectively), the chance is only at 1%.

Well, you could simply adjust these values so that the garbage collector is started more often. But when the garbage collector is started, it will check the validity for every registered session. And that is cost-intensive.

Furthermore, when using PHP's default session.save_handler files, the session data is stored in files in a path specified in session.save_path. With that session handler, the age of the session data is calculated on the file's last modification date and not the last access date:

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

So it additionally might occur that a session data file is deleted while the session itself is still considered as valid because the session data was not updated recently.

And second:

session.cookie_lifetime
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. […]

Yes, that's right. This only affects the cookie lifetime and the session itself may still be valid. But it's the server's task to invalidate a session, not the client. So this doesn't help anything. In fact, having session.cookie_lifetime set to 0 would make the session’s cookie a real session cookie that is only valid until the browser is closed.

Conclusion / best solution:

The best solution is to implement a session timeout of your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Updating the session data with every request also changes the session file's modification date so that the session is not removed by the garbage collector prematurely.

You can also use an additional time stamp to regenerate the session ID periodically to avoid attacks on sessions like session fixation:

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true);    // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time();  // update creation time
}

Notes:

  • session.gc_maxlifetime should be at least equal to the lifetime of this custom expiration handler (1800 in this example);
  • if you want to expire the session after 30 minutes of activity instead of after 30 minutes since start, you'll also need to use setcookie with an expire of time()+60*30 to keep the session cookie active.

Close session without writing or destroying it

Some months later after raising an issue the two new methods are now available in PHP 5.6, but the documentation arrived only with 5.6.2.

  • session_abort() – Discard session array changes and finish session, see the docs.
  • session_reset() – Re-initialize session array with original values, see the docs.

PHP Losing Session's Between pages

Remove the first exit;, this is stopping further execution.

Side note: I posted this as a community wiki since it was resolved in comments.


Related Topics

Ordering Doctrine Collection Based on Associated Entity When It Is Not Possible to Use the @Orderby Annotation

Datetime Now PHP MySQL (+ Pdo Variant)

Use PHP to Check If Page Was Accessed with Ssl

How to Get the Root Url of the Site

PHP - Swiftmailer Using Starttls and Self Signed Certificates

Calling a PHP Function from an HTML Form in the Same File

Difference Between Buffered and Unbuffered Queries

SQL - Insert and Catch the Id Auto-Increment Value

How Would You Transform a Pre-Existing Web App into a Multilingual One

How to Sort an Array by Similarity in Relation to an Inputted Word

Laravel Errno 150 Foreign Key Constraint Is Incorrectly Formed

Symfony 2.7 Cache:Clear Command Checks Every Database Connection

Force Cache Refresh After Deployment

Shortcodes Inside a Shortcode - Wordpress

Base64 Over Http Post Losing Data (Objective-C)

How to Add 5 Minutes to Current Datetime on PHP < 5.3

Receive Email Using PHP

How to Save/Redirect Output from Laravel Artisan Command


Leave a reply



Submit