Why Is PHP Session_Destroy() Not Working

Why is PHP session_destroy() not working?

After using session_destroy(), the session is destroyed behind the scenes. For some reason this doesn't affect the values in $_SESSION, which was already populated for this request, but it will be empty in future requests.

You can manually clear $_SESSION if you so desire ($_SESSION = [];).

session_destroy() doesn't work with PHP 7.0 on server

Note: You do not have to call session_destroy() from usual code. Cleanup $_SESSION array rather than destroying session data.

• From the manual

Show us your code page where you set $_SESSION = array(); This should be all you need to do. Check you have set session_start(); on this page:

session_start();
$_SESSION = []; //empty the array. 

--End of file.

If you want to make absolutely sure that it works ok you can try using something like this:

session_start();
$_SESSION = []; //empty array. 
session_write_close(); 

But note any further edits to any session data on this script will not be saved once the script completes.

---

You may also have an issue if your scripts are in different folders and the local php.ini session name is different in these different folders... Different names, different sessions.

Central PHP.ini:

session.name=somethingSessiony

local folder specific PHP.ini

session.name=somethingsessiony

If you feel this may be a factor try something like this:

error_log(__FILE__." : " .print_r(session_name(),true)); 

In both the file that clears the session data and the file that should be reading the "empty" session data.

Session_unset and session_destroy not working

You must definitely define a variable as session

for example:

LOGIN

<?php
session_start();
if($_POST['username']){
$_SESSION['username'] =$_POST['username']; // session run
}
?>

LOGOUT

<?php
    session_start();
    if($_POST['LOGOUT']=='exit'){
@session_unset();
    }
    ?>

You can also use
unset($_SESSION['username']);
instead of
session_unset();

Why session_destroy cannot unset the current session value php

The manual entry for session_destroy says:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

So, session_destroy() will destroy the data where it's actually stored (filesystem/memcached/Redis/whatever, depending on the session handler that has been configured), but the same data will still stay in memory in the $_SESSION superglobal, until you explicitly unset it, either with unset() or $_SESSION = [].

So, yes, you have to call session_destroy() after using unset(), as the example on the manual page for session_destroy() says: https://www.php.net/manual/en/function.session-destroy.php#refsect1-function.session-destroy-examples

And finally, to answer your primary question "Why session_destroy cannot unset the current session value php": because that's not what this function is for. The manual says it all. Just read it carefully and you'll know everything about session cleaning.

Why `session_destroy()` does not work in PHP?

For me, only the following combination works perfectly to destroy a session completely:

session_destroy();
session_unset();
session_regenerate_id(true);

Edit: Did you try this:

<?php
session_start();
$sid = session_id();
echo $sid;
echo "<br />";

//destroy session
session_destroy();
session_unset();

//now start the new session
session_start();
session_regenerate_id(true);
$sid = session_id();
echo $sid;
?>

It work's perfectly.

session_destroy not working after modifying session.save_path (where session data is saved on server)

As mentioned in comments
Perhaps your ini_set() code, or at least the path changing part, needs to be in your log out script as well.

In code form:

ini_set('session.save_path', '/home/server/.sessionsData');
session_start();
session_destroy();

header("location: https://website.com");

---

Related Topics