Home/ Questions/Q 6327925
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T17:22:01+00:00

Consider the following code: <?php if (!session_id()) session_start(); echo session_id(); session_destroy(); ?> How come

  • 0

Consider the following code:

<?php
    if (!session_id())
        session_start();
    echo session_id();
    session_destroy();
?>

How come everytime I refresh this page it shows the same session id, even though the session gets destroyed and recreated each time? Isn’t the session id cleared upon session destruction?

EDIT:

I’ve used this updated code, based on the favorite answer- however, the session id STILL perists! Any ideas?

if (!session_id())
        session_start();
echo session_id();

// Unset all of the session variables.
$_SESSION = array();


// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    session_destroy() destroys all of the data associated with the current
    session. It does not unset any of the global variables associated with
    the session, or unset the session cookie.     To use the session variables
    again, session_start() has to be called.

    In order to kill the session altogether, like to log the user out, the
    session id must also be unset. If a cookie is used to propagate the
    session id (default behavior), then the session cookie must be
    deleted. setcookie() may be used for that.

    http://php.net/manual/en/function.session-destroy.php

    The manual comes with a code-example:

    Example #1 Destroying a session with $_SESSION

    <?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>

    ** Update **

    PHP Version 5.3.6-13
    Linux lime 3.0.0-1-686-pae #1 SMP Wed Aug 17 04:28:34 UTC 2011 i686

    Apache/2.2.19 (Debian)

    Session Settings (phpinfo) 

    Directive           Local Value         Master Value
session.auto_start          Off         Off
session.bug_compat_42           Off         Off
session.bug_compat_warn         Off         Off
session.cache_expire            180         180
session.cache_limiter           nocache         nocache
session.cookie_domain           no value            no value
session.cookie_httponly         Off         Off
session.cookie_lifetime         0           0
session.cookie_path         /           /
session.cookie_secure           Off         Off
session.entropy_file            no value            no value
session.entropy_length          0           0
session.gc_divisor          1000            1000
session.gc_maxlifetime          1440            1440
session.gc_probability          0           0
session.hash_bits_per_character         5           5
session.hash_function           0           0
session.name            PHPSESSID           PHPSESSID
session.referer_check           no value            no value
session.save_handler            files           files
session.save_path           /var/lib/php5           /var/lib/php5
session.serialize_handler           php         php
session.use_cookies         On          On
session.use_only_cookies            On          On
session.use_trans_sid           0           0

    Update

    So. Following settings results in the same problem. if, and only if i’m sening the session id as a request parameter locahost?PHPSESSID=whatever

    ini_set('session.auto_start', 'on');
ini_set('session.use_trans_sid', 'on');
ini_set('session.use_cookies', 'off');
ini_set('session.use_only_cookies', 'off');

if(!session_id())
  session_start();

echo session_id();
// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

    IMPORTANT:
    this settings are valuable to Session Hijacking [Session fixation]

    • 0