session_destroy() ends the whole session, meaning it will be removed from PHP’s session storage and can’t ever be used again. If you’d only unset the session variables and cookies, the session would still be active server-side and could potentially be recycled if some session variables are set again and the cookie with the original session ID is sent to the client again.

To put it in another way: a session basically consists of a secret ID stored somewhere on the web server, together with session variables registered to that session. The session ID is sent to the client (usually as a cookie) so the client can be identified as ‘owner’ of the session on later requests. Assuming a session has already been created and has variables registered to it, here’s an overview of what the functions do:

• session_start() imports all session variables belonging to the session ID that the client sent from the session registry to the $_SESSION array
• session_unset() or calling unset() on $_SESSION variables will clear all variables registered to the current session, but it will not clear the session itself
• Unsetting the session cookie of the client will signal to the client that the session is over, but this will not remove the session from the session registry on the server either
• session_destroy() is the only function that will actually purge the session from the session registry, thus literally ‘destroying’ the session

While session_destroy() will unregister all session variables, it won’t clear the $_SESSION array in the script that’s currently executing, so it’s still a good idea to unset the session variables to prevent bugs and security issues.

On a related note, the PHP manual recommends not to use session_unset() but rather unset the keys from $_SESSION:

If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use unset() to unregister a session variable, i.e. unset($_SESSION['varname']);.