I am working on a session management function in PHP. I found a webpage that shows how to implement session timeouts (https://solutionfactor.net/blog/2014/02/08/implementing-session-timeout-with-php/)... I noticed that they use session_unset() and session_destroy() methods.
I am confused about the use of session_unset()
In looking at the PHP Manual (https://www.php.net/manual/en/function.session-unset.php) there are notes that say:
The session_unset() function frees all session variables currently registered.
Note: If $_SESSION is used, use unset() to unregister a session variable, i.e. unset ($_SESSION['varname']);.
Caution Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.
Note: Only use session_unset() for older deprecated code that does not use $_SESSION.
Here is what I have, based on the example on the page previously cited. ($sysTime will be the server's time passed to the function when called.)
    // Define SYS_SES_TIMEOUT - how many seconds a session is valid for. 1800 seconds = 30 minutes
    define("SYS_SES_TIMEOUT", 1800);
    session_start();

    function fSessionMgmnt_isExpired($sysTime){
        if(isset($_SESSION['Expire_DT']) && ($sysTime - $_SESSION['Expire_DT']) > SYS_SES_TIMEOUT){
            session_unset();
            session_destroy();
            session_start();
            // redirect to login page
        }else{
            // proceed to next check
        }
    }
My goal is that if the session is expired, the session is cleared out and the user is brought back to the login page to re-authenticate... where a new session would be created.
Based on the PHP manual, I am not sure if session_unset() is the correct method to use, especially since session_destroy() says that it does not unset variables associated with the session and the session_unset() page notes about deprecated code.
Guidance is appreciated.
[Please note that while this has been flagged as a potential duplicate of "PHP - Does session_unset unregister $_SESSION vars?", I have to disagree: the suggested post asks what the function does, while my question is asking for the proper way to handle a scenario.]
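An added example, not part of the original post: one way to expire a session using the teardown sequence shown in the PHP manual's session_destroy() example (empty $_SESSION, expire the session cookie, then destroy the server-side data). SYS_SES_TIMEOUT and Expire_DT are taken from the post; fSessionMgmnt_destroy() and /login.php are hypothetical names, and Expire_DT is assumed to hold the time of the last request.

```php
<?php
// Added example, not the poster's code.
// Assumption: $_SESSION['Expire_DT'] stores the Unix time of the last request.
define('SYS_SES_TIMEOUT', 1800); // 1800 seconds = 30 minutes

// True when the session has been idle longer than SYS_SES_TIMEOUT.
function fSessionMgmnt_isExpired(int $sysTime): bool
{
    return isset($_SESSION['Expire_DT'])
        && ($sysTime - $_SESSION['Expire_DT']) > SYS_SES_TIMEOUT;
}

// Hypothetical helper: fully tear down the current session.
function fSessionMgmnt_destroy(): void
{
    // Clear the variables for the rest of this request. Assigning an empty
    // array keeps the superglobal registered, unlike unset($_SESSION).
    $_SESSION = [];

    // Expire the session cookie so the browser stops sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session data.
    session_destroy();
}

session_start();
$sysTime = time();

if (fSessionMgmnt_isExpired($sysTime)) {
    fSessionMgmnt_destroy();
    header('Location: /login.php'); // hypothetical login page
    exit;
}

// Still valid: record this request as the latest activity.
$_SESSION['Expire_DT'] = $sysTime;
```

The login page would call session_start() to open a fresh session and session_regenerate_id(true) once the user has authenticated, so the expired ID is never reused.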