0
votes

I am working on a session management function in PHP. I found a webpage that shows how to implement session timeouts (https://solutionfactor.net/blog/2014/02/08/implementing-session-timeout-with-php/)... I noticed that they use session_unset() and session_destroy() methods.

I am confused about the use of session_unset()

In looking at the PHP Manual (https://www.php.net/manual/en/function.session-unset.php) there are notes that say:

The session_unset() function frees all session variables currently registered.

Note: If $_SESSION is used, use unset() to unregister a session variable, i.e. unset ($_SESSION['varname']);.

Caution Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

Note: Only use session_unset() for older deprecated code that does not use $_SESSION.

Here is what I have, based on the example on the page previously cited. ($sysTime will be the server's time passed to the function when called.)

    //Define SYS_SES_TIMEOUT - How many seconds is a session valid for. 1800 seconds = 30 minutes
    define("SYS_SES_TIMEOUT", 1800);
    session_start();

    function fSessionMgmnt_isExpired($sysTime){
        if(isset($_SESSION['Expire_DT']) && ($sysTime - $_SESSION['Expire_DT']) > SYS_SES_TIMEOUT){
            // Clear the session variables, destroy the stored session data, then start a fresh session
            session_unset();
            session_destroy();
            session_start();
            //redirect to login page
        }else{
            //proceed to next check
        }
    }

My goal is that if the session is expired, the session is cleared out and the user is brought back to the login page to re-authenticate... where a new session would be created.

Based on the php manual, I am not sure if session_unset() is the correct method to use. Especially since session_destroy() says that it does not unset variables associated with the session and the session_unset() page notes about deprecated code.

Guidance is appreciated.

[Please note that while this has been flagged as a potential duplicate of PHP - Does session_unset unregister $_SESSION vars?, I have to disagree, the suggested post asks what the function does, while my question is asking for the proper way to handle a scenario. ]

2
Please note there's a note in the manual: "Only use session_unset() for older deprecated code that does not use $_SESSION". - Álvaro González

2 Answers

1
votes

session_destroy() function: It destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

Note: If it’s desired to kill the session, also delete the session cookie. This will destroy the session, and not just the session data.



session_unset() function: It deletes only the variables from the session, and the session still exists. Only the data is truncated.

You can visit this link for more information and find out what you really need.

You can also see the examples described here.
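The teardown discussed above (clear the variables, expire the session cookie, then destroy the stored data), as an added example that is not part of the original question or answers. The session keys `last_activity` and `user_id`, the constant `IDLE_TIMEOUT` and the `/login.php` URL are assumptions made for illustration.

```php
<?php
// Added example; key names, constant and login URL are hypothetical.
const IDLE_TIMEOUT = 1800; // seconds, same value as SYS_SES_TIMEOUT in the question

/** Pure check, so the timeout rule can be exercised without a live session. */
function session_is_expired(array $session, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    // A session with no activity timestamp is treated as expired (fail closed).
    if (!isset($session['last_activity'])) {
        return true;
    }
    return ($now - (int) $session['last_activity']) > $timeout;
}

/** Remove the session from this request, from the client, and from storage. */
function session_teardown(): void
{
    // Empty the superglobal by assignment; unset($_SESSION) would break it.
    $_SESSION = [];

    // Expire the session cookie using the same path/domain it was issued with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Delete the server-side session data.
    session_destroy();
}

session_start();

// Only authenticated sessions are subject to the idle timeout.
if (isset($_SESSION['user_id']) && session_is_expired($_SESSION, time())) {
    session_teardown();
    header('Location: /login.php'); // hypothetical login page
    exit;
}

// Sliding window: every request from a live session resets the timer.
$_SESSION['last_activity'] = time();
```

After the user re-authenticates, calling `session_regenerate_id(true)` issues a fresh session ID for the new login instead of reusing the pre-login one.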

0
votes

The session_unset() function is used to destroy a single session variable, but the session_destroy() function destroys the whole PHP session. So in your case it is better to use session_destroy().