Error while destroying session in PHP

7
votes

I am having problem in session handling in PHP(version 5.2.10). I am using the below mentioned functions for login, logout and validating sessions.

login()
{
    session_set_cookie_params(0);
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id']
}

validate_session()
{
    session_set_cookie_params(0);
    session_start();
    if (isset($_SESSION['user_id']) === FALSE) {
        session_destroy();
        logout();
        header("Location: login_page");
    }
}

logout()
{
    session_set_cookie_params(0);
    session_start();
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

Every page first makes a call to validate_session() function. If session invalid it redirects to the login page. login() function is used for creating the session for the user. When user clicks logout, the logout() function is called to destroy the session.

The problem is: randomly the logout() function throws the warning:
Warning: session_destroy(): Session object destruction failed

I am getting this warning very infrequently. Like out of 20-30 calls to logout, I get it once. Any thoughts?

I am developing on a windows xp machine.

Update: The sessions are stored in file-system.
Path: C:\WINDOWS\Temp

3
phpsession
It seems it's been a long time since you've accepted any answer on stackoverflow...Matthieu Napoli
Yeah! I have not been very active in stackoverflow. And in some of the cases I haven't got a satisfactory answer yet.Varun
Hi Varun, Can you explain why you use the trip equals in that comparison? Usually if(!isset()) would be enough, I know it is more ironclad but isset() should only ever return a boolean, Do you really need to validate its type? It is probably not likely, but maybe that is occasionally returning true when it shouldn't?picus
Suggestion Add debug_print_backtrace() to the logout function, and keep track of the output then compare the outputs, if there a difference, its likely the different call path that's producing your error. (see php.net/manual/en/function.debug-print-backtrace.php)Glen Fletcher
Thanks everyone for your suggestions.I am not able to reproduce this (I am using the same code as earlier). In fact its long since I saw this error. Now I have no idea what was causing this.Varun

3 Answers

2
votes

Is logout() called elsewhere than in validate_session() ? If not, the problem might be the call to session_destroy() before logout()

You could try this:

validate_session()
{
    session_set_cookie_params(0);
    session_start();
    if ( !isset( $_SESSION['user_id'] ) ) {
        logout();
        header("Location: login_page");
    }
}

logout()
{
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
0
votes

Found something which might be useful on this topic. The basic concerns are:

  1. Whether the session is valid to begin with -- what is the return value from session_start()?
  2. Whether the session files exist in the PHP.ini session.save_path and can be deleted.

I suspect in your case it is the first one. I don't remember where but I think I've seen the case where the session invalidated itself and then tried to repeat the process for some reason.

0
votes

How are you storing your sessions? If it is file based it may be a timeout or permissions error?

Also, i wonder if the regenerate_id is causing the destroy function to look for a session that isn't technically there anymore. Have you tried setting that boolean argument to false in the regenerate function?

We had this issue on a CakePHP app, but we corrected it by jiggering with the Cake settings.