PHP $_SESSION variable will not unset

php session variables unset
B Rad C picture B Rad C · Sep 6, 2012 · Viewed 36k times · Source

sorry for a repetitive question, I've seen a few of these on this forum but none of the responses worked for me...

I am building a basic login using php sessions, which I'm new at...

login.php validates html login form and begins a session, setting variables: $_SESSION['login'] and $_SESSION['id],

then each page that requires a valid login uses require 'session.php'; which checks the $_SESSION['valid'] variable and redirects a user w/o proper login variable. The problem is when I logout neither session variable I've set will unset.

Right now my logout.php file uses about every method to destroy the variables that I've been able to find online and none will actually do it.

So whenever I log out, I can still access the 'private' pages.

Also note: I have tried it w/o a session name ex: session_start(); that didn't work so now I'm using session_start("user");

Also note: I am NOT using cookies.

Here are the files I mentioned:

login.php

$email=$_POST['email-log']; $pass=$_POST['password-log'];

$i=-1;

do
{$i++; $path="users/".$i.".json";
$file=  file_get_contents($path);
$x=json_decode($file,true);
} while($x['email']!=$email);
$id=$i;
$truepass=$x['pass'];

$errors=0;
$hash=hash('sha256',$pass);
if($hash != $truepass){$errors=$errors+1;}

if($errors==0){
        session_start("user");
        $_SESSION['login']="valid";
        $_SESSION['id']=$id;

    header('Location: loginlanding.php');}

else{header('Location: front.php?error=y');}

session.php

session_start("user"); if($_SESSION['login'] !== "valid") {header('Location: front.php?needto=login');}

logout.php

unset($_SESSION); unset($_SESSION['login']); unset($_SESSION['id']); session_unset("user"); $_SESSION=array(); session_destroy("user"); header('Location: front.php?logged=out');

Any and all responses are welcome and I thank you in advance, also note, I am new to logins in general so any advice to beef up security is welcome also. I'm planning on making it more secure, but first I need to get this basic functionality up and running.

Answer

Niet the Dark Absol picture Niet the Dark Absol · Sep 6, 2012

You should never unset($_SESSION).

The easiest way to clear the $_SESSION variable is $_SESSION = Array();

However, you can also iterate with unset: 

foreach(array_keys($_SESSION) as $k) unset($_SESSION[$k]);

Related questions

PHP Pass variable to next page

It seems pretty simple but I can't find a good way to do it. Say in the first page I create a variable $myVariable = "Some text"; And the form's action for that page is "Page2.php". So in Page2.php, …

Read More
What is the proper way to test CodeIgniter session variable?

Take the following code snippet. What is the best way to test to make sure the session variable isn't empty? <?php if ($this->session->userdata('userID')) { $loggedIn = 1; } else { $loggedIn = 0; } ?> If later in my script, I call …

Read More
How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.

Read More