session_destroy not unsetting the session_id

php session sessionid
AssamGuy picture AssamGuy · Dec 27, 2011 · Viewed 7.4k times · Source

I am working on an online ticket booking systems where after making successful booking(after payment) I want to clear the session id. But the thing is I am not able to clear it although I have used session_destroy() to destroy the session.

NB: I have echoed the session_id to check if its reset or not.

URL: http://7sisters.in/7sislabs/

function book_final_tickets()
{

    //var_dump($_SESSION);
    $session_id = session_id();


    $sql = "
        UPDATE
            tbl_seat_book
        SET
            final_book = 'Y'
        WHERE
            session_id = '$session_id'
    ";


    //session_unset();

    if($r = $this->db->executeQuery($sql)){
        if(session_destroy()){
            unset($session_id); 
            echo 'Booking successfull';
        }
    }
}

Answer

Rich Adams picture Rich Adams · Dec 27, 2011

session_destroy() alone won't remove the client-side cookie, so the next time the user visits, they'll still have the same session id set (but their server-side session info will have been destroyed).

From the docs (emphasis mine):

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. ... In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted.

You can use session_regenerate_id(true) to generate a new session ID and delete the old one. Note that this will keep all of the information in $_SESSION as part of the new session ID, so you still need to use session_destroy if you want to clear the session info and start fresh.

e.g. 

<?php
    session_start();    
    $_SESSION['blah'] = true;

    var_dump(session_id()); // q4ufhl29bg63jbhr8nsjp665b1
    var_dump($_SESSION);    // blah = true

    session_unset();
    session_destroy();
    setcookie("PHPSESSID", "", 1); // See note below
    session_start();
    session_regenerate_id(true);

    var_dump(session_id()); // gigtleqddo84l8cm15qe4il3q3
    var_dump($_SESSION);    // (empty)
?>

and the headers will show the session ID changing on the client-side:

Request Header
Cookie:PHPSESSID=q4ufhl29bg63jbhr8nsjp665b1

Response Header
Set-Cookie:PHPSESSID=deleted; expires=Mon, 27-Dec-2010 16:47:57 GMT
PHPSESSID=gigtleqddo84l8cm15qe4il3q3; path=/

(You can get away without the setcookie() call here, since you're creating a new session anyway, so the cookie will be overwritten by the new ID, but it's good practice to explicitly destroy the old cookie).

Related questions

What is the length of a PHP session id string?

I'm making a table in a MySQL database to save some session data, including session_id. What should be the length of the VARCHAR to store the session_id string?

Read More
Session ID is changing in CodeIgniter

I am using the session feature of CodeIgniter, and I'm running this code: $session_id = $this->session->userdata('session_id'); echo "My Session ID is $session_id"; And it keeps changing every time I load the page. Does …

Read More
PHP: session isn't saving before header redirect

I have read through the php manual for this problem and it seems quite a common issue but i have yet to find a solution. I am saving sessions in a database. My code is as follows: // session $_SESSION['userID'] = $…

Read More