Why I have to nullify all of the session variables?

Question

Why I have to nullify the session variables?Is session_destroy not enough?

<?php
     session_start();
     $_SESSION = array();// <--Is necessary?
     if (isset($_COOKIE[session_name()]])){
        setcookie(session_name(),'',time()-42000,'/');
     }
     session_destroy();
     header('Location:Login.php');
?>

score 2 · Accepted Answer · answered Nov 18 '11 at 16:58

2

It is a precautionary measure to nullify the values, just in case the object is not destroyed by the session_destroy();.

Just precautionary and good practice, it is not required.

Why are you starting a session and destroying it right away tho?

answered Nov 18 '11 at 16:58

Jakub

20,418
8
65
92

This is the logout out page.I use the `session_start` to detect the session cookie.I think is prerequisite το use it. – giannis christofakis Nov 18 '11 at 17:07
@giannosfor: In that case it's not necessary at all since you're relocating after `session_destory()` anyway. – Herbert Nov 18 '11 at 17:10
In which circumstances the object might not be destroyed by the `session_destroy`? – giannis christofakis Nov 18 '11 at 17:13

score 1 · Answer 2 · answered Nov 18 '11 at 17:00

You should use session_unset() and session_destroy() both. Note that session_destroy() only empties out the variables when the page is reloaded or redirected to some other page. As long as it's the same page, the variables are still usable after invoking session_destroy(), so it is best practice to use session_unset() just before session_destroy().

Why I have to nullify all of the session variables?

2 Answers2