#1  low tech (Regular Coder, joined Dec 2009)

    session how to destroy properly

    Hi all

    Trying to understand sessions better.

    Three questions:

    1) How do you delete a session properly? -- I do version 3 below
    2) What happens to any session file that is left lying around if it failed to delete?
    3) Can you delete the cookie (assuming it is set), delete the session AND REDIRECT with header("Location: login.php");

    I read that setting a cookie sends a header, so you cannot redirect, as that also sends a header.


    //testing deleting session in xampp

    I tested these three ways in xampp. I found only the last one actually deleted the session file,
    so is the last one the way it's done?

    PHP Code:
    <?php
    // Test 1: unset the session data, then regenerate the id
    session_start();
    session_unset();
    session_regenerate_id();
    header("Location: login.php");
    exit; // stop the script so nothing runs after the redirect header
    //result
    //old session file remains
    //new empty session file created

    PHP Code:
    <?php
    // Test 2: regenerate the id, then destroy
    session_start();
    session_regenerate_id();
    session_destroy();
    header("Location: login.php");
    exit;
    //result
    //old session file remains

    PHP Code:
    <?php
    // Test 3: unset the session data, then destroy
    session_start();
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit;
    //result
    //session file deleted -- ie gone.
    LT
    "The greatest revenge is to accomplish what others say you cannot do."
    ~ Unknown

    I used to be indecisive, but now I'm not so sure.

  • #2  Fou-Lu (God Emperor, Saskatoon, Saskatchewan)
    You can certainly redirect if you want. You can send as many headers as you want, even conflicting ones, although conflicting ones require that you specify that they can override a previous header.

    None of these guarantee a session file will be deleted. Session_unset is an obsolete function that should be ignored as it is designed to work with registered globals. Session_destroy does the same thing, but works with superglobals. It doesn't unset the cookies though, so you must send a setcookie to remove the session_id.

    The removal of the session files is based on the OS in question and the garbage collection engine. Unless they've updated something (which by this point they may have), sessions will never be cleaned up on a Windows system.

    What will force a session to clean up on call is the use of session_regenerate_id, but only if you provide it a value of true to indicate it can delete the old sessions. The problem with this is that it now creates a new session file, so it's questionable at best to use it.

  • Users who have thanked Fou-Lu for this post:

    low tech (08-18-2012)
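
    A complete logout routine that puts this answer's points together (empty $_SESSION, expire the cookie with setcookie, session_destroy, then the Location header) and shows the session_regenerate_id(true) behaviour mentioned above. This is an added example written for this thread, not code posted by Fou-Lu or any project. It assumes PHP 7.3 or later (array form of setcookie and the samesite key from session_get_cookie_params), the default files save handler, and that nothing has been output before it runs; the function names logout() and onLoginSuccess() are made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3, the default
// "files" session handler, and that no output has been sent yet.

declare(strict_types=1);

/**
 * Log the user out: empty the session array, expire the session cookie in
 * the browser, delete the server-side session file, then redirect.
 */
function logout(string $redirectTo = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Clear the data held for this request (what Lamped does below).
    $_SESSION = [];

    // 2. Tell the browser to drop the session cookie. setcookie() only adds
    //    a Set-Cookie header; it does not stop a later Location header.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,   // a time in the past expires it
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? '',
        ]);
    }

    // 3. Remove the server-side session data (files handler: unlink()).
    session_destroy();

    // 4. Redirect. Headers can be stacked; only output sent before them
    //    causes the "headers already sent" warning.
    header('Location: ' . $redirectTo);
    exit; // stop executing so nothing after the redirect still runs
}

/**
 * After a successful login, replace the session id. The `true` argument is
 * the one Fou-Lu refers to: it deletes the old session file instead of
 * leaving it behind, so the id used before login is not carried over.
 */
function onLoginSuccess(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

    Call logout() from the logout page before any HTML is echoed; the cookie parameters are read back from session_get_cookie_params() so the expiring Set-Cookie matches the path and domain of the one the browser already holds, otherwise the browser keeps the old cookie.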

  • #3  Lamped (Super Moderator, England)
    Quote Originally Posted by low tech:
    1) How do you delete a session properly? -- I do version 3 below
    I do $_SESSION = array();

    Quote Originally Posted by low tech:
    2) What happens to any session file that is left lying around if it failed to delete?
    As Fou-Lu says, it's OS dependent. Blanking it as above *should* overwrite it, but data tends to sit around on a hard drive and can probably still be recovered by clever tools (if that's your concern).

    Quote Originally Posted by low tech:
    3) Can you delete the cookie (assuming it is set), delete the session AND REDIRECT with header("Location: login.php");
    Yes. Multiple headers can be set. The only real issue with headers is sending them after outputting some content, which will cause a warning.
    lamped.co.uk :: Design, Development & Hosting
    marcgray.co.uk :: Technical blog

  • Users who have thanked Lamped for this post:

    low tech (08-18-2012)

  • #4  low tech (Regular Coder)
    Hi all

    Thank you Fou-Lu and Lamped for the clarity and detail of explanation.

    Quote Originally Posted by Lamped:
    data tends to sit around on a hard drive and can probably still be recovered by clever tools (if that's your concern).
    I don't really have a concern because my php coding doesn't involve sensitive data, just normal stuff. But realizing that session data is just left lying around does seem an odd way to do business in a tech world that is always talking about trying to protect data and make things more secure.

    Anyway, really very helpful.

    Thanks

    LT

  • #5  Fou-Lu (God Emperor)
    Quote Originally Posted by low tech:
    Hi all

    Thank you Fou-Lu and Lamped for the clarity and detail of explanation.

    Quote Originally Posted by Lamped:
    data tends to sit around on a hard drive and can probably still be recovered by clever tools (if that's your concern).
    I don't really have a concern because my php coding doesn't involve sensitive data, just normal stuff. But realizing that session data is just left lying around does seem an odd way to do business in a tech world that is always talking about trying to protect data and make things more secure.

    Anyway, really very helpful.

    Thanks

    LT
    This depends on the extent of concern. When you "delete" a file, it typically only deletes an inode for it. So the data is still there, but the OS sees that block as writable, and eventually it will overwrite that block.
    From a session perspective, the garbage collection will get the files eventually and delete them. You can modify the probability that it will, but PHP's default is 1% chance that it will clean up old sessions.

  • #6  low tech (Regular Coder)
    Hi

    Out of interest.

    Quote Originally Posted by Fou-Lu:
    When you "delete" a file, it typically only deletes an inode for it. So the data is still there, but the OS sees that block as writable, and eventually it will overwrite that block.
    Which I think means the file has been deleted (marked as deleted so the block can be overwritten). The delete is made permanent when the block is overwritten.


    Quote Originally Posted by Fou-Lu:
    From a session perspective, the garbage collection will get the files eventually and delete them.
    So I guess these files are not deleted; they are left lying around, which leads me to the question: how does garbage collection know which files are old and of no use and can be deleted, and which files are in use?

    LT

  • #7  Fou-Lu (God Emperor)
    The GC determines this based on the ini settings for the age. It checks the access time for the file when it cleans it up. Default in PHP is 24 minutes (1440 seconds).

  • Users who have thanked Fou-Lu for this post:

    low tech (08-19-2012)
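
    The garbage-collection settings Fou-Lu describes in #5 and #7 (a 1% chance per request, 24 minutes / 1440 seconds of maximum lifetime) are ini values you can read and set, and since PHP 7.1 you can run the collector on demand instead of waiting for the lottery. This is an added example written for this thread, not Fou-Lu's code or PHP project code. It assumes PHP 7.1 or later for session_gc() and the default files save handler, whose collector compares each session file's last-modified time against session.gc_maxlifetime; the function names gcSettings(), cleanupSessionsNow() and staleSessionFiles() are made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 and the
// default "files" session handler.

declare(strict_types=1);

// Runtime settings must be applied before session_start(). These are the
// PHP defaults: 1/100 chance of a GC run per request, 1440 s max lifetime.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor',     '100');
ini_set('session.gc_maxlifetime', '1440');

/** Current GC settings as a readable summary, for diagnostics. */
function gcSettings(): array
{
    return [
        'chance_per_request' => (int) ini_get('session.gc_probability')
                              . '/' . (int) ini_get('session.gc_divisor'),
        'max_idle_seconds'   => (int) ini_get('session.gc_maxlifetime'),
        'save_path'          => session_save_path() ?: sys_get_temp_dir(),
    ];
}

/**
 * Deterministic cleanup (e.g. from a cron job) instead of the 1% lottery.
 * session_gc() needs an active session, runs the handler's collector and
 * returns how many session entries it removed (false on failure).
 */
function cleanupSessionsNow(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $removed = session_gc();
    session_write_close();
    return $removed === false ? 0 : $removed;
}

/**
 * Read-only mirror of the files handler's check: a sess_* file whose
 * modification time is older than the max lifetime is eligible for
 * deletion. Lets you see what a GC run would remove without removing it.
 */
function staleSessionFiles(string $dir, int $maxLifetime): array
{
    $stale = [];
    $now   = time();
    foreach (glob(rtrim($dir, '/') . '/sess_*') ?: [] as $file) {
        if ($now - (int) filemtime($file) > $maxLifetime) {
            $stale[] = basename($file);
        }
    }
    return $stale;
}

if (PHP_SAPI === 'cli') {
    $cfg = gcSettings();
    print_r($cfg);
    print_r(staleSessionFiles($cfg['save_path'], $cfg['max_idle_seconds']));
    printf("Removed %d stale session(s)\n", cleanupSessionsNow());
}
```

    Note that gc_maxlifetime is measured from the session file's last write, not from the cookie's expiry, so a browser can still present a cookie for a session the collector has already deleted; session_start() then simply begins a new, empty session.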

  • #8  low tech (Regular Coder)
    Hi Fou-Lu

    Thanks for the info.

    It helps me to understand, in general, what is going on behind the scenes.


    LT

