Close a session and keep some of the session variables

Martins · 02-22-2012, 12:43 PM

How do I close a session and destroy most of the session variables whilst retaining a few chosen ones for use on another page?

This code works except for the following warning due to a second call on session_start(); - ‘session_start() [function.session-start]: Cannot send session cache limiter - headers already sent’

Can I do it without the warning? Thanks.

Code:

if ( isset ( $_SESSION['keep1'] )) {
   $keep1 = $_SESSION['keep1'];
   }
   if ( isset ( $_SESSION['keep2'] )) {
   $keep2 = $_SESSION['keep2'];
   }
      
   $_SESSION = array();
   
   session_destroy();
   
   session_start();

   if ( isset ($keep1)) {
   $_SESSION['keep1'] = $keep1;
   }
   if ( isset ($keep2)) {
   $_SESSION['keep2'] = $keep2;
   }

Mahdi Eftekhari · 02-22-2012, 01:45 PM

You cannot start a session in the middle of your code. session_start() must be the first thing after your <?php tag.
If you want to destroy some data from your session use unset function.

PHP Code:


			
unset($_SESSION['valueToBeDeleted'];

Regards
Mahdi Eftekhari

Fou-Lu · 02-22-2012, 01:48 PM

You can destroy a session wherever you want since the cookie needs to be manually. You can't start a session if you have previous output though.
Why destroy and recreate a session? Just unset what you don't need.

Martins · 02-22-2012, 02:02 PM

Thanks Fou-Lu and Mahdi Eftekhari.

The session variables are from a $_POST array created from a form so I would rather not address each variable individually.

What's the difference between unset and destroy? Particularly from a security perspective.

Mahdi Eftekhari · 02-22-2012, 02:14 PM

when you destroy a session, your session is gone along with all the data stored in session. There is no session anymore (It may also delete cookies - Not sure on this one).
When you unset a value in a session your value is gone but the session itself along with other values still exists and you can refer to them in other pages.
Security wise it does not make any difference. You destroy or unset based on your coding requirement. Just keep in mind you can only start a session at the top of your code before anything sent to output.

Mahdi Eftekhari · 02-22-2012, 02:18 PM

Quote:

Originally Posted by Martins

The session variables are from a $_POST array created from a form so I would rather not address each variable individually.

Can you store these variables in an array and then with a foreach loop unset them.

Regards
Mahdi Eftekhari

Mahdi Eftekhari · 02-22-2012, 02:26 PM

Forgot to mention, there is also a session_unset() function which keeps your session and frees all variables.
This is not useful if you want to keep some of your variables in your session. Just thought it is worth mentioning

Regards
Mahdi Eftekhari

litebearer · 02-22-2012, 02:49 PM

Is there some VALID reason why you NEED to unset/destroy those select session variables? In other words, what will it hurt if you simply ignore them?

Martins · 02-22-2012, 03:23 PM

Thanks for the feedback guys.

The variables I want to destroy are collected during completion of a form and are only meant to be there until the form is completed successfully. I don't want them retained after that for security reasons.

The variables I want to keep are already there from a previous page and reused so long as the browser remains open. The problem is that if the user visits the page with the form on it they are lost.

I have come to the conclusion that this can't be done (without the warning) unless I unset the form variables individually (or via a loop) and even then if I run session_destroy() they are lost.

Mahdi Eftekhari · 02-22-2012, 03:38 PM

I really did not get you on your last post. You want to keep them or you want to destroy them? because session_destroy() will delete all your session variables and you will have absolutely nothing. It's the same with session_unset().
But if you want to keep some then you have to unset() the ones you don't want to keep.

Could you put the code for your form and php which processes the form and highlight what exactly you want to achieve. I am sure there is a way to solve your problem I just did not get you - sorry.

Regards
Mahdi Eftekhari

Rowsdower! · 02-22-2012, 03:39 PM

Remember that the $_SESSION variable can hold arrays and not just simple string/int/etc. values.

If you put all $_POST array form data into, say, $_SESSION['form_data'] then it is in one single place that you can access it from. Then unsetting the form data requires no loop and no extra steps. Just unset($_SESSION['form_data']); and it all goes away in one swoop without marring any of your other session data.

The only thing you have to do for this is change your existing script that handles your $_POST data vis-a-vis the $_SESSION variable. You will have to drill down one step further, so something previously like this:

PHP Code:


			
$first_name = $_SESSION['form_first_name'];

will change to this:

PHP Code:


			
$first_name = $_SESSION['form_data']['form_first_name'];

Martins · 02-22-2012, 05:12 PM

Thanks Rowsdower.

I accept that this is the correct way to do it. I thought there might be an easier way.

Problem is that I have to rewrite the script a fair bit because the variables are used to repopulate the form when necessary.

For example, I amended this function to include 'form_data' as a new level and now have an error on the echo line
- unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING.

PHP Code:


			
function restore_text( $_SESSION, $name, $control, $session_name )

{

   if(isset($_SESSION['form_data'][$name])) {

      if($control == $session_name ) {

      echo "$_SESSION['form_data'][$name]";  

     }

   } 

}

From a security perspective, I still would not be able to destroy the session. Maybe this doesn't matter?

Cheers.

Rowsdower! · 02-22-2012, 06:19 PM

Remove the quotes around your echo'ed stuff in that code blurb and it will work out fine.

Martins · 02-23-2012, 08:47 AM

Thank you.