What the manual is saying is that you're not supposed to erase the $_SESSION variable itself, because PHP needs this for the session mechanism to work.
But you can and should overwrite the variable with an empty array during logout:
$_SESSION = array();
Otherwise, $_SESSION will still hold the old data while the script runs. This may confuse later parts of the code and make it assume the terminated session is still valid.
So logging out a user really consists of three different steps:
- session_destroy() deletes the session file on the server
- $_SESSION = array() clears all session data in the running script
- asking the client to delete the session cookie
If you forget the latter, the client will keep sending you the old ID, and PHP will reuse that ID for the next session. This isn't necessarily a problem as long as you properly regenerate the ID in the login procedure. But it's still somewhat unclean.
I strongly disagree with the statement that you can ignore session security, and I find it sad that people still believe TLS/SSL is only for banks. How many more hacks do we need until everybody realizes that they, too, are affected by threats?
Without TLS, you have absolutely no way to tell who got your data, what server you're talking to and whether the page you received is authentic. Anybody who happens to be between you and the server may read, intercept or manipulate the communication. Do you really wanna use your admin account in this environment?
Yes, you may simply hope that everybody around you plays nice. But I don't think this is the right attitude for running a website.
The same is true for session security: If you don't take care of security, then attackers will exploit that as soon as they find it worthwhile. It's not always about big money. It could simply be a script kiddie trying to impress some friends. Or maybe somebody is angry at you.
Security is crucial, no matter if you're running a bank or a small homepage. Both are at risk.
And, really, there's simply no excuse for not securing your site. Getting a free TLS certificate from StartSSL, including it in Apache and updating the php.ini is a matter of minutes and doesn't require any money or special knowledge.
Edited by Jacques1, 27 April 2014 - 01:09 PM.
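The three-step logout described in the post above, written out as an added example (this is not Jacques1's code); it follows the order used by the PHP manual's session_destroy() example, and the redirect target /index.php is an assumed placeholder:

```php
<?php
// Added example (not from the original post): a logout routine performing
// the three steps described above, in the order the PHP manual recommends.
function logout(): void
{
    // Resume the session so PHP knows which session file and cookie to remove.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Step 1: clear the session data in the running script. $_SESSION itself
    // is kept (not unset), so later code cannot read stale login state.
    $_SESSION = array();

    // Step 2: ask the client to delete the session cookie by re-sending it
    // with an expiry in the past and the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // Step 3: delete the session file on the server.
    session_destroy();
}

// Assumption: the login code calls session_regenerate_id(true), so a client
// that keeps sending the old ID cannot carry anything over into a new login.
logout();
header('Location: /index.php'); // placeholder redirect target
exit;
```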