[SOLVED] WHY WONT <? session_start(); session_destroy(); ?> log me out?

[emopoops]

i made a login script with the ability to acess the members only page if ur logged in correctly (the session set to true)

now when i go to my singout page which has this code

i can still acess my members only page and am still signed in?

how do i sign out?

 

<?
session_start();
session_destroy();
?>

isnt working

[eRott]

<?php
session_unset();
session_destroy();
?>

[MadTechie]

try

<?php
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
?>

[MadTechie]

eRott, you will still need to Initialize the session first

[void]

or, probably

 

session_start();
session_destroy();
unset($_SESSION);

 

:-)

[MadTechie]

Caution

 

Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

[eRott]

eRott, you will still need to Initialize the session first

 

Aye. Sorry, I probably should have clarified that. Yes, I know it  needs to be initialized first. Myself, I use it as a function.

 

function user_logout()
{
// End the session and unset all vars
session_unset();
session_destroy();
}

 

The session is already started elsewhere on the page.

 

Sorry for the confusion.

[emopoops]

session_start(); //yes, you still have to start the session
session_unset();
session_destroy();

 

that is what im using. i dont understand  the caution not to use the unset()

[MadTechie]

I mean it trashes the session ID, (could cause problems with other sessions etc)

basically bad practice

using session_unset is fine

however I would recommend you us this as it also clears the cookie as sometimes the sessions don't clear from the server this will also clear the link from the client

 

try

<?php
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
?>

[emopoops]

do i have to use the 420000 can i change the number?

[MadTechie]

Sure that just sets the cookies expire time to a time in the pasted (forces it to delete itself)

[emopoops]

session_start(); //yes, you still have to start the session
session_unset();
session_destroy();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-55, '/');
}

 

so i dont have to add ANYTHING ELLSE? that is taken from the page exactly to signout.

?

[MadTechie]

add

$_SESSION = array();

under

session_start()

it will clear the session details, yes i know your deleting them but its a just in case measure,

 

you could also redirect them to the home page

ie

at the end add

header("Location: index.php");

[emopoops]

i have a header url thanks.

i still dont get what the array means tho but ill add it

[MadTechie]

all your doing is removing details then removing the item itself

 

Now just say the session didn't get removed from the server (for whatever reason) that means the users details are still floating around on the server waiting to timeout right ?

 

Well by setting the details to an empty array they are no use to anyone so it doesn't matter as much compared to then holding valid user details.

[emopoops]

oh so its  changing them to empty?

is it ok to change the details to empty before doing the unset and destroy and cookie check?

[MadTechie]

Yes you should set it to empty before then as you do want it unset/removed, setting it to empty is just incase they fail.