Help with sessions

[rv20]

If you set a session on some page,

 

session_start();
$_session['user'] = "someusername";

 

 

Then if you unset that session on a different page

 

unset($_session['user']);

 

does that clear this 'user' session on every page or just the page you unset it on?

 

 

 

 

[PFMaBiSmAd]

There is only one set of $_SESSION variables per browser session. If you unset any session variable, that variable no longer exists in that browser's session.

 

If you are asking because something your are doing is not working, it is much better to post your code and state what it is or is not doing than to ask a general question about if something behaves a certain way (which you can generally find out by simply testing for yourself, quicker than waiting around in a forum for someone to answer.)

 

For your code you posted, $_session is not the same as $_SESSION. $_session is just a variable local to the current script. $_SESSION (assuming your have a session_start() statement) is a session variable.

[johntp]

You may want to do somehting like this if you're trying to log somone out.

 

<?php 
// logout.php 
session_start(); 
unset($_SESSION); 
// you may want to delete the session cookie 
if (isset($_COOKIE[session_name()])) { 
  setcookie(session_name(), '', time()-60); 
} 
session_destroy(); 
echo 'You have been logged out.'; 
?>

[rv20]

Thanks that has cleared all that up.

 

So if i have a login script and set a session var if all is validated,

 

session_start();
$_SESSION['user'] = $_POST['user'];

 

So that EVERY page that a user then goes to i can add this at the top of the page,

 

session_start();
if(!isset($_SESSION['user'])){

//whatever i have to do, redirect etc...
	 }

 

This allows me to see if the user is logged in, i can have a logout link linking to logout.php with logout.php simply,

 

session_start();
unset($_SESSION['user']);
header("location: home.php");

 

 

This seems all a bit simple i suppose if someone got hold of your session cookie or maybe there are other exploits (xss) or css injection, to get around this the could compromise your site, what other methods would you use to secure this method of checking for logged into via sessions?