Scenario:
When a user logs in, the session ID is set to:
a2ad5e6b7f5e32f183ebe1c75f9c91c4
When a user logs out, I am using the following code in a logout script:
$_SESSION = array();
session_destroy();
Now, when I log in again, I thought I would get a different session ID, however I get the same session ID as noted above.
Summary:
I understand the two lines of code above clear the $_SESSION globals and destroy the session backing. Plus, I know the session ID is just a pointer to the session data and I also know that the only way to get a different session ID is to close and re-open the browser as well.
Therefore, will the two lines of code above really help in a situation in which a user logs out of an application and another user will log in, but through testing by just writing the session ID to the page, I found that they still have the same session ID?
Is this really an issue as long as I do have the two lines of code above?
Thank you.
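
For reference, an added example that is not part of the original post: a logout that also expires the session cookie in the browser, paired with a login that issues a fresh session ID through session_regenerate_id(). It assumes cookie-based PHP sessions; the function names app_logout and app_login and the user_id session key are hypothetical.

```php
<?php
// Added example, not the poster's code. app_logout(), app_login() and the
// 'user_id' key are hypothetical names chosen for illustration.

function app_logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear the session data held in memory for this request.
    $_SESSION = [];

    // Expire the session cookie so the browser stops sending the old ID.
    // session_destroy() alone removes the server-side data but leaves the
    // cookie in place, which is why the same ID shows up on the next login.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // Remove the server-side session data.
    session_destroy();
}

function app_login(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Issue a new session ID at the privilege change and delete the old
    // session data (true), so an ID known before login is useless afterwards.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $userId;
}
```

Both functions must run before any output is sent, because they set the session cookie header.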