This is my first time posting. I believe I've searched through a bit of the other forums to see if my question has already been asked, but I'm still left scratching my head. I know there's a lot of postings about expired sessions, but I'm thinking in terms of a specific scenario, I guess.
A user is logged into the Dashboard and goes to a page. It sits idle for how ever long, then the garbage collector does its thing and clears the session.
Now, if the user goes back to the Dashboard and clicks to go to another page, I would like to have the user return to the index page - effectively log out.
I have a logout page that the user can go to when they choose to log out. I record some data in the database, remove the session and redirects back to the home page.
I would like to first check if the session is indeed alive. If not, destroy it and redirect to the home page. Otherwise, delete it.
But my question is, if the garbage collector had already cleared the session, do I even need to destroy it?
<?php
session_start( );
if( !isset( $_SESSION['session'] ) ) {
session_destroy( );
header( "Location: /index.php" );
}
else {
// ... log the data I need in the database ...
$_SESSION['session'] = array( );
if( ini_get( "session.use_cookies" ) ) {
$params = session_get_cookie_params( );
setcookie( session_name( ), '', time( ) - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"] );
}
session_destroy( );
header( "Location: /index.php" );
}
?>
session_start() and session_destroy() aren't working with the garbage collector the way you think they are. They're utilizing internal adapters to allow PHP to talk to a persistence layer (generally the filesystem, in this case, the browsers cookies), to extract session information.
What you're doing when you call session_destroy(), is you're instructing your session ADAPTER to destroy the session, not so much PHP. PHP garbage collects the session memory usage constantly, but still maintains reference to the adapters persistence of the session data.
So, yes, you have to call it, unless you destroyed it already.
Short answer to your question: no, you don't have to destroy session yourself.
session_start() will always start or resume a session, and this session will always be "alive". Whether this session will have a flag of logged user or not is up to you though.
To determine user's logged in status you could just save some "flag" into session, for example: userId. Then, right after session_start() (except on login page) you can check this session variable. If it exists then user is logged in. If it doesn't, that means either new user or user with expired session cookie (logged out). In both cases you just redirect to login page. That's all.
Also, calling session_destroy() from usual code isn't recommended.