PHP session_destroy and session scope?

问题

OK there are many "simple session" questions out there, but I can't seem to find what I'm after. It bugs me a little bit as the PHP document does not seem to explain this well.

Three fold questions.

1. It says that session_destroy() wipes out the session data but not the global variable. So it wipes the data but the variables are still in tact? What does the documentation mean by global variables?

2. What are the different types of ways that I can use to destroy session data, isn't session_destroy enough? Why would you use the below coding as I've seen in some code examples:

   session_start();
   $_SESSION = array();
   session_destroy();
   

3. Session seem to persist across browser instances. For example, IE9 will keep the same session id when two separate browsers are opened. Same with Chrome. Only when I close all the browsers, will I get a new session id. Is this always the case for all browsers? I want to know so that I can keep this in mind during my coding - wouldn't want to find out later that some browsers are not persistent and my code thinks that it does, then run the risk of producing all sorts of errors.

Thanks in advance for anyone who can help me answer these questions.

回答1:

1. $_SESSION is the super global variable

2. The session_destroy function is basicly enough. It deletes the session_file on the server where all session-variables are stored and removes the session-cookie. The variables are after the session_destroy call still in the memory, but changing these values has no effect (except you call session_start() again).

   But the code snippet removes the variables from the memory too. This is important if for example the application checks for $_SESSION['admin'] later in the same request to see if the user has admin rights.

   The session_start() function is needed because you need to load the session first to delete it.

3. Sessions are not persistant across diffrent browsers, however they are persistant across all windows/tabs of the same browser. What happens if you close the browser really depends on your PHP-ini setting. session.cookie_lifetime defines how long (in seconds) the browser should keep the cookie (even after restart). If session.cookie_lifetime is set to 0 the browser deletes the session cookie when closing.

   session.gc_maxlifetime defines how long the webserver keeps the session file (without the session file the session-cookie is invalid)

回答2:

What does the documentation mean by global variables?

It's talking about the $_SESSION super-global variable.

What are the different types of ways that I can use to destroy session data, isn't session_destroy enough? Why would you use the below coding as I've seen in some code examples:

You use that to get rid of the contents of $_SESSION so the rest of the script doesn't use now-expired data. At some point in your script, you've decided that you're clearing a user's session, so you don't want any other logic to use that session day. By setting $_SESSION to an empty array, all of its prior contents are wiped.

Is this always the case for all browsers?

Yes, the session is associated with a particular user based on a cookie (typically), and will be sent to your site every time a user access the site (if they have the cookie), regardless of how many tabs are open or whether or not they are even using tabbed browsing.

来源：https://stackoverflow.com/questions/11740550/php-session-destroy-and-session-scope