What may cause inability to modify session in PHP?

Question

0.00/5 (No votes)

See more:

The objective is to delete id stored in session after logout.

Note:

1. session_start() has been called at the start of the request
2. Error reporting is turned on

What I have tried:

After using the usual unset, if I var_dump, it appears to have truly removed the id, yet the same id is available on subsequent requests to other routes. This doesn't apply to unset alone, as I have observed when inserting on that request too

PHP

public function signout () {

    unset($_SESSION['login_id'] );
    $_SESSION['jhg'] = 6778; // on next request to another route, this is nowhere to be found, while the login_id remains hail and hearty
    return [];
}

The only way I was able to successfully clear the value was with this hack

PHP

$eds = array_filter($_SESSION, function ($k) {
	return $k != 'login_id';
}, ARRAY_FILTER_USE_KEY);

$_SESSION = []; session_destroy(); 
session_start(); $_SESSION = $eds;

This works because I realized destroying the entire session is persisted across requests. That's the only operation on the superglobal that works on this particular request/route. Altering the session elsewhere works just as the docs say. What could be going on?

Posted 22-Mar-20 2:45am

nmeri17

Updated 22-Mar-20 3:10am

v2

Add a Solution

Comments

Mohibur Rashid 22-Mar-20 11:47am

just calling session_destroy() should do logout trick. You do not need anything else.

nmeri17 22-Mar-20 12:18pm

I couldn't call session_destroy because the session contains other variables I will probably use on other requests. I eventually discovered the problem was because of an warning/error being raised when writing some closure to session. PHP does not permit serializing closures to the session array, so it's some kind of transaction that is `committed` only after response is returned. In my case, the closure was causing the transaction to terminate even though request handler was visibly changing contents of the session array.

Thanks for stopping by

ZurdoDev 23-Mar-20 7:49am

If you want to remove just one session key all you have to do is set it to blank.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)