In PHP manual, the description for session_destroy() function is :
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
I am confused about this description. If this function destroys all session data, then why the global variables associated with the session are not unset? Why can we use the session variables again?
If we read the description carefully, we can find what this function does is to delete all the data for the current session rather than the variables associated with the session. The end result is data in $_SESSION array is cleared but the $_SESSION variable is not deleted. It's the same as:
$_SESSION=array();
While other information associated with the session are not deleted such as the session id(SID), after calling session_destroy() and refreshing the page with session_start() called, the SID will still be available and its values are not changed.
For example:
<?php
session_start();
echo "SESSION ID : ".session_id().'<br />';
if(isset($_SESSION["name"])){
echo "VALUE 1 : ".$_SESSION["name"].'<br />';
}
$_SESSION["name"]="value";
echo "VALUE 2 : ".$_SESSION["name"].'<br />';
//session_destroy(); //Will delete all session data, but the session id(SID) will not be changed.
?>
The first time we execute the codes above we will get the output:
SESSION ID : ovjh17hvkbbduf5ladl1fd4jm5 VALUE 2 : value
While when we execute the above codes the second time, we will get the output:
SESSION ID : ovjh17hvkbbduf5ladl1fd4jm5 VALUE 1 : value VALUE 2 : value
Now if we uncomment the session_destroy() function and execute the above codes again twice, we will get the output :
SESSION ID : ovjh17hvkbbduf5ladl1fd4jm5 VALUE 2 : value
From the above output, we can see that $_SESSION["name"] is removed, but the session id is still there and also the $_SESSION.
