Asked  7 Months ago    Answers:  5   Viewed   41 times

I am new to learning Php. I have created the following code.

 * Testing Sessions with PHP
$_SESSION['user_id'] = 'Testing User';

    <title> Sessions Page</title>
       echo $_SESSION['user_id'];

Now the echo $_SESSION['user_id'] echos testing user. In my opinion it should not, as i have destroyed the session. what is the reason?



You need to unset the session vars. See

Means, put session_unset() before you destroy the session.

Saturday, May 29, 2021
answered 7 Months ago

the php-memcached extension supports session locking

the memcache and memcached extensions look syntactically similar so it may not be too much of a headache to give it a try. (memcached has a stable version 2.1.0 released 2012-08-07).

if you are set on using memcache 2.2.7 you will most likely have to implement the lock yourself by setting some "session_is_locked" variable in your session and then releasing/unsetting it when the script is done writing to the session. Then you'd always need to check if that variable is set before continuing with any scripts which write to the session.

Wednesday, March 31, 2021
answered 9 Months ago

session_destroy() destroys the active session. If you do not initialized the session, there will be nothing to be destroyed.

Thursday, July 29, 2021
answered 4 Months ago

I ran into the same issue and found the following solution in the documentation:

To run your functional tests, the WebTestCase class bootstraps the kernel of your application. In most cases, this happens automatically. However, if your kernel is in a non-standard directory, you'll need to modify your phpunit.xml.dist file to set the KERNEL_DIR environment variable to the directory of your kernel:

    <!-- ... -->
        <server name="KERNEL_DIR" value="/path/to/your/app/" />
    <!-- ... -->

So check your phpunit.xml.dist configuration file and try to add the absolute path to your app-directory.

Hope it helps.

Friday, July 30, 2021
Bálint Molnár
answered 4 Months ago

First of all you should read the Mozilla WebAppSec Security Coding Guideline - Session Management and OWASP A3-Broken Authentication and Session Management. You can configure PHP's session handler to meet these requirements.

The first flaw you should prevent is A9-Insufficient Transport Layer Protection. In short you do not want someone to hijack a session using a tool like Firesheep. This attack can be prevented by forcing the browser to only send the session id over https:


You can prevent an attacker from obtaining the session id using XSS by setting the httponly flag:


You always want to use a cookie to store your session id. If the session id can be passed using a GET or POST variable then an attacker could use Session Fixation attack to hijack a session. Another way of thinking about this attack is that you don't want an attacker to create a session for another user:


Next you want to make sure you have atleast 128 bits of entropy from a CSPRNG. Under *nix systems you can use /dev/urandom:


The session handler isn't everything. You still need to worry about Cross-Site Request Forgery attacks (aka CSRF or "Session Riding"), and Cross-Site Scripting (XSS). XSS can be used to defeat CSRF protection (even with http_only cookies!). Clickjacking can also be used by an attacker to perform unauthorized actions.

After you set these configuration options, just call session_start(). As for destroying the session call session_destroy() when the user logs out, its that simple!

Sunday, August 1, 2021
answered 4 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :