Wednesday, September 16, 2009

Zend PHP 5 Certification Mock Exam: how to destroy a session

Here is another question about sessions from the Zend PHP 5 Certification Mock Exam. Good answers are in bold:
To destroy a PHP session completely, one must do which of the following?
  • Regenerate the session ID using session_regenerate_id()
  • If cookies are used, destroy it
  • Use session_demolish() to completely destroy the session
  • Change the session name using session_name()
  • Destroy the session data using session_destroy()
A few words of explanation. To destroy a session we need to remove all the data associated with the session and try to prevent the client from requesting the session using the id. Usually the session id is stored on the client side as a cookie. In this case, we need to destroy the cookie, which means that the second answer is correct. To remove all the data associated with the session, we need to use the session_destroy() function, which means the last answer is also correct. This is described briefly on the session_destroy manual page.

Regarding the three remaining answers: regenerating the session id is useful for preventing session fixation. There is no such function as session_demolish() in the PHP manual. Changing the session name does not remove the data; it simply changes the name of the cookie storing the session id.
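
The two correct answers combined into one logout routine, as an added example that is not part of the original post or the exam. The function name destroy_session_completely() is hypothetical, and the code assumes PHP 5.4 or later (for session_status()) and that it runs before any output is sent.

```php
<?php
// Added example: hypothetical helper, not code from the exam or the PHP manual page.
// Ends the current session on the server and asks the browser to drop the cookie.
function destroy_session_completely()
{
    // session_destroy() only works on an active session, so resume the one
    // identified by the id the client sent if the script has not done so yet.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // session_destroy() removes the stored data but leaves the $_SESSION
    // array of the running script populated, so empty it explicitly.
    $_SESSION = array();

    // Answer 2: if cookies carry the session id, expire the cookie.
    // The browser only replaces a cookie when name, path and domain match
    // the original, so reuse the parameters the session cookie was set with.
    $cookieExpired = false;
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        $cookieExpired = setcookie(
            session_name(),      // default is PHPSESSID, may be changed by session_name()
            '',                  // empty value
            time() - 42000,      // expiry in the past
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // Answer 5: delete the data held by the session save handler.
    $dataDestroyed = session_destroy();

    return array('cookie_expired' => $cookieExpired, 'data_destroyed' => $dataDestroyed);
}

// Typical use in a logout script, before any output:
// $result = destroy_session_completely();
// header('Location: /login.php');   // constructed path, for illustration only
```

If headers have already been sent the cookie cannot be expired; the server-side data is still destroyed, so the old id no longer maps to any stored state.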
