session_start(); session_regenerate_id(); session_destroy(); unset($_SESSION); session_start(); PHP: or session_start(); session_destroy(); unset($_SESSION); session_start(); PHP: Are the above codes valid??
session_start(); session_destroy(); unset($_SESSION); session_start(); session_regenerate_id(); Code (markup): ? almost the same? but why not loop all elements of the $_SESSION and remove them completely foreach ($_SESSION AS $k=>$v){ unset($_SESSION[$k]); } Code (markup): Then the session is 100% empty!
Instead of that mess, regenerate the ID passing true to the function. It will destroy the old session and data. http://php.net/manual/en/function.session-regenerate-id.php session_start(); session_regenerate_id(true); Code (markup): That's all you need to do. The regenerate_id function makes a whole new session ID. Passing true destroys the old session data. Passing false (the default) leaves the session data intact assigned to the new ID. So you don't need to waste time brute-forcing things. I usually call session_regenerate_id every time I do a session start -- it reduces the odds of a man in the middle or session hijack attack.