Let me start directly with the code where the issue can be demonstrated and reproduced:
```php
<?php
session_start();

// the output
if (isset($_SESSION["user"])) {
    assignSecret();
    echo "welcome " . $_SESSION["user"] . "<br>";
    echo "your secret is " . $_SESSION["secret"];
} else {
    echo "no one is signed";
}

// sign out mechanism
if (isset($_POST["signout"])) {
    // yes I want to unset only the user and keep all other session details
    // it's a desired behaviour
    unset($_SESSION["user"]);
    header("Location: " . $_SERVER['PHP_SELF']);
    exit();
}

// sign in mechanism
if (isset($_POST["signin"])) {
    $_SESSION["user"] = "world";
    header("Location: " . $_SERVER['PHP_SELF']);
    exit();
}

// random BS
function assignSecret()
{
    unset($_SESSION);
    // I actually reload session data from a database
    // but for the sake of simplicity let's assume:
    $_SESSION = ["user" => "world", "secret" => "xyz"];
}
?>
<!--All HTML stuff-->
<form method="post" action>
    <input type="submit" name="signin" value="sign in">
    <input type="submit" name="signout" value="sign out">
</form>
```
I can sign in fine, but when I click sign out, here is what I think the order of execution is (I used xdebug to confirm this):

- `$_SESSION["user"]` is set and so `assignSecret()` is executed
- `$_POST["signout"]` is also set and so `$_SESSION["user"]` gets unset
- the script re-executes from the start because of the `header()` function
- at this point `$_SESSION["user"]` should be unset already, but it isn't. Why?

The expected result is for the sign-out to happen: `$_SESSION["user"]` should no longer be set. But that doesn't happen.
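
The sign-out flow above can be reproduced without a browser. The following is an added example, not part of the original post: a PHP CLI script that runs the sign-in and sign-out steps as simulated requests, once with the `unset($_SESSION)` reload from the question and once with a plain assignment, and reads back what the session store kept. The PHP manual warns that `unset($_SESSION)` disables registering session variables through the superglobal; the helper names `request`, `stored`, `reloadDetached` and `reloadInPlace`, and the session ids, are constructed for the demo.

```php
<?php
// Added example (not the poster's code). Run with the PHP CLI.
// Cookies and cache headers are disabled so sessions work without HTTP.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
session_save_path(sys_get_temp_dir());

// Simulate one request: open the session, run $handler, persist, close.
function request(string $sid, callable $handler): void
{
    session_id($sid);
    session_start();
    $handler();
    session_write_close();
}

// Read back what was persisted for this session id, then delete it.
function stored(string $sid): array
{
    session_id($sid);
    session_start();
    $data = $_SESSION;
    session_destroy();
    return $data;
}

// Pattern from the question: unset($_SESSION) detaches the superglobal from
// the session store, so later changes to the new array are not saved.
function reloadDetached(): void
{
    unset($_SESSION);
    $_SESSION = ["user" => "world", "secret" => "xyz"];
}

// Same reload without the unset: assignment writes through the binding.
function reloadInPlace(): void
{
    $_SESSION = ["user" => "world", "secret" => "xyz"];
}

$report = [];
foreach (["reloadDetached", "reloadInPlace"] as $reload) {
    $sid = "demo" . bin2hex(random_bytes(8));               // constructed id
    request($sid, function () { $_SESSION["user"] = "world"; });   // sign in
    request($sid, function () use ($reload) {                      // sign out
        $reload();
        unset($_SESSION["user"]);
    });
    $report[] = $reload . ": " . (isset(stored($sid)["user"]) ? "still signed in" : "signed out");
}
echo implode("\n", $report), "\n";
```

A sign-out that does not persist leaves the authenticated session usable by anyone holding the session id, so checking the stored state after logout, as `stored()` does here, is a useful regression test.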