Session class update with session destroy / start wrapper

session start wrapper as protected method

session destroy wrapper with _SESSION array unset

www/lib/CoreLibs/Create/Session.php

@@ -18,6 +18,19 @@ class Session
 	/** @var string list for errors */
 	private $session_intern_error_str = '';
 
+	/**
+	 * Start session
+	 * startSession should be called for complete check
+	 * If this is called without any name set before the php.ini name is
+	 * used.
+	 *
+	 * @return void
+	 */
+	protected function startSessionCall(): void
+	{
+		session_start();
+	}
+
 	/**
 	 * init a session, if array is empty or array does not have session_name set
 	 * then no auto init is run
@@ -58,19 +71,6 @@ class Session
 		return true;
 	}
 
-	/**
-	 * Start session
-	 * startSession should be called for complete check
-	 * If this is called without any name set before the php.ini name is
-	 * used.
-	 *
-	 * @return void
-	 */
-	public function startSessionCall(): void
-	{
-		session_start();
-	}
-
 	/**
 	 * Return set error string, empty if none set
 	 * Error strings are only set in the startSession method
@@ -206,6 +206,39 @@ class Session
 		return session_write_close();
 	}
 
+	/**
+	 * Proper destroy a session
+	 * - unset the _SESSION array
+	 * - unset cookie if cookie on and we have not strict mode
+	 * - destroy session
+	 *
+	 * @return bool
+	 */
+	public function sessionDestroy(): bool
+	{
+		$_SESSION = [];
+		if (
+			ini_get('session.use_cookies') &&
+			!ini_get('session.use_strict_mode')
+		) {
+			$session_name = $this->getSessionName();
+			if ($session_name === false) {
+				$session_name = '';
+			}
+			$params = session_get_cookie_params();
+			setcookie(
+				(string)$session_name,
+				'',
+				time() - 42000,
+				$params['path'],
+				$params['domain'],
+				$params['secure'],
+				$params['httponly']
+			);
+		}
+		return session_destroy();
+	}
+
 	/**
 	 * get session status
 	 * PHP_SESSION_DISABLED if sessions are disabled.