Question:
PHP error reporting and session termination?
Louis
2013-02-02 15:56:27 UTC
I was recently hired to fix a website that is using an outdated O'Reilly error reporting script. Customers of the client have complained about session data loss. Inside this error reporting script the sessions are terminated before the error is reported. My question being, does this session termination need to be there or can it be done away with? The errors tracked are MySQL queries.
Three answers:
Brian K
2013-02-02 18:12:10 UTC
First (re: @Fred), not calling session start in a page certainly *won't* destroy a session (unless the session is otherwise due to expire). Nobody would use PHP if you got tossed out of BB2 / Drupal / Gallery / Joomla! / phpMyAdmin / WordPress / whatever just by running another application or a test script with no sessions on the same server.

Second (re: @Fred), if there's data that's only in the *session* and nowhere else and you terminate the session, the data will certainly be lost, and that would have everything to do with the session.

You can certainly remove the session termination from the error script from a PHP standpoint. Whether you want to do so or not is a programmer and/or business decision.

It probably *does* make sense to terminate if the error is related to an authentication or authorization process. Any associated data corruption has already taken place, so in any other scenario, terminating the session will neither protect the data nor will it likely keep the user from reauthenticating and reproducing the scenario. It just becomes a further source of frustration in an app that already has problems.

I whole-heartedly agree that you want to avoid showing the error details to production users.
?
2013-02-03 00:07:46 UTC
A session will terminate if ANY page does not call session start. Since MySQL errors are database errors, this means the data is either not being stored or not recovered. NOTHING to do with the session itself. Forget the reporting script, forget the session loss. The only way you are ever going to fix this is to read through all the PHP and find those errors. This will require you to write your own debugging routines into it to post messages at points where you can isolate the failure. Then re-write the scripts.
Unca Alby
2013-02-03 00:12:41 UTC
Depending on the nature of the error, you probably want to kick the user out of the session so that a new login is required. To do anything else has possible security issues, not to mention possible data corruption, etc.

So pretty much, yah, you should terminate the session.

However, you can certainly save the pertinent information regarding the error first. After all, you can't diagnose the error and fix it if you can't capture any information about it. Send all pertinent information to a log file, or to the web server logs, before putting up the error screen.

Do NOT display these errors on the screen to the user! A hacker can use that information to figure out your security vulnerabilities. Just display enough information so that the user knows that an error has occurred, who to contact, and some very brief description of what went wrong.
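An added example (not from any of the answers above) showing how a replacement for the error reporting script could combine the two recommendations: log full details server-side and show the user only a generic message, as Unca Alby suggests, and destroy the session only when the failing query touched authentication data, as Brian K suggests. The `AUTH_TABLES` list, the log path and the `report_db_error` / `query_touches_auth_tables` names are assumptions for this illustration, not part of the original script.

```php
<?php
declare(strict_types=1);

// Hypothetical list of tables whose query failures should force a new login.
// Errors on any other table are logged but leave the session intact.
const AUTH_TABLES = ['users', 'logins', 'password_resets'];

// Usage (MySQL error path only):
//   $res = mysqli_query($db, $sql)
//       or report_db_error($sql, mysqli_error($db), __DIR__ . '/../logs/db_errors.log');
// The log file should live outside the web root so it is never served to a browser.
function report_db_error(string $query, string $dbError, string $logFile): void
{
    // 1. Record everything a developer needs, server-side only.
    $entry = sprintf(
        "[%s] user=%s ip=%s error=%s query=%s\n",
        date('c'),
        $_SESSION['user_id'] ?? 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $dbError,
        $query
    );
    error_log($entry, 3, $logFile);   // type 3 = append to the given file

    // 2. Terminate the session only if the error involved auth data.
    if (query_touches_auth_tables($query)) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            $_SESSION = [];
            session_destroy();
        }
        $message = 'A security-related error occurred. Please log in again.';
    } else {
        $message = 'A database error occurred. Please try again.';
    }

    // 3. Show the user a generic message plus a reference id that support
    //    can match against the log line; no query text or DB error leaves the server.
    $ref = substr(hash('sha256', $entry), 0, 8);
    http_response_code(500);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),
        ' Reference: ', $ref, '. Please contact support.';
    exit;
}

// Case-insensitive whole-word match of any auth table name in the failed query.
function query_touches_auth_tables(string $query): bool
{
    foreach (AUTH_TABLES as $table) {
        if (preg_match('/\b' . preg_quote($table, '/') . '\b/i', $query) === 1) {
            return true;
        }
    }
    return false;
}
```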


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.