Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : Session Handling Functions : session_destroy

session_destroy

Destroys all data registered to a session (PHP 4, PHP 5)
bool session_destroy ( )

Example 2224. Destroying a session with $_SESSION

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
   
setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>

Related Examples ( Source code ) » session_destroy


Code Examples / Notes » session_destroy

wade

You should also be careful when you destroy a session. I believe a previous user posted something similar to this but didn't emphasize this point.
If you are creating a new session, but want to make sure that  there are currently no sessions active by doing session_destroy(); make sure you start the session again using session_start(); or else your session data will not register properly.


powerlord

This code might be a bit better for expiring session cookies, in case your domain, path, and/or secure session cookie settings are changed.
   $CookieInfo = session_get_cookie_params();
   if ( (empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])) ) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path']);
   } elseif (empty($CookieInfo['secure'])) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain']);
   } else {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain'], $CookieInfo['secure']);
   }
   unset($_COOKIE[session_name()]);
   session_destroy();


johan

Remember that session_destroy() does not unset $_SESSION at the moment it is executed.  $_SESSION is unset when the current script has stopped running.

colin

Note that when you are using a custom session handler, session_destroy will cause a fatal error if you have set the session destroy function used by session_set_save_handler to private.
Example:
Fatal error: Call to private method Session::sessDestroy()
where sessDestroy was the function I specified in the 5th parameter of session_set_save_handler.
Even though it isn't all that desirable, the simple solution is to set sessDestroy to public.


markus

Note that there's a bug with custom session handlers and when you want to start a session again after you have called session_destroy.
session_destroy disables the custom session_handler and this a call to session_start after it will fail with "Failed to initialize storage module".
See http://bugs.php.net/32330 for more information and a workaround.


rob a.t. mobius d.o.t. ph

I was experiencing problems with "sess_deleted" files and tracked it down to:
   setcookie(session_name(), '', time()-42000, '/');
When "setcookie" is passed an empty value (ie, ''), it changes the value to the string "deleted" and sets the date to exactly one year and one second in the past, ignoring the expiration parameter.*
So, I'm guessing that if a client machine has its time set to more than a year in the past or if the browser is somehow broken, then a site visitor could potentially send a PHPSESSID with a value of "deleted".  This will cause PHP to create a "sess_deleted" file in the sessions directory.
In my case, I was seeing several incidents per minute, with each user clobbering the other's session data causing all kinds of security and identity issues.  Two changes seemed to have solved the problem:
1) Use session_id() in place of '' in setcookie, as well as pick a date that's far in the past (in this case Jan 1, 1970, 8:00:01AM):
   setcookie(session_name(), session_id(), 1, '/');
2) Use session_regenerate_id() when logging a user in or otherwise changing their authority level.
Hope this helps somebody.
Rob
* Here is the relevant code in head.c:
   if (value && value_len == 0) {
       /*                                                                                                                                                                                                      
        * MSIE doesn't delete a cookie when you set it to a null value                                                                                                                                          
        * so in order to force cookies to be deleted, even on MSIE, we                                                                                                                                          
        * pick an expiry date 1 year and 1 second in the past                                                                                                                                                  
        */
       time_t t = time(NULL) - 31536001;
       dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0 TSRMLS_CC);
       sprintf(cookie, "Set-Cookie: %s=deleted; expires=%s", name, dt);


thomas

I did encounter a minor problem when I tried to remove the physical file that stores the session. The problem was that my working directory wasn't on the same drive as my PHP installation (yes, I used Windows).
So I used the PHP_BINDIR to start at the same place as PHP does and then change directory to the place that was specified in PHP.INI. This makes it transparent to relative paths in session.save_path.
<?php
function DeleteSessionID($sessionid) {
 $orgpath = getcwd();
 chdir(PHP_BINDIR);
 chdir(session_save_path());
 $path = realpath(getcwd()).'/';
 if(file_exists($path.'sess_'.$sessionid)) {
   // Delete it here
   unlink($path.'sess_'.$sessionid);
 } else {
   // File not found
 }
 chdir($orgpath);
}
?>
The final chdir($orgpath) is just to restore the working directory as it were before .


administrator

Destroying  a session from a background job
I have a thief-protection system that compares country codes from login IPs via whois. This has to run in the background as it is way too processor-hungry to be run in the browser.
What I needed was a way to destroy the web session from the background job. For some reason, a background session_destroy APPEARS to work, but doesnt't actually destroy the web session.
There is a work around, I set the username to NULL and the web code picks up on that, bouncing the user (thief) to a "gotcha" page where his IP is logged.
Yes I know its nasty and dirty, but surprisingly it works.
$sid = the session_id() of the suspicious web session, passed in $argv to the background job
The trick is to "stuff" the $_GET array with the sid, then the session_start in the background job picks this value up (as if it were a genuine trans-sid type thing...?PHPSESSID=blah) and "connects to" the web session. All $_SESSION variable can be viewed (and CHANGED , which is how this kludge works) but for some reason (that no doubt someone will illuminate) they can't be unset...setting the particular variable to NULL works well though:

$_GET[session_name()]=$sid;
session_start();
// prove we are getting the web session data
foreach($_SESSION as $k => $v) echo($k."=".$v);
// now kill the thief
$_SESSION['username']=NULL;
//web session variable now NULL - honestly!


r dot swets

Bothering with the timestamp can always give troubles. A lot better is forcing the sessionid to be regenrerated. A trick to destroy the session completly is actually restarting the session, like someone closed and reopened his browser. This will fix the whole authority problem and browser cookie deletion problem quite more easy, and it gives cleaner code without having to clean the $_SESSION array.
I would suggest the following function session_restart();
<?php
session_start();
// Some simple code etc etc
$requested_logout = true;
if ($requested_logout) {
   session_restart();
}
// Now the session_id will be different every browser refresh
print(session_id());
function session_restart()
{
   if (session_name()=='') {
       // Session not started yet
       session_start();
   }
   else {
       // Session was started, so destroy
       session_destroy();
       // But we do want a session started for the next request
       session_start();
       session_regenerate_id();
       // PHP < 4.3.3, since it does not put
       setcookie(session_name(), session_id());
   }
}
?>
NOTE: session_restart() acts like session_start(), so no output must be written before its called.


Change Language


Follow Navioo On Twitter
session_cache_expire
session_cache_limiter
session_commit
session_decode
session_destroy
session_encode
session_get_cookie_params
session_id
session_is_registered
session_module_name
session_name
session_regenerate_id
session_register
session_save_path
session_set_cookie_params
session_set_save_handler
session_start
session_unregister
session_unset
session_write_close
eXTReMe Tracker