Is this a proper way to destroy all sessions in php?

Question

Got it from php.net, but I am not sure is this how everybody destroy all sessions??

// Unset all Sessions
$_SESSION = array();

if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() -42000, '/');
}

    session_destroy();

Does the code will destroy all the sessions?? Is it the most common way? how do you guys destroy php sessions??

Oh yeah, btw, what is that session_name()?? All session name? e.g $_SESSION['var1'], $_SESSION['var2']... ?

I dont need to use unset($_SESSION['var1']); any more right???

Whats the different between using session_destroy and unset($_SESSION[])??

Answer 1

This only destroys the current users session, not all the other users session.

Try using the session_save_path() to find out where the session data is being stored, and then delete all the files there.

Answer 2

session_name() is the name that's passed in the cookie / querystring. It's normally PHPSESSID but can be changed.

There's no proper way to destroy all sessions. As @Marius says, you could try deleting the session files from session_save_path() but that's a hack at best.

Alternatively you could use session_set_save_handler() to save your sessions to somewhere you have more control over, such as a database.

Answer 3

You should first know what sessions are: You can consider sessions as a data container on the server side that’s associated with a random identifier, the session ID. That session ID needs to be provided by the client so that the server can load the data associated to that session ID (and thus to that session) into the $_SESSION variable. Everything in that $_SESSION variable is also called session variables of the current active session.

Now to your questions:

Does the code will destroy all the sessions?? Is it the most common way? how do you guys destroy php sessions??

The provided code just deletes the session data of the current session. The $_SESSION = array(); statement will simply reset the session variable $_SESSION so that a future access on the session variable $_SESSION will fail. But the session container itself is not deleted yet. That will be done by calling session_destroy.

See also Truly destroying a PHP Session?

Oh yeah, btw, what is that session_name()?? All session name? e.g $_SESSION['var1'], $_SESSION['var2']... ?

The session_name is just used to identify the session ID parameter passed in a cookie, the URL’s query or via a POST parameter. PHP’s default value is PHPSESSID. But you can change it to whatever you want to.

I dont need to use unset($_SESSION['var1']); any more right???

No. The initial $_SESSION = array(); deletes all the session data.

Whats the different between using session_destroy and unset($_SESSION[])??

session_destroy will delete the whole session container while unset or resetting the $_SESSION variable will only delete the session data for the current runtime.

Answer 4

To destroy a single session, you should use the following:-

session_destroy();

Assuming you've used session_start() to previously start/resume a session.

Destroying all sessions really depends on your setup, and how you're handling sessions.

For most PHP installs, the session handling is done via files, so the best way would be to find the folder that keeps all the sessions (usually found from session_save_path()), and delete all the files under that.

I think though, the best way to handle this might be to pre-emptively set a timestamp in each session you create. This means that you can then compare that timestamp to a set point (the time when you want to invalidate all sessions) and invalidate the session if it's before that time. This also means that you can do things like set a specific timeout for a session, etc etc.

Another way might be to change to use Database Stored Sessions - you can find a good tutorial for this here