PHP 5.6.0beta1 released

session_destroy

(PHP 4, PHP 5)

session_destroyLöscht alle in einer Session registrierten Daten

Beschreibung

bool session_destroy ( void )

session_destroy() löscht alle in Verbindung mit der aktuellen Session stehenden Daten. Mit der Session zusammenhängende globale Variablen und das Session-Cookie werden nicht gelöscht. Um wieder Session-Variablen verwenden zu können, muss session_start() aufgerufen werden.

Um die Session komplett zu löschen, z.B. um einen Benutzer auszuloggen, muss auch die Session-ID gelöscht werden. Wenn zum Verfolgen der Session ein Cookie benutzt wird (standardmäßige Einstellung), muss das Session-Cookie gelöscht werden. Dafür kann setcookie() verwendet werden.

Rückgabewerte

Gibt bei Erfolg TRUE zurück. Im Fehlerfall wird FALSE zurückgegeben.

Beispiele

Beispiel #1 Löschen einer Session mit $_SESSION

<?php
// Initialisierung der Session.
// Wenn Sie session_name("irgendwas") verwenden, vergessen Sie es
// jetzt nicht!
session_start();

// Löschen aller Session-Variablen.
$_SESSION = array();

// Falls die Session gelöscht werden soll, löschen Sie auch das
// Session-Cookie.
// Achtung: Damit wird die Session gelöscht, nicht nur die Session-Daten!
if (ini_get("session.use_cookies")) {
    
$params session_get_cookie_params();
    
setcookie(session_name(), ''time() - 42000$params["path"],
        
$params["domain"], $params["secure"], $params["httponly"]
    );
}

// Zum Schluß, löschen der Session.
session_destroy();
?>

Anmerkungen

Hinweis:

Verwenden Sie session_unset() nur bei veraltetem Code, bei dem nicht $_SESSION benutzt wird.

Siehe auch

add a note add a note

User Contributed Notes 5 notes

up
16
Praveen V
1 year ago
If you want to change the session id on each log in, make sure to use session_regenerate_id(true) during the log in process.

<?php
session_start
();
session_regenerate_id(true);
?>

[Edited by moderator (googleguy at php dot net)]
up
3
Jack Luo
21 days ago
It took me a while to figure out how to destroy a particular session in php. Note I'm not sure if solution provided below is perfect but it seems work for me. Please feel free to post any easier way to destroy a particular session. Because it's quite useful for functionality of force an user offline.

1. If you're using db or memcached to manage session, you can always delete that session entry directly from db or memcached.

2. Using generic php session methods to delete a particular session(by session id).

<?php
$session_id_to_destroy
= 'nill2if998vhplq9f3pj08vjb1';
// 1. commit session if it's started.
if (session_id()) {
   
session_commit();
}

// 2. store current session id
session_start();
$current_session_id = session_id();
session_commit();

// 3. hijack then destroy session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();

// 4. restore current session id. If don't restore it, your current session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();

?>
up
2
Colin
7 years ago
Note that when you are using a custom session handler, session_destroy will cause a fatal error if you have set the session destroy function used by session_set_save_handler to private.

Example:
Fatal error: Call to private method Session::sessDestroy()

where sessDestroy was the function I specified in the 5th parameter of session_set_save_handler.

Even though it isn't all that desirable, the simple solution is to set sessDestroy to public.
up
-2
administrator at anorhack dot com
6 years ago
Destroying  a session from a background job

I have a thief-protection system that compares country codes from login IPs via whois. This has to run in the background as it is way too processor-hungry to be run in the browser.

What I needed was a way to destroy the web session from the background job. For some reason, a background session_destroy APPEARS to work, but doesnt't actually destroy the web session.

There is a work around, I set the username to NULL and the web code picks up on that, bouncing the user (thief) to a "gotcha" page where his IP is logged.

Yes I know its nasty and dirty, but surprisingly it works.

$sid = the session_id() of the suspicious web session, passed in $argv to the background job

The trick is to "stuff" the $_GET array with the sid, then the session_start in the background job picks this value up (as if it were a genuine trans-sid type thing...?PHPSESSID=blah) and "connects to" the web session. All $_SESSION variable can be viewed (and CHANGED , which is how this kludge works) but for some reason (that no doubt someone will illuminate) they can't be unset...setting the particular variable to NULL works well though:

 
$_GET[session_name()]=$sid;
session_start();
// prove we are getting the web session data
foreach($_SESSION as $k => $v) echo($k."=".$v);
// now kill the thief
$_SESSION['username']=NULL;
//web session variable now NULL - honestly!
up
-28
luqui at yahoo dot com
6 months ago
If you want to destroy the session when it starts, don't forget to declare the session with your code because when you do that this will ensure that your session will be more effective. This also enhances the effieciency of you code.
To Top