(PHP 4, PHP 5, PHP 7)
session_destroy — 销毁一个会话中的全部数据
session_destroy() 销毁当前会话中的全部数据, 但是不会重置当前会话所关联的全局变量, 也不会重置会话 cookie。 如果需要再次使用会话变量, 必须重新调用 session_start() 函数。
Note: 通常情况下,在你的代码中不必调用 session_destroy() 函数, 可以直接清除 $_SESSION 数组中的数据来实现会话数据清理。
为了彻底销毁会话,必须同时重置会话 ID。 如果是通过 cookie 方式传送会话 ID 的,那么同时也需要 调用 setcookie() 函数来 删除客户端的会话 cookie。
当启用了 session.use_strict_mode 配置项的时候,你不需要删除过期会话 ID 对应的 cookie, 因为会话模块已经不再接受携带过期会话 ID 的 cookie 了, 然后它会生成一个新的会话 ID cookie。 建议所有的站点都启用 session.use_strict_mode 配置项。
过早的删除会话中的数据可能会导致不可预期的结果。 例如,当存在从 JavaScript 或者 URL 链接过来的并发请求的时候, 某一个请求删除了会话中的数据,会导致其他的并发请求无法使用会话数据。
虽然当前的会话处理模块不会接受为空的会话 ID, 但是由于客户端(浏览器)的处理方式, 立即删除会话中的数据可能会导致生成为空的会话 cookie, 进而导致客户端生成很多不必要的会话 ID cookie。
为了避免这种情况的发生,你需要在 $_SESSION 中设置一个时间戳, 在这个时间戳之后的对于会话的访问都将被拒绝。 或者,确保你的应用中不存在并发请求。 这个规则同样适用于 session_regenerate_id()。 session_regenerate_id() also.
成功时返回 TRUE, 或者在失败时返回 FALSE。
Example #1 销毁会话数据以及 $_SESSION
<?php
// 初始化会话。
// 如果要使用会话,别忘了现在就调用:
session_start();
// 重置会话中的所有变量
$_SESSION = array();
// 如果要清理的更彻底,那么同时删除会话 cookie
// 注意:这样不但销毁了会话中的数据,还同时销毁了会话本身
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// 最后,销毁会话
session_destroy();
?>
Note:
对于旧版本中不使用 $_SESSION 的代码, 仅能使用 session_unset() 来完成会话销毁工作。
I'm using PHP 7.1 and received the following warning when implementing Example #1, above:
PHP message: PHP Warning: session_destroy(): Trying to destroy uninitialized session in...
What I discovered is that clearing $_SESSION and removing the cookie destroys the session, hence the warning. To avoid the warning while still keeping the value of using session_destroy(), do this after everything else:
if (session_status() == PHP_SESSION_ACTIVE) { session_destroy(); }
For session_destroy() only destroy current session mean that if you specify name or change the save path of session etc ,it will not destroy it mean for example
create.php
<?php
session_name('testing') ;
session_start() ;
$_SESSION['id'] = '35' ;
?>
delete.php
<?php
session_start() ;
session_destroy() ;
?>
session_destroy only delete the new session which is created by session_start(). correct way is
<?php
session_name('testing') ;
session_start() ;
session_destroy() ;
?>
this is also valid for if you change session.save path throught ini_set() , you have to mention in delete.php.
remember session_destroy() function destroy only current session not all .i hope this is worth to mention.
It took me a while to figure out how to destroy a particular session in php. Note I'm not sure if solution provided below is perfect but it seems work for me. Please feel free to post any easier way to destroy a particular session. Because it's quite useful for functionality of force an user offline.
1. If you're using db or memcached to manage session, you can always delete that session entry directly from db or memcached.
2. Using generic php session methods to delete a particular session(by session id).
<?php
$session_id_to_destroy = 'nill2if998vhplq9f3pj08vjb1';
// 1. commit session if it's started.
if (session_id()) {
session_commit();
}
// 2. store current session id
session_start();
$current_session_id = session_id();
session_commit();
// 3. hijack then destroy session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();
// 4. restore current session id. If don't restore it, your current session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();
?>
If you want to change the session id on each log in, make sure to use session_regenerate_id(true) during the log in process.
<?php
session_start();
session_regenerate_id(true);
?>
[Edited by moderator (googleguy at php dot net)]
Destroying a session from a background job
I have a thief-protection system that compares country codes from login IPs via whois. This has to run in the background as it is way too processor-hungry to be run in the browser.
What I needed was a way to destroy the web session from the background job. For some reason, a background session_destroy APPEARS to work, but doesnt't actually destroy the web session.
There is a work around, I set the username to NULL and the web code picks up on that, bouncing the user (thief) to a "gotcha" page where his IP is logged.
Yes I know its nasty and dirty, but surprisingly it works.
$sid = the session_id() of the suspicious web session, passed in $argv to the background job
The trick is to "stuff" the $_GET array with the sid, then the session_start in the background job picks this value up (as if it were a genuine trans-sid type thing...?PHPSESSID=blah) and "connects to" the web session. All $_SESSION variable can be viewed (and CHANGED , which is how this kludge works) but for some reason (that no doubt someone will illuminate) they can't be unset...setting the particular variable to NULL works well though:
$_GET[session_name()]=$sid;
session_start();
// prove we are getting the web session data
foreach($_SESSION as $k => $v) echo($k."=".$v);
// now kill the thief
$_SESSION['username']=NULL;
//web session variable now NULL - honestly!
Note that when you are using a custom session handler, session_destroy will cause a fatal error if you have set the session destroy function used by session_set_save_handler to private.
Example:
Fatal error: Call to private method Session::sessDestroy()
where sessDestroy was the function I specified in the 5th parameter of session_set_save_handler.
Even though it isn't all that desirable, the simple solution is to set sessDestroy to public.