search for in the  
<session_decodesession_encode>
Last updated: Thu, 19 May 2005

session_destroy

(PHP 4, PHP 5)

session_destroy -- Destroys all data registered to a session

Description

bool session_destroy ( void )

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Returns TRUE on success or FALSE on failure.

Example 1. Destroying a session with $_SESSION

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
   setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>

Note: Only use session_unset() for older deprecated code that does not use $_SESSION.

See also unset() and setcookie().



User Contributed Notes
session_destroy
markus at fischer dot name
16-Mar-2005 03:09
Note that there's a bug with custom session handlers and when you want to start a session again after you have called session_destroy.

session_destroy disables the custom session_handler and this a call to session_start after it will fail with "Failed to initialize storage module".

See http://bugs.php.net/32330 for more information and a workaround.
n beh ih AT gmx dott nett
09-Jan-2005 07:57
[Editor's Note]
doing $_SESSION = array();
is faster/quicker and works aswell.
[/Note]

If you want to keep your session_id() unchanged, but you want to reset all session variables, BEWARE of unset($_SESSION). Doing so, and setting session variables (like $_SESSION['test']) afterwards has the effect, that your changes will not be saved at the end of your script (not even with session_write_close()).

So you better code like this:
foreach ($_SESSION as $VarName => $Value)  {
   unset ($_SESSION[$VarName]);
}
$_SESSION['test'] = 'MyTestValue';
Johan
19-Nov-2004 08:00
Remember that session_destroy() does not unset $_SESSION at the moment it is executed.  $_SESSION is unset when the current script has stopped running.
thomas at uninet dot se
07-Oct-2004 10:25
I did encounter a minor problem when I tried to remove the physical file that stores the session. The problem was that my working directory wasn't on the same drive as my PHP installation (yes, I used Windows).

So I used the PHP_BINDIR to start at the same place as PHP does and then change directory to the place that was specified in PHP.INI. This makes it transparent to relative paths in session.save_path.

<?php
function DeleteSessionID($sessionid) {
  $orgpath = getcwd();
  chdir(PHP_BINDIR);
  chdir(session_save_path());
  $path = realpath(getcwd()).'/';
  if(file_exists($path.'sess_'.$sessionid)) {
   // Delete it here
   unlink($path.'sess_'.$sessionid);
  } else {
   // File not found
  }
  chdir($orgpath);
}

?>

The final chdir($orgpath) is just to restore the working directory as it were before .
nhamill at wam dot umd dot edu
15-Aug-2003 10:36
For deleting the session cookie:
 setcookie( session_name() ,"",0,"/");
that worked for me.  When I ran that function without the last parameter, it didn't work.  If you leave out that parameter( domain ), it will default to the current directory, which isn't always the same as the session cookie's domain.

nick
powerlord at spamless dot vgmusic dot com
19-Nov-2002 01:41
This code might be a bit better for expiring session cookies, in case your domain, path, and/or secure session cookie settings are changed.

   $CookieInfo = session_get_cookie_params();
   if ( (empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])) ) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path']);
   } elseif (empty($CookieInfo['secure'])) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain']);
   } else {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain'], $CookieInfo['secure']);
   }
   unset($_COOKIE[session_name()]);
   session_destroy();
msopacua at idg dot nl
02-Apr-2002 11:34
If you use sessions with HTTP Auth, you might find the code below do what you expect:
session.h.php - should be included in every 'protected' page:
<?php
   define("HTTP_AUTH_REALM", "Your authname here");
   session_start();
   if(!isset($_SESSION["uid"]))    {
       // No session, let's lookup the user.
       if(!isset($_COOKIE['login_attempts']))
       {
           unset($_SERVER['PHP_AUTH_USER']);
           // Gives the user 30 seconds to type the password.
           // Should be enough :-)
           setcookie('login_attempts', 1,time()+30);
       }
       if(!isset($_SERVER['PHP_AUTH_USER']))
       {
           header("WWW-Authenticate: Basic realm=\"".HTTP_AUTH_REALM."\"");
           header("HTTP/1.0 401 Unauthorized");
           echo("This is for authorized users only.");
           exit;
       }
// your session registering here
// Please note to verify a password and display a 403 error.
?>

logout.php:
<?php
require('session.h.php');
// Unset session data
$_SESSION=array();
// Clear cookie
unset($_COOKIE[session_name()]);
// Destroy session data
session_destroy();
// Redirect to clear the cookie.
$time=time();
header("Location: /logged_out.html?cache_defeat=$time");
exit;
?>

<session_decodesession_encode>
 Last updated: Thu, 19 May 2005
Copyright © 2001-2005 The PHP Group
All rights reserved.		 This unofficial mirror is operated at: The Server Pages
Last updated: Thu May 19 17:35:34 2005 CDT