Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg

PHP : Function Reference : Session Handling Functions : session_destroy


Destroys all data registered to a session (PHP 4, PHP 5)
bool session_destroy ( )

Example 2224. Destroying a session with $_SESSION

// Initialize the session.
// If you are using session_name("something"), don't forget it now!

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');

// Finally, destroy the session.

Related Examples ( Source code ) » session_destroy

Code Examples / Notes » session_destroy


You should also be careful when you destroy a session. I believe a previous user posted something similar to this but didn't emphasize this point.
If you are creating a new session, but want to make sure that  there are currently no sessions active by doing session_destroy(); make sure you start the session again using session_start(); or else your session data will not register properly.


This code might be a bit better for expiring session cookies, in case your domain, path, and/or secure session cookie settings are changed.
   $CookieInfo = session_get_cookie_params();
   if ( (empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])) ) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path']);
   } elseif (empty($CookieInfo['secure'])) {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain']);
   } else {
       setcookie(session_name(), '', time()-3600, $CookieInfo['path'], $CookieInfo['domain'], $CookieInfo['secure']);


Remember that session_destroy() does not unset $_SESSION at the moment it is executed.  $_SESSION is unset when the current script has stopped running.


Note that when you are using a custom session handler, session_destroy will cause a fatal error if you have set the session destroy function used by session_set_save_handler to private.
Fatal error: Call to private method Session::sessDestroy()
where sessDestroy was the function I specified in the 5th parameter of session_set_save_handler.
Even though it isn't all that desirable, the simple solution is to set sessDestroy to public.


Note that there's a bug with custom session handlers and when you want to start a session again after you have called session_destroy.
session_destroy disables the custom session_handler and this a call to session_start after it will fail with "Failed to initialize storage module".
See for more information and a workaround.

rob a.t. mobius d.o.t. ph

I was experiencing problems with "sess_deleted" files and tracked it down to:
   setcookie(session_name(), '', time()-42000, '/');
When "setcookie" is passed an empty value (ie, ''), it changes the value to the string "deleted" and sets the date to exactly one year and one second in the past, ignoring the expiration parameter.*
So, I'm guessing that if a client machine has its time set to more than a year in the past or if the browser is somehow broken, then a site visitor could potentially send a PHPSESSID with a value of "deleted".  This will cause PHP to create a "sess_deleted" file in the sessions directory.
In my case, I was seeing several incidents per minute, with each user clobbering the other's session data causing all kinds of security and identity issues.  Two changes seemed to have solved the problem:
1) Use session_id() in place of '' in setcookie, as well as pick a date that's far in the past (in this case Jan 1, 1970, 8:00:01AM):
   setcookie(session_name(), session_id(), 1, '/');
2) Use session_regenerate_id() when logging a user in or otherwise changing their authority level.
Hope this helps somebody.
* Here is the relevant code in head.c:
   if (value && value_len == 0) {
        * MSIE doesn't delete a cookie when you set it to a null value                                                                                                                                          
        * so in order to force cookies to be deleted, even on MSIE, we                                                                                                                                          
        * pick an expiry date 1 year and 1 second in the past                                                                                                                                                  
       time_t t = time(NULL) - 31536001;
       dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0 TSRMLS_CC);
       sprintf(cookie, "Set-Cookie: %s=deleted; expires=%s", name, dt);


I did encounter a minor problem when I tried to remove the physical file that stores the session. The problem was that my working directory wasn't on the same drive as my PHP installation (yes, I used Windows).
So I used the PHP_BINDIR to start at the same place as PHP does and then change directory to the place that was specified in PHP.INI. This makes it transparent to relative paths in session.save_path.
function DeleteSessionID($sessionid) {
 $orgpath = getcwd();
 $path = realpath(getcwd()).'/';
 if(file_exists($path.'sess_'.$sessionid)) {
   // Delete it here
 } else {
   // File not found
The final chdir($orgpath) is just to restore the working directory as it were before .


Destroying  a session from a background job
I have a thief-protection system that compares country codes from login IPs via whois. This has to run in the background as it is way too processor-hungry to be run in the browser.
What I needed was a way to destroy the web session from the background job. For some reason, a background session_destroy APPEARS to work, but doesnt't actually destroy the web session.
There is a work around, I set the username to NULL and the web code picks up on that, bouncing the user (thief) to a "gotcha" page where his IP is logged.
Yes I know its nasty and dirty, but surprisingly it works.
$sid = the session_id() of the suspicious web session, passed in $argv to the background job
The trick is to "stuff" the $_GET array with the sid, then the session_start in the background job picks this value up (as if it were a genuine trans-sid type thing...?PHPSESSID=blah) and "connects to" the web session. All $_SESSION variable can be viewed (and CHANGED , which is how this kludge works) but for some reason (that no doubt someone will illuminate) they can't be unset...setting the particular variable to NULL works well though:

// prove we are getting the web session data
foreach($_SESSION as $k => $v) echo($k."=".$v);
// now kill the thief
//web session variable now NULL - honestly!

r dot swets

Bothering with the timestamp can always give troubles. A lot better is forcing the sessionid to be regenrerated. A trick to destroy the session completly is actually restarting the session, like someone closed and reopened his browser. This will fix the whole authority problem and browser cookie deletion problem quite more easy, and it gives cleaner code without having to clean the $_SESSION array.
I would suggest the following function session_restart();
// Some simple code etc etc
$requested_logout = true;
if ($requested_logout) {
// Now the session_id will be different every browser refresh
function session_restart()
   if (session_name()=='') {
       // Session not started yet
   else {
       // Session was started, so destroy
       // But we do want a session started for the next request
       // PHP < 4.3.3, since it does not put
       setcookie(session_name(), session_id());
NOTE: session_restart() acts like session_start(), so no output must be written before its called.

Change Language

Follow Navioo On Twitter
eXTReMe Tracker