1

I'm using PHP sessions as the focus for a user system on a website. As an admin of the site I would like to delete specific sessions to force users to logout. Or at least delete all the sessions so everyone has to login again (e.g. a major site update). Ideally by a php command, but if it is by deleting files I can obviously do this with php file commands.

I have shared linux web hosting (nothing special, has a cPanel interface). I saw this question Are PHP session files ever deleted?

/tmp only has statistics files, and an empty pear folder.

In writing this I thought I best check phpinfo(). session.save_path is /tmp (local and master). What sort of filenames am I looking for anyway?

Improve this question

1 Answer 1

Reset to default
1

The big question is whether you want to be able to delete sessions for nominated users - the concept of a user id is implemented via your application code or by the framework you are using - so PHP doesn't know how to differentiate between specific users. It's quite possible to have a session without having an identifiable user; session management, authentication and authorization are all seperate concerns and the functionality provided as standard within php only addresses the former.

Having said that PHP makes it very easy to implement your own session storage, so it should be trivial to write your own functions which maintain a mapping between the user id and the session id (this doesn't have to be done in the session handler - but it is the right place to do it).

If you just want to kill off all the sessions, and your using the default handler, then just delete the files in the directory specified by session.save_path in your php.ini file.

Improve this answer
4
  • As I said, session.save_path=/tmp, and there is nothing in there but files for the server statistics. Commented Nov 9, 2011 at 13:41
  • Sorry - must have missed that. Using /tmp for session data files os a bit untidy. On a nearby box running 5.1.6, my sessions are named like...sess_s1iov7jkdpv3sh80tn54tbf942 (i.e. all beginning with sess_ and owned by the webserver uid). If you've got no session files in session.save_path then they've either all been garbage collected (unlikely) or your code is overriding the path or loading a different handler. Commented Nov 11, 2011 at 10:47
  • I've tried deleting session files as suggested here, but the user is still logged in - does this still work in 5.4? Commented Mar 1, 2016 at 21:53
  • Yes, it still works in 5.4. Maybe your application doesn't use PHP sessions for session management. Commented Mar 1, 2016 at 22:35

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.