2

I am creating a new mailing system, in which a number of users are logged in.

When a user logs out and I use session_destroy, will it destroy the sessions of other users also, or is session_unset() a better option? My requirement is that when a user logs out, all sessions of that user should be destroyed.

Is unset($_SESSION['session_name']) a better option? Please suggest.

Jason
Sibu
  • 1
    You would have to store all session_ids somewhere then. Alternative: store sessions in a database. This way the sessions become more handleable and easily deletable. – djot Jan 12 '12 at 06:35
  • This post may help you http://stackoverflow.com/questions/5193744/how-to-kill-a-all-php-sessions – Anup Khandelwal Jan 12 '12 at 12:02

2 Answers

1

Calling session_destroy only destroys the stored session data of the current session. It neither deletes the data in $_SESSION nor invalidates the current session ID.

To invalidate all sessions of a certain account, you need to keep track of the active sessions that are associated with that account. You could, for example, use a table in a database where you store the session-to-account associations. Then all you need to do to invalidate all sessions that are associated with a certain account is to loop through all sessions and invalidate them one at a time:

// invalidate current session
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', 1, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}
session_destroy();

// invalidate other sessions
$sessionIDs = array(/* … */);  // IDs of sessions associated to current account
foreach ($sessionIDs as $sessionID) {
    session_id($sessionID);
    session_start();
    $_SESSION = array();
    session_destroy();
}
Gumbo
0

You said "other" sessions of that user, so presumably you mean to destroy any sessions for that user account, including some that may be in other browsers and hence different sessions on the server. Is that correct?

If you mean destroy all active sessions for the current user, even in other browser sessions, then storing your session status in a database will be the only nice way to do that.

davidethell
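
One way to implement the session-to-account table that both answers describe, as an added example that is not code from either answer: a database-backed session handler with an account_id column, so that logging an account out everywhere is a single DELETE. It assumes PHP 8 with the pdo_sqlite extension (SQLite 3.24 or later for the upsert); the class, table and method names are hypothetical.

```php
<?php
// Added example; the table, class and method names are hypothetical.
final class AccountSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY,
            account_id INTEGER, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false {
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $q->execute([$id]);
        return (string) $q->fetchColumn(); // '' once the row is deleted: empty session
    }
    public function write(string $id, string $data): bool {
        $q = $this->db->prepare('INSERT INTO sessions (id, data, updated_at) VALUES (?, ?, ?)
            ON CONFLICT(id) DO UPDATE SET data = excluded.data, updated_at = excluded.updated_at');
        return $q->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false {
        $q = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
    // Call after a successful login; write() never touches account_id afterwards.
    public function bindAccount(string $id, int $accountId): void {
        $q = $this->db->prepare('INSERT INTO sessions (id, account_id, data, updated_at)
            VALUES (?, ?, ?, ?) ON CONFLICT(id) DO UPDATE SET account_id = excluded.account_id');
        $q->execute([$id, $accountId, '', time()]);
    }
    // "Log out everywhere": every session of the account disappears server-side.
    public function destroyAllFor(int $accountId): int {
        $q = $this->db->prepare('DELETE FROM sessions WHERE account_id = ?');
        $q->execute([$accountId]);
        return $q->rowCount();
    }
}
// Constructed demo data: sessions "aaa" and "bbb" belong to account 7, "ccc" to account 9.
$handler = new AccountSessionHandler(new PDO('sqlite::memory:'));
foreach (['aaa' => 7, 'bbb' => 7, 'ccc' => 9] as $sid => $account) {
    $handler->write($sid, 'user|s:4:"demo";');
    $handler->bindAccount($sid, $account);
}
printf("removed %d sessions\n", $handler->destroyAllFor(7));
var_dump($handler->read('aaa') === '', $handler->read('ccc') !== '');
```

In a web request, register the handler with session_set_save_handler($handler, true) before session_start(), and call bindAccount(session_id(), $accountId) once the login succeeds. Other browsers still hold their old cookie, but the next request with it reads an empty session and is treated as logged out.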