I'm using PHP sessions as the focus for a user system on a website. As an admin of the site I would like to delete specific sessions to force users to logout. Or at least delete all the sessions so everyone has to login again (e.g. a major site update). Ideally by a php command, but if it is by deleting files I can obviously do this with php file commands.
I have shared linux web hosting (nothing special, has a cPanel interface).
I saw this question Are PHP session files ever deleted?
/tmp only has statistics files, and an empty pear folder.
In writing this I thought I best check phpinfo(). session.save_path is /tmp (local and master).
What sort of filenames am I looking for anyway?
Best Answer
The big question is whether you want to be able to delete sessions for nominated users - the concept of a user id is implemented via your application code or by the framework you are using - so PHP doesn't know how to differentiate between specific users. It's quite possible to have a session without having an identifiable user; session management, authentication and authorization are all seperate concerns and the functionality provided as standard within php only addresses the former.
Having said that PHP makes it very easy to implement your own session storage, so it should be trivial to write your own functions which maintain a mapping between the user id and the session id (this doesn't have to be done in the session handler - but it is the right place to do it).
If you just want to kill off all the sessions, and your using the default handler, then just delete the files in the directory specified by session.save_path in your php.ini file.