7

I am the administrator of the site. I want to unset a particular session, and I know its session id.

The users are just starting the session like this:

session_id("usernumber");
session_start();

Let’s say user A has usernumber "123".

I want to destroy all the values of user A. User A will not regenerate the session_id() after setting it with session_id("123");.

How can I unset or destroy the session only for user A?

Peter Mortensen
Sarath

4 Answers

13

Answer by Jack Luo on php.net

$session_id_to_destroy = 'nill2if998vhplq9f3pj08vjb1';
// 1. commit session if it's started.
if (session_id()) {
    session_commit();
}

// 2. store current session id
session_start();
$current_session_id = session_id();
session_commit();

// 3. hijack then destroy session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();

// 4. restore current session id. If you don't restore it, your current session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();
Hardik Sondagar
  • 2
    This one is excellent. Exactly what I was looking for so you can kick other people off system. – geilt Apr 11 '17 at 23:35
9

Without reverse engineering the session handler....

<?php

session_id($_GET['killsid']);
session_start();
session_destroy() || die("failed to kill");
sergio
symcbean
3

You could try to get session_save_path() (session files are stored in this directory). When you are using default session names, the filename looks like sess_jgimlf5edugvdtlaisumq0ham5, where jgimlf5edugvdtlaisumq0ham5 is the user's session id, so you can just unlink this file unless you don't have permissions to edit those files.

Norbert Orzechowicz
  • Works! `public function drop_session($session_id) { unlink(session_save_path() . '/sess_' . $session_id); }` – realmag777 Aug 03 '17 at 14:10
  • This should be the accepted answer! It doesn't require starting sessions. Plain and simple! `+1` – Rotimi Oct 01 '18 at 10:05
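
The file-deletion approach from the answer above, written as an added example (not code from any of the answers) that validates the id before building the path and handles the "N;/dir" forms of session.save_path. It assumes the default "files" session handler; the function name drop_session_file and the demo directory are hypothetical.

```php
<?php
// Added example: remove one session file of the default "files" handler.
// Returns true if a file was deleted, false if no such session file exists.
function drop_session_file(string $sessionId, ?string $savePath = null): bool
{
    // The files handler only accepts a-z, A-Z, 0-9, "," and "-" in ids.
    // Enforcing that here keeps "/", ".." and NUL bytes out of the path.
    if (preg_match('/\A[A-Za-z0-9,-]{1,256}\z/', $sessionId) !== 1) {
        throw new InvalidArgumentException('malformed session id');
    }

    // session.save_path can be "", "/dir", "N;/dir" or "N;MODE;/dir".
    $parts = explode(';', $savePath ?? session_save_path());
    $depth = count($parts) > 1 ? (int) $parts[0] : 0;
    $last  = end($parts);
    $dir   = realpath($last !== '' ? $last : sys_get_temp_dir());
    if ($dir === false) {
        throw new RuntimeException('session directory not found');
    }
    if (strlen($sessionId) <= $depth) {
        return false; // too short to map to a subdirectory
    }

    // With N > 0 the file sits N levels down, one level per leading id character.
    $file = $dir . DIRECTORY_SEPARATOR;
    for ($i = 0; $i < $depth; $i++) {
        $file .= $sessionId[$i] . DIRECTORY_SEPARATOR;
    }
    $file .= 'sess_' . $sessionId;
    // Refuse symlinks so the delete cannot be redirected to another file.
    if (is_link($file) || !is_file($file)) {
        return false;
    }
    return unlink($file);
}

// Constructed demo: a throwaway directory holding one fake session file.
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sessdemo_' . bin2hex(random_bytes(4));
mkdir($demoDir, 0700);
file_put_contents($demoDir . '/sess_abc123', 'user|s:1:"A";');
var_dump(drop_session_file('abc123', $demoDir));
var_dump(drop_session_file('abc123', $demoDir));
try {
    drop_session_file('../../etc/passwd', $demoDir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
rmdir($demoDir);
```

The process running this needs write permission on the session directory, which is the same limitation the answer mentions.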
2

As far as I know, the only supported way to do so with the default session handler is to impersonate the user with session_id("usernumber"); and then remove the values.

You could also store sessions in a database, which would make this all pretty straightforward, yet you need to write your own session handling code.

BTW, the session ID is supposed to be a long random string which you cannot guess. Using 123 means that any anonymous visitor can easily log in with any user credentials.

Álvaro González