How to kill a/all php sessions?

Question

I have a very basic php session login script. I want to force logout of a certain user or force logout of all users.

How can I read all sessions made to my website,

Answer 1

You could try to force PHP to delete all the sessions by doing

ini_set('session.gc_max_lifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);

That forces PHP to treat all sessions as having a 0-second lifetime, and a 100% probability of getting cleaned up.

The drawback is that whichever unlucky user runs this first will get a long pause while PHP does cleanup, especially if there's a lot of session files to go through.

For one particular user, you'd have to add some code to your session handler:

 if ($_SESSION['username'] == 'user to delete') {
     session_destroy();
 }

PHP's garbage collector isn't controllable, so you can't give it parameters such as "delete all sessions except for user X's". It looks strictly at the last-modified/last-accessed timestamps on the session files and compares that to the max_lifetime setting. It doesn't actually process the session data.