How to destroy a specific PHP session
I am looking for insights into how to destroy a specific session in PHP. Through a partner website a user logs into the main website using a token and obtains a full session.
It is also possible for the partner website to call a destroy function if the user logs out of the partner website. We should then also log out our own user.
What is the best approach to this? The Zend_Session destroy method does not accept a parameter, and neither does the PHP function session_destroy.
I am considering two options:
Removing the session information directly from file/memcache, but I would prefer a "cleaner" approach than this.
Checking at every page request if this is a "token" user, and if so, checking whether their token has expired by maintaining a list. This adds overhead to a busy website, but might be my only option.
Or is there a third / better approach I am not seeing?
There's no need to roll-your-own session handling.
session_id() can take a parameter, the session id you want to work with.
So, when you pass the user off to the partner site, pass along their session_id (or some token, or whatever).
Then allow the partner site to hit a script like this:
kill-user-session.php
<?php
/**
 * Destroy any active session identified by $_POST['sid']
 */
session_id($_POST['sid']); // select the session to work on; must be called before session_start()
session_start();           // required: session_destroy() only acts on an active session
session_destroy();         // destroys that session's stored data on the server
So when the user logs out on the partner site, the partner site POSTs the session_id (that you gave them) to your kill-user-session script, and the user's session is destroyed on your server.
Of course, you probably want to limit access to kill-user-session.php via some method or another.
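The following is an added example of what "limit access" to that script can look like; it is not code from the original answer. It keeps the session_id() / session_start() / session_destroy() approach above, but first checks that the submitted id has the shape of a PHP session id (so a files save handler never sees path characters), authenticates the call with an HMAC over the id using a secret shared with the partner, and stops PHP from sending a session cookie back to the partner's HTTP client. The field names `sid` and `sig`, the constant PARTNER_SECRET and the HMAC scheme are assumptions for this example.

```php
<?php
// kill-user-session.php (added example, not the original answer's code).
// Destroys the PHP session whose id the partner site POSTs, after verifying
// an HMAC over that id. Assumed protocol: POST fields 'sid' and 'sig', where
// sig = hash_hmac('sha256', $sid, PARTNER_SECRET) computed by the partner.
declare(strict_types=1);

const PARTNER_SECRET = 'replace-with-a-long-random-secret'; // assumed shared secret

function isValidSessionId(string $sid): bool
{
    // Default PHP session ids contain only [A-Za-z0-9,-] and are 22..256 chars.
    // Anything else (e.g. "../") is rejected before session_id() sees it.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid);
}

function isAuthentic(string $sid, string $sig): bool
{
    $expected = hash_hmac('sha256', $sid, PARTNER_SECRET);
    return hash_equals($expected, $sig); // constant-time comparison
}

function destroySession(string $sid): bool
{
    // The caller is the partner's server, not the user's browser: do not emit
    // a Set-Cookie header for it.
    ini_set('session.use_cookies', '0');

    session_id($sid);
    if (!session_start()) {
        return false;
    }
    // If $sid does not exist, session_start() just creates an empty session
    // (or, with session.use_strict_mode=1, a fresh id); destroying that is harmless.
    $_SESSION = [];
    return session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

$sid = (string) ($_POST['sid'] ?? '');
$sig = (string) ($_POST['sig'] ?? '');

if (!isValidSessionId($sid) || !isAuthentic($sid, $sig)) {
    http_response_code(403); // same response for a bad id and a bad signature
    exit;
}

http_response_code(destroySession($sid) ? 204 : 500);
```

One caveat on the design: handing the partner the raw session id gives them the same value as the user's cookie, i.e. the ability to hijack the session, not just end it. If that is not acceptable, store a random token-to-session-id mapping on the main site when the user is handed over, give the partner only the token, and have this script look up the session id from the token instead.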
If you wish to be able to 'kick' the sessions of a user(s), the only way you can do it is if you use MySQL (or some other db, even SQLite) for your session storage.
Then you can simply remove entries from the db to kill a session.
This also allows you to do things such as 'take control' of a specific user's session and other stuff :)
See this for a very basic run through: http://www.devshed.com/c/a/MySQL/Custom-Session-Management-Using-PHP-and-MySQL/ (not the best example but good enough full example to start you).
EDIT
Also, if logging out through the partner site, another method I have used in the past (with O2 and other such sites) is that they were given a 'callback' (a REST API call in most cases) which they would also need to call when the user logs out of their site.
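As an added example (not code from the answer above or from the linked devshed article) of what database-backed session storage buys you, here is a SessionHandlerInterface implementation for PHP 8 that uses PDO with SQLite and records which user owns each session. That extra column is what makes "kick all of this user's sessions" a single DELETE, something the default files handler cannot offer without reading every session file. The table layout, the column names and the `$_SESSION['user_id']` key the application is assumed to set after login are all assumptions for this example.

```php
<?php
// Added example, not the original answer's code: PDO-backed session storage
// that indexes sessions by owning user so they can be killed selectively.
// Assumptions: the application stores $_SESSION['user_id'] after login; the
// table and column names below are hypothetical. Requires PHP 8.0+.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, user_id INTEGER, data BLOB, updated INTEGER)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND updated > ?');
        $st->execute([$id, time() - $this->ttl]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data; // '' = no such session, not an error
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated when PHP calls write(), so the owner can
        // be indexed without decoding the serialized blob later.
        $userId = $_SESSION['user_id'] ?? null;
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, user_id, data, updated) VALUES (?, ?, ?, ?)');
        return $st->execute([$id, $userId, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    /** Kill every session owned by $userId (e.g. when the partner reports a logout). */
    public function killUserSessions(int $userId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ?');
        $st->execute([$userId]);
        return $st->rowCount(); // number of sessions removed
    }
}

// Wiring: must run before session_start() on every request that uses sessions.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new PdoSessionHandler($db);
session_set_save_handler($handler, true);
```

A partner logout callback then only needs the user's identifier, not a session id: `$handler->killUserSessions($userId)` removes every row for that user, and the next request from any of those browsers starts with an empty session. Authenticate that callback the same way as any other server-to-server call; the SQL above is parameterised, so the user id itself is safe to accept from the request once the caller has been verified.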
The database solution means that the session database needs to be shared between the main website and the partner site, which frequently isn't the case. Maybe something along these trivial lines would suffice?
<img src="mainwebsite/logout.php">
mainwebsite/logout.php:
<?php session_start(); session_destroy(); ?> <!-- session_start() resumes the browser's own session so session_destroy() has something to act on -->