PHP Session Destroy after 30 Minutes

by Vincy. Last modified on January 17th, 2024.

PHP has a core function session_destroy() to clear all the session values. It is a simple no-argument function that returns a boolean true or false.

The PHP session ID is stored in a cookie by default. Generally that session cookie file is name PHPSESSID. The session_destroy function will not unset the session id in the cookie.

View Demo

To destroy the session ‘completely’, the session ID must also be unset.

This quick example uses session_destroy() to destroy the session. It uses the set_cookie() method to kill the entirety by expiring the PHP session ID.

Quick example

destroy-session.php

<?php
// Always remember to initialize the session,
// even before attempting to destroy it.

// Destroy all the session variables.
$_SESSION = array();

// delete the session cookie also to destroy the session
if (ini_get("session.use_cookies")) {
    $cookieParam = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $cookieParam["path"], $cookieParam["domain"], $cookieParam["secure"], $cookieParam["httponly"]);
}

// as a last step, destroy the session.
session_destroy();

Note:

  1. Use session_start() to reinitiate the session after the PHP session destroy.
  2. Use PHP $_SESSION to unset a particular session variable. For an older PHP version, use session_unset().

php session destroy output

About this login session_destroy() example

Let’s create a login example code to use PHP session, session_destroy and all. It allows users to login and logout from the current session. Use this code if you are looking for a complete user registration and login in PHP script.

This example provides an automatic login session expiry feature.

Landing page with a login form

This form posts the username and the password entered by the user. It verifies the login credentials in PHP.

On successful login, it stores the logged-in state into a PHP session. It sets the expiry time to 30 minutes from the last login time.

It stores the last login time and the expiry time into the PHP session. These two session variables are used to expire the session automatically.

login.php

<?php
session_start();
$expirtyMinutes = 1;
?>
<html>
<head>
<title>PHP Session Destroy after 30 Minutes</title>
<link rel='stylesheet' href='style.css' type='text/css' />
<link rel='stylesheet' href='form.css' type='text/css' />
</head>
<body>
    <div class="phppot-container">
        <h1>Login</h1>
        <form name="login-form" method="post">
            <table>
                <tr>
                    <td>Username</td>
                    <td><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td><input type="submit" value="Sign in"
                        name="submit"></td>
                </tr>
            </table>
        </form>
<?php
if (isset($_POST['submit'])) {
    $usernameRef = "admin";
    $passwordRef = "test";
    $username = $_POST['username'];
    $password = $_POST['password'];

    // here in this example code focus is session destroy / expiry only
    // refer for registration and login code https://phppot.com/php/user-registration-in-php-with-login-form-with-mysql-and-code-download/
    if ($usernameRef == $username && $passwordRef == $password) {
        $_SESSION['login-user'] = $username;
        // login time is stored as reference
        $_SESSION['ref-time'] = time();
        // Storing the logged in time.
        // Expiring session in 30 minutes from the login time.
        // See this is 30 minutes from login time. It is not 'last active time'.
        // If you want to expire after last active time, then this time needs
        // to be updated after every use of the system.
        // you can adjust $expirtyMinutes as per your need
        // for testing this code, change it to 1, so that the session
        // will expire in one minute
        // set the expiry time and
        $_SESSION['expiry-time'] = time() + ($expirtyMinutes * 60);
        // redirect to home
        // do not include home page, it should be a redirect
        header('Location: home.php');
    } else {
        echo "Wrong username or password. Try again!";
    }
}
?>
</div>
</body>
</html>

login

Dashboard validates PHP login session and displays login, and logout links

This is the target page redirected after login. It shows the logout link if the logged-in session exists.

Once timeout, it calls the destroy-session.php code to destroy all the sessions.

If the 30 minutes expiry time is reached or the session is empty, it asks the user to log in.

home.php

<?php
session_start();
?>
<html>
<head>
<title>PHP Session Destroy after 30 Minutes</title>
<link rel='stylesheet' href='style.css' type='text/css' />
<link rel='stylesheet' href='form.css' type='text/css' />
</head>
<body>
    <div class="phppot-container">
<?php
if (! isset($_SESSION['login-user'])) {
    echo "Login again!<br><br>";
    echo "<a href='login.php'>Login</a>";
} else {
    $currentTime = time();
    if ($currentTime > $_SESSION['expiry-time']) {
        require_once __DIR__ . '/destroy-session.php';
        echo "Session expired!<br><br><a href='login.php'>Login</a>";
    } else {
        ?>
        <h1>Welcome <?php echo $_SESSION['login-user'];?>!</h1>
        <a href='logout.php'>Log out</a>
<?php
    }
}
?>
</div>
</body>
</html>

This PHP code is used for users who want to log out before the session expiry time.

It destroys the session by requiring the destroy-session.php code. Then, it redirects the user to the login page.

logout.php

<?php
session_start();
require_once __DIR__ . '/destroy-session.php';
header('Location: login.php');
?>

I hope this example helps to understand how to destroy PHP sessions. And also, this is a perfect scenario that is suitable for explaining the need of destroying the session.
View Demo Download

Vincy
Written by Vincy, a web developer with 15+ years of experience and a Masters degree in Computer Science. She specializes in building modern, lightweight websites using PHP, JavaScript, React, and related technologies. Phppot helps you in mastering web development through over a decade of publishing quality tutorials.

Comments to “PHP Session Destroy after 30 Minutes”

  • abdul says:

    good evening,

    i hope you are well. does that destroy the session 30 minutes after logging in or 30 minutes after being logged in and inactive?

    please explain 42000 against 30minutes.

    thanks!

    • Vincy says:

      It is after the last login. If you want to expire after in-activity, you should record every time user does some activity.

Leave a Reply

Your email address will not be published. Required fields are marked *

↑ Back to Top

Share this page