Title: WP_Session_Tokens Published: September 4, 2014 Last modified: May 20, 2026 --- # class WP_Session_Tokens {} ## In this article * [Methods](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#methods) * [Source](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#source) * [Related](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#related) * [Changelog](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#changelog) * [User Contributed Notes](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#user-contributed-notes) [ Back to top](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#wp--skip-link--target) Abstract class for managing user session tokens. ## 󠀁[Methods](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#methods)󠁿 | Name | Description | | [WP_Session_Tokens::__construct](https://developer.wordpress.org/reference/classes/wp_session_tokens/__construct/) | Protected constructor. Use the `get_instance()` method to get the instance. | | [WP_Session_Tokens::create](https://developer.wordpress.org/reference/classes/wp_session_tokens/create/) | Generates a session token and attaches session information to it. | | [WP_Session_Tokens::destroy](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy/) | Destroys the session with the given token. | | [WP_Session_Tokens::destroy_all](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy_all/) | Destroys all sessions for a user. | | [WP_Session_Tokens::destroy_all_for_all_users](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy_all_for_all_users/) | Destroys all sessions for all users. | | [WP_Session_Tokens::destroy_all_sessions](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy_all_sessions/) | Destroys all sessions for the user. | | [WP_Session_Tokens::destroy_other_sessions](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy_other_sessions/) | Destroys all sessions for this user, except the single session with the given verifier. | | [WP_Session_Tokens::destroy_others](https://developer.wordpress.org/reference/classes/wp_session_tokens/destroy_others/) | Destroys all sessions for this user except the one with the given token (presumably the one in use). | | [WP_Session_Tokens::drop_sessions](https://developer.wordpress.org/reference/classes/wp_session_tokens/drop_sessions/) | Destroys all sessions for all users. | | [WP_Session_Tokens::get](https://developer.wordpress.org/reference/classes/wp_session_tokens/get/) | Retrieves a user’s session for the given token. | | [WP_Session_Tokens::get_all](https://developer.wordpress.org/reference/classes/wp_session_tokens/get_all/) | Retrieves all sessions for a user. | | [WP_Session_Tokens::get_instance](https://developer.wordpress.org/reference/classes/wp_session_tokens/get_instance/) | Retrieves a session manager instance for a user. | | [WP_Session_Tokens::get_session](https://developer.wordpress.org/reference/classes/wp_session_tokens/get_session/) | Retrieves a session based on its verifier (token hash). | | [WP_Session_Tokens::get_sessions](https://developer.wordpress.org/reference/classes/wp_session_tokens/get_sessions/) | Retrieves all sessions of the user. | | [WP_Session_Tokens::hash_token](https://developer.wordpress.org/reference/classes/wp_session_tokens/hash_token/) | Hashes the given session token for storage. | | [WP_Session_Tokens::is_still_valid](https://developer.wordpress.org/reference/classes/wp_session_tokens/is_still_valid/) | Determines whether a session is still valid, based on its expiration timestamp. | | [WP_Session_Tokens::update](https://developer.wordpress.org/reference/classes/wp_session_tokens/update/) | Updates the data for the session with the given token. | | [WP_Session_Tokens::update_session](https://developer.wordpress.org/reference/classes/wp_session_tokens/update_session/) | Updates a session based on its verifier (token hash). | | [WP_Session_Tokens::verify](https://developer.wordpress.org/reference/classes/wp_session_tokens/verify/) | Validates the given session token for authenticity and validity. | ## 󠀁[Source](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#source)󠁿 ```php #[AllowDynamicProperties] abstract class WP_Session_Tokens { /** * User ID. * * @since 4.0.0 * @var int User ID. */ protected $user_id; /** * Protected constructor. Use the `get_instance()` method to get the instance. * * @since 4.0.0 * * @param int $user_id User whose session to manage. */ protected function __construct( $user_id ) { $this->user_id = $user_id; } /** * Retrieves a session manager instance for a user. * * This method contains a 'session_token_manager' filter, allowing a plugin to swap out * the session manager for a subclass of `WP_Session_Tokens`. * * @since 4.0.0 * * @param int $user_id User whose session to manage. * @return WP_Session_Tokens The session object, which is by default an instance of * the `WP_User_Meta_Session_Tokens` class. */ final public static function get_instance( $user_id ) { /** * Filters the class name for the session token manager. * * @since 4.0.0 * * @param string $session Name of class to use as the manager. * Default 'WP_User_Meta_Session_Tokens'. */ $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' ); return new $manager( $user_id ); } /** * Hashes the given session token for storage. * * @since 4.0.0 * * @param string $token Session token to hash. * @return string A hash of the session token (a verifier). */ private function hash_token( $token ) { return hash( 'sha256', $token ); } /** * Retrieves a user's session for the given token. * * @since 4.0.0 * * @param string $token Session token. * @return array|null The session, or null if it does not exist. */ final public function get( $token ) { $verifier = $this->hash_token( $token ); return $this->get_session( $verifier ); } /** * Validates the given session token for authenticity and validity. * * Checks that the given token is present and hasn't expired. * * @since 4.0.0 * * @param string $token Token to verify. * @return bool Whether the token is valid for the user. */ final public function verify( $token ) { $verifier = $this->hash_token( $token ); return (bool) $this->get_session( $verifier ); } /** * Generates a session token and attaches session information to it. * * A session token is a long, random string. It is used in a cookie * to link that cookie to an expiration time and to ensure the cookie * becomes invalidated when the user logs out. * * This function generates a token and stores it with the associated * expiration time (and potentially other session information via the * 'attach_session_information' filter). * * @since 4.0.0 * * @param int $expiration Session expiration timestamp. * @return string Session token. */ final public function create( $expiration ) { /** * Filters the information attached to the newly created session. * * Can be used to attach further information to a session. * * @since 4.0.0 * * @param array $session Array of extra data. * @param int $user_id User ID. */ $session = apply_filters( 'attach_session_information', array(), $this->user_id ); $session['expiration'] = $expiration; // IP address. if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { $session['ip'] = $_SERVER['REMOTE_ADDR']; } // User-agent. if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) { $session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] ); } // Timestamp. $session['login'] = time(); $token = wp_generate_password( 43, false, false ); $this->update( $token, $session ); return $token; } /** * Updates the data for the session with the given token. * * @since 4.0.0 * * @param string $token Session token to update. * @param array $session Session information. */ final public function update( $token, $session ) { $verifier = $this->hash_token( $token ); $this->update_session( $verifier, $session ); } /** * Destroys the session with the given token. * * @since 4.0.0 * * @param string $token Session token to destroy. */ final public function destroy( $token ) { $verifier = $this->hash_token( $token ); $this->update_session( $verifier, null ); } /** * Destroys all sessions for this user except the one with the given token (presumably the one in use). * * @since 4.0.0 * * @param string $token_to_keep Session token to keep. */ final public function destroy_others( $token_to_keep ) { $verifier = $this->hash_token( $token_to_keep ); $session = $this->get_session( $verifier ); if ( $session ) { $this->destroy_other_sessions( $verifier ); } else { $this->destroy_all_sessions(); } } /** * Determines whether a session is still valid, based on its expiration timestamp. * * @since 4.0.0 * * @param array $session Session to check. * @return bool Whether session is valid. */ final protected function is_still_valid( $session ) { return $session['expiration'] >= time(); } /** * Destroys all sessions for a user. * * @since 4.0.0 */ final public function destroy_all() { $this->destroy_all_sessions(); } /** * Destroys all sessions for all users. * * @since 4.0.0 */ final public static function destroy_all_for_all_users() { /** This filter is documented in wp-includes/class-wp-session-tokens.php */ $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' ); call_user_func( array( $manager, 'drop_sessions' ) ); } /** * Retrieves all sessions for a user. * * @since 4.0.0 * * @return array Sessions for a user. */ final public function get_all() { return array_values( $this->get_sessions() ); } /** * Retrieves all sessions of the user. * * @since 4.0.0 * * @return array Sessions of the user. */ abstract protected function get_sessions(); /** * Retrieves a session based on its verifier (token hash). * * @since 4.0.0 * * @param string $verifier Verifier for the session to retrieve. * @return array|null The session, or null if it does not exist. */ abstract protected function get_session( $verifier ); /** * Updates a session based on its verifier (token hash). * * Omitting the second argument destroys the session. * * @since 4.0.0 * * @param string $verifier Verifier for the session to update. * @param array $session Optional. Session. Omitting this argument destroys the session. */ abstract protected function update_session( $verifier, $session = null ); /** * Destroys all sessions for this user, except the single session with the given verifier. * * @since 4.0.0 * * @param string $verifier Verifier of the session to keep. */ abstract protected function destroy_other_sessions( $verifier ); /** * Destroys all sessions for the user. * * @since 4.0.0 */ abstract protected function destroy_all_sessions(); /** * Destroys all sessions for all users. * * @since 4.0.0 */ public static function drop_sessions() {} } ``` [View all references](https://developer.wordpress.org/reference/files/wp-includes/class-wp-session-tokens.php/) [View on Trac](https://core.trac.wordpress.org/browser/tags/7.0/src/wp-includes/class-wp-session-tokens.php#L15) [View on GitHub](https://github.com/WordPress/wordpress-develop/blob/7.0/src/wp-includes/class-wp-session-tokens.php#L15-L290) ## 󠀁[Related](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#related)󠁿 | Used by | Description | | [WP_User_Meta_Session_Tokens](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/)`wp-includes/class-wp-user-meta-session-tokens.php` | Meta-based user sessions token manager. | ## 󠀁[Changelog](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#changelog)󠁿 | Version | Description | | [4.0.0](https://developer.wordpress.org/reference/since/4.0.0/) | Introduced. | ## 󠀁[User Contributed Notes](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#user-contributed-notes)󠁿 1. [Skip to note 2 content](https://developer.wordpress.org/reference/classes/wp_session_tokens/?output_format=md#comment-content-4790) 2. [Adriano G. V. Esposito](https://profiles.wordpress.org/adriano-esposito/) [ 5 years ago ](https://developer.wordpress.org/reference/classes/wp_session_tokens/#comment-4790) 3. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwp_session_tokens%2F%23comment-4790) Vote results for this note: 2[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwp_session_tokens%2F%23comment-4790) 4. ```php /*** Destroy sessions by user ID */ // get all sessions for user with ID $user_id $sessions = WP_Session_Tokens::get_instance($user_id); // we have got the sessions, destroy them all! $sessions->destroy_all(); ``` 5. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwp_session_tokens%2F%3Freplytocom%3D4790%23feedback-editor-4790) You must [log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwp_session_tokens%2F) before being able to contribute a note or feedback.