Title: WP_User_Meta_Session_Tokens
Published: September 4, 2014
Last modified: May 20, 2026

---

# class WP_User_Meta_Session_Tokens {}


Meta-based user sessions token manager.

## Description

### See also

 * [WP_Session_Tokens](https://developer.wordpress.org/reference/classes/wp_session_tokens/)

## Methods

| Name | Description |
| --- | --- |
| [WP_User_Meta_Session_Tokens::destroy_all_sessions](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/destroy_all_sessions/) | Destroys all session tokens for the user. | 
| [WP_User_Meta_Session_Tokens::destroy_other_sessions](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/destroy_other_sessions/) | Destroys all sessions for this user, except the single session with the given verifier. | 
| [WP_User_Meta_Session_Tokens::drop_sessions](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/drop_sessions/) | Destroys all sessions for all users. | 
| [WP_User_Meta_Session_Tokens::get_session](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/get_session/) | Retrieves a session based on its verifier (token hash). | 
| [WP_User_Meta_Session_Tokens::get_sessions](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/get_sessions/) | Retrieves all sessions of the user. | 
| [WP_User_Meta_Session_Tokens::prepare_session](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/prepare_session/) | Converts an expiration to an array of session information. | 
| [WP_User_Meta_Session_Tokens::update_session](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/update_session/) | Updates a session based on its verifier (token hash). | 
| [WP_User_Meta_Session_Tokens::update_sessions](https://developer.wordpress.org/reference/classes/wp_user_meta_session_tokens/update_sessions/) | Updates the user’s sessions in the usermeta table. |

## Source

    ```php
    class WP_User_Meta_Session_Tokens extends WP_Session_Tokens {

    	/**
    	 * Retrieves all sessions of the user.
    	 *
    	 * @since 4.0.0
    	 *
    	 * @return array Sessions of the user.
    	 */
    	protected function get_sessions() {
    		$sessions = get_user_meta( $this->user_id, 'session_tokens', true );

    		if ( ! is_array( $sessions ) ) {
    			return array();
    		}

    		$sessions = array_map( array( $this, 'prepare_session' ), $sessions );
    		return array_filter( $sessions, array( $this, 'is_still_valid' ) );
    	}

    	/**
    	 * Converts an expiration to an array of session information.
    	 *
    	 * @since 4.0.0
    	 *
    	 * @param mixed $session Session or expiration.
    	 * @return array Session.
    	 */
    	protected function prepare_session( $session ) {
    		if ( is_int( $session ) ) {
    			return array( 'expiration' => $session );
    		}

    		return $session;
    	}

    	/**
    	 * Retrieves a session based on its verifier (token hash).
    	 *
    	 * @since 4.0.0
    	 *
    	 * @param string $verifier Verifier for the session to retrieve.
    	 * @return array|null The session, or null if it does not exist
    	 */
    	protected function get_session( $verifier ) {
    		$sessions = $this->get_sessions();
    		return $sessions[ $verifier ] ?? null;
    	}

    	/**
    	 * Updates a session based on its verifier (token hash).
    	 *
    	 * @since 4.0.0
    	 *
    	 * @param string $verifier Verifier for the session to update.
    	 * @param array  $session  Optional. Session. Omitting this argument destroys the session.
    	 */
    	protected function update_session( $verifier, $session = null ) {
    		$sessions = $this->get_sessions();

    		if ( $session ) {
    			$sessions[ $verifier ] = $session;
    		} else {
    			unset( $sessions[ $verifier ] );
    		}

    		$this->update_sessions( $sessions );
    	}

    	/**
    	 * Updates the user's sessions in the usermeta table.
    	 *
    	 * @since 4.0.0
    	 *
    	 * @param array $sessions Sessions.
    	 */
    	protected function update_sessions( $sessions ) {
    		if ( $sessions ) {
    			update_user_meta( $this->user_id, 'session_tokens', $sessions );
    		} else {
    			delete_user_meta( $this->user_id, 'session_tokens' );
    		}
    	}

    	/**
    	 * Destroys all sessions for this user, except the single session with the given verifier.
    	 *
    	 * @since 4.0.0
    	 *
    	 * @param string $verifier Verifier of the session to keep.
    	 */
    	protected function destroy_other_sessions( $verifier ) {
    		$session = $this->get_session( $verifier );
    		$this->update_sessions( array( $verifier => $session ) );
    	}

    	/**
    	 * Destroys all session tokens for the user.
    	 *
    	 * @since 4.0.0
    	 */
    	protected function destroy_all_sessions() {
    		$this->update_sessions( array() );
    	}

    	/**
    	 * Destroys all sessions for all users.
    	 *
    	 * @since 4.0.0
    	 */
    	public static function drop_sessions() {
    		delete_metadata( 'user', 0, 'session_tokens', false, true );
    	}
    }
    ```

[View all references](https://developer.wordpress.org/reference/files/wp-includes/class-wp-user-meta-session-tokens.php/)
[View on Trac](https://core.trac.wordpress.org/browser/tags/7.0/src/wp-includes/class-wp-user-meta-session-tokens.php#L17)
[View on GitHub](https://github.com/WordPress/wordpress-develop/blob/7.0/src/wp-includes/class-wp-user-meta-session-tokens.php#L17-L130)
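
The methods above are protected, so calling code reaches them through the public API of the parent `WP_Session_Tokens` class. The following is an added example, not part of WordPress core or of this reference page: it audits the `session_tokens` usermeta value this class maintains and then revokes a user's sessions. It assumes a loaded WordPress environment, the `ip` and `ua` fields that the parent class records when a session is created, and hypothetical `example_*` function names.

```php
<?php
/**
 * Added example: audit and revoke the sessions stored by
 * WP_User_Meta_Session_Tokens. The example_* names are hypothetical.
 */

function example_audit_sessions( $user_id ) {
	// Raw stored value: an array keyed by verifier (token hash),
	// never by the token carried in the auth cookie.
	$raw = get_user_meta( $user_id, 'session_tokens', true );
	if ( ! is_array( $raw ) ) {
		return array();
	}

	$report = array();
	foreach ( $raw as $verifier => $session ) {
		// Legacy entries are a bare integer expiration; normalise them
		// the same way prepare_session() does.
		if ( is_int( $session ) ) {
			$session = array( 'expiration' => $session );
		}
		$expiration = isset( $session['expiration'] ) ? (int) $session['expiration'] : 0;

		$report[] = array(
			// A short prefix is enough to correlate entries in a report.
			'verifier_prefix' => substr( (string) $verifier, 0, 8 ),
			'expires'         => gmdate( 'c', $expiration ),
			// get_sessions() filters these out on read, but they stay in
			// usermeta until the next write for this user.
			'expired'         => $expiration < time(),
			// Assumed fields: set by the parent class at session creation.
			'ip'              => $session['ip'] ?? '',
			'ua'              => $session['ua'] ?? '',
		);
	}
	return $report;
}

function example_revoke_sessions( $user_id ) {
	$stored = count( example_audit_sessions( $user_id ) );
	// Public entry point on the parent class; with the default manager it
	// ends in destroy_all_sessions(), which deletes the usermeta row.
	WP_Session_Tokens::get_instance( $user_id )->destroy_all();
	return $stored; // number of stored entries that were removed
}
```

The audit function reads usermeta directly, so it only reflects sites that use this default storage class; the revoke function goes through `get_instance()` and works with whichever session manager is active.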

## Related

| Uses | Description |
| --- | --- |
| [WP_Session_Tokens](https://developer.wordpress.org/reference/classes/wp_session_tokens/) `wp-includes/class-wp-session-tokens.php` | Abstract class for managing user session tokens. |

## Changelog

| Version | Description |
| --- | --- |
| [4.0.0](https://developer.wordpress.org/reference/since/4.0.0/) | Introduced. |
