Kill All Active Sessions
Moderator: General Moderators
I was just wondering if there is any PHP code I could use on my site where I could provide a link that if clicked would kill all PHP sessions that are currently active and require all users that are using an active session to relogin?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Haha, that's a strange request.
I'm pretty sure that you can't do it from a browser... That'd seem senseless.
However (I've never tried this, mind you), I believe that emptying the data in the directory returned from session_save_path() would destroy (or cause ugly bugs in) user sessions.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Let's say a user is logged in and I want to change their password to something they do not know then boot their session out so they can't get back in. I do not know how to identify their session specifically to kill their session, so I don't mind just killing all sessions and boot them off.
Unless it's possible to kill just their session?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Code:
<?php
$sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id";
?>

[nitpick]
Everah wrote:
Code:
<?php $sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id"; ?>
You wouldn't know the session id, so you would only be able to delete the session based off the user id
[/nitpick]
If you make your authentication a bit more lively, you wouldn't have to kill all sessions. Instead of sessioning whether they're OK to continue, you could check their account versus an "enabled" or "active" flag for their account in a DB. If it's inactive, don't let them load the page, or redirect, or whatever. This way you don't have to deal with deleting session files/rows.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
I think just creating an active or inactive indicator is an excellent idea. Much easier also.
I just made a field in my database called 'active'. If it's true it will allow access, and if it is set to false at any time it will immediately destroy the session and log the user off if they try to access any page checking for the 'active' field.
I just put the check for 'active' in with the other checks I do for sessions at the top of my pages.
Good idea, recommended!
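An added example (not code from any poster in this thread) that combines the two suggestions above: deleting session rows by user id with a bound parameter instead of interpolated variables, and checking an 'active' flag on every request. The `users` table, the function names and the in-memory SQLite database are assumptions for illustration; the `sessions` columns follow the query posted above.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, password_hash, active)
// and sessions(session_id, user_id); an in-memory SQLite database stands in for the real one.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT, active INTEGER)');
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER)');

// Admin action: lock one account out without touching anyone else's session.
function lockOutUser(PDO $db, int $userId): int
{
    $db->beginTransaction();
    // Replace the password with a random one nobody knows, and clear the flag.
    $hash = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password_hash = ?, active = 0 WHERE id = ?')
       ->execute([$hash, $userId]);
    // The admin does not know the session id, so delete by user id only.
    $del = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $del->execute([$userId]);
    $db->commit();
    return $del->rowCount();
}

// Per-request check: the session row must exist and the account must be active.
function sessionIsValid(PDO $db, string $sessionId): bool
{
    $q = $db->prepare('SELECT u.active FROM sessions s JOIN users u ON u.id = s.user_id
                       WHERE s.session_id = ?');
    $q->execute([$sessionId]);
    return (int) $q->fetchColumn() === 1; // no row at all also counts as invalid
}

// Constructed sample data: two users, three sessions.
$db->exec("INSERT INTO users VALUES (1, 'x', 1), (2, 'y', 1)");
$db->exec("INSERT INTO sessions VALUES ('aaa', 1), ('bbb', 1), ('ccc', 2)");

var_dump(lockOutUser($db, 1));        // number of session rows removed for user 1
var_dump(sessionIsValid($db, 'aaa')); // user 1's old session
var_dump(sessionIsValid($db, 'ccc')); // user 2 is unaffected
```

With file-based PHP sessions there is no `user_id` column to delete by, so the flag check in `sessionIsValid` is the part that carries over: run it at the top of every protected page and call `session_destroy()` when it fails.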