Kill All Active Sessions



Post by icesolid »

I was just wondering if there is any PHP code I could use on my site where I could provide a link that, if clicked, would kill all PHP sessions that are currently active and require all users that are using an active session to re-login?

Post by superdezign »

Haha, that's a strange request.
I'm pretty sure that you can't do it from a browser... That'd seem senseless.

However (I've never tried this, mind you), I believe that emptying the data in the directory returned from session_save_path() would destroy (or cause ugly bugs in) user sessions.

Post by feyd »

It's dangerous to do if you are using file based sessions. If you are using database sessions, it's fairly simple and benign.

Post by icesolid »

Well, how would I kill all active sessions from outside of a browser?

Also, how would I do it using session_save_path()?

My save_handler = files and my save_path = /tmp, if that helps at all.

Post by superdezign »

Sessions are stored in the save_path.

As for database sessions.. I didn't know we could do that! Do tell feyd! :D:D

Post by icesolid »

So how would I delete the sessions in the save path? Just open it up in SSH and delete all?

Post by RobertGonzalez »

Is there a reason you want to kill all active sessions at once?

Post by icesolid »

Let's say a user is logged in and I want to change their password to something they do not know, then boot their session out so they can't get back in. I do not know how to identify their session specifically to kill their session, so I don't mind just killing all sessions and booting them off.

Unless it's possible to kill just their session?

Post by RobertGonzalez »

You should seriously consider databasing your sessions. It will make it much easier to manage single users that way.

Post by icesolid »

I can do that. But if I database them how would I cancel just their session?

Post by RobertGonzalez »

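<?php
// Delete the matching row from the sessions table.
// $session_id and $user_id must be escaped or bound as parameters before they reach the query.
$sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id";
?>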

Post by TheMoose »

Everah wrote:


<?php
$sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id";
?>
[nitpick]
You wouldn't know the session id, so you would only be able to delete the session based off the user id
[/nitpick]

;)

If you make your authentication a bit more lively, you wouldn't have to kill all sessions. Instead of sessioning whether they're OK to continue, you could check their account versus an "enabled" or "active" flag for their account in a DB. If it's inactive, don't let them load the page, or redirect, or whatever. This way you don't have to deal with deleting session files/rows.

Post by icesolid »

Yeah, that's a really good idea. I should have thought of that myself.

Nice :D

Post by Ollie Saunders »

feyd wrote: It's dangerous to do if you are using file based sessions. If you are using database sessions, it's fairly simple and benign.
Why do you say that is dangerous?

Post by icesolid »

I think just creating an active or inactive indicator is an excellent idea. Much easier also.

I just made a field in my database called 'active'. If it's true it will allow access, and if it is set to false at any time it will immediately destroy the session and log the user off if they try to access any page checking for the 'active' field.

I just put the check for 'active' in with the other checks I do for sessions at the top of my pages.

Good idea, recommended!
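
The two suggestions from the thread combined, as an added example that is not code posted by any participant: sessions kept in a database table so they can be revoked by user id alone, plus the per-request `active` flag check. The in-memory SQLite database, the `users`/`sessions` schema and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory schema and sample rows; table and column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active INTEGER NOT NULL DEFAULT 1)');
$pdo->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (id, active) VALUES (1, 1), (2, 1)");
$pdo->exec("INSERT INTO sessions VALUES ('sess-a', 1), ('sess-b', 1), ('sess-c', 2)");

// Admin action: lock the account and drop every session row it owns.
// Only the user id is needed, and it is bound as a parameter, never interpolated.
function lockOutUser(PDO $pdo, int $userId): int
{
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET active = 0 WHERE id = ?')->execute([$userId]);
    $del = $pdo->prepare('DELETE FROM sessions WHERE user_id = ?');
    $del->execute([$userId]);
    $pdo->commit();
    return $del->rowCount();
}

// Per-request check, run with the other session checks at the top of a page.
// A request passes only if its session row exists and the owning account is still active.
function sessionIsValid(PDO $pdo, string $sessionId): bool
{
    $q = $pdo->prepare(
        'SELECT u.active FROM sessions s JOIN users u ON u.id = s.user_id WHERE s.session_id = ?'
    );
    $q->execute([$sessionId]);
    $active = $q->fetchColumn();
    return $active !== false && (int) $active === 1;
}

var_dump(sessionIsValid($pdo, 'sess-a'));   // before the lockout
echo lockOutUser($pdo, 1), " session rows removed\n";
var_dump(sessionIsValid($pdo, 'sess-a'));   // after the lockout
var_dump(sessionIsValid($pdo, 'sess-c'));   // a different user's session
```

In a real page, a false result from the check is the point where `session_destroy()` and the redirect to the login form belong.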