Kill All Active Sessions
Posted: Tue Jun 05, 2007 8:36 am
by icesolid
I was just wondering if there is any PHP code I could use on my site where I could provide a link that if clicked would kill all PHP sessions that are currently active and require all users that are using an active session to relogin?
Posted: Tue Jun 05, 2007 8:49 am
by superdezign
Haha, that's a strange request.
I'm pretty sure that you can't do it from a browser... That'd seem senseless.
However (I've never tried this, mind you), I believe that emptying the data in the directory returned from session_save_path() would destroy (or cause ugly bugs in) user sessions.
Posted: Tue Jun 05, 2007 8:57 am
by feyd
It's dangerous to do if you are using file based sessions. If you are using database sessions, it's fairly simple and benign.
Posted: Tue Jun 05, 2007 9:14 am
by icesolid
Well, how would I kill all active sessions from outside of a browser?
Also, how would I do it using session_save_path()?
My save_handler = files and my save_path = /tmp, if that helps at all.
Posted: Tue Jun 05, 2007 10:21 am
by superdezign
Sessions are stored in the save_path.
As for database sessions.. I didn't know we could do that! Do tell feyd!

:D
Posted: Tue Jun 05, 2007 10:53 am
by icesolid
So how would I delete the sessions in the save path? Just open it up in SSH and delete all?
Posted: Tue Jun 05, 2007 10:58 am
by RobertGonzalez
Is there a reason you want to kill all active sessions at once?
Posted: Tue Jun 05, 2007 10:59 am
by icesolid
Let's say a user is logged in and I want to change their password to something they do not know, then boot their session out so they can't get back in. I do not know how to identify their session specifically to kill their session, so I don't mind just killing all sessions and booting them off.
Unless it's possible to kill just their session?
Posted: Tue Jun 05, 2007 11:11 am
by RobertGonzalez
You should seriously consider databasing your sessions. It will make it much easier to manage single users that way.
Posted: Tue Jun 05, 2007 11:35 am
by icesolid
I can do that. But if I database them how would I cancel just their session?
Posted: Tue Jun 05, 2007 12:04 pm
by RobertGonzalez
<?php
// $session_id and $user_id must be escaped or bound as parameters before this query is executed
$sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id";
?>
Posted: Tue Jun 05, 2007 12:07 pm
by TheMoose
Everah wrote:
<?php
// $session_id and $user_id must be escaped or bound as parameters before this query is executed
$sql = "DELETE FROM `sessions` WHERE `session_id` = '$session_id' AND `user_id` = $user_id";
?>
[nitpick]
You wouldn't know the session id, so you would only be able to delete the session based off the user id
[/nitpick]
If you make your authentication a bit more lively, you wouldn't have to kill all sessions. Instead of sessioning whether they're OK to continue, you could check their account versus an "enabled" or "active" flag for their account in a DB. If it's inactive, don't let them load the page, or redirect, or whatever. This way you don't have to deal with deleting session files/rows.
Posted: Tue Jun 05, 2007 12:22 pm
by icesolid
Yeah, that's a really good idea. I should have thought of that myself.
Nice

Posted: Tue Jun 05, 2007 12:27 pm
by Ollie Saunders
feyd wrote:It's dangerous to do if you are using file based sessions. If you are using database sessions, it's fairly simple and benign.
Why do you say that is dangerous?
Posted: Tue Jun 05, 2007 12:47 pm
by icesolid
I think just creating an active or inactive indicator is an excellent idea. Much easier also.
I just made a field in my database called 'active'. If it's true it will allow access, and if it is set to false at any time it will immediately destroy the session and log the user off if they try to access any page checking for the 'active' field.
I just put the check for 'active' in with the other checks I do for sessions at the top of my pages.
Good idea, recommended!
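The two approaches discussed in this thread (deleting a user's rows from a database-backed session table by user id, and checking an 'active' flag on every request), as an added example that is not code from any poster. The table and column names, the in-memory SQLite database, the sample rows, and the function names are all assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Table/column names (users.active,
// sessions.user_id) and all function names are hypothetical.
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active INTEGER NOT NULL)');
$pdo->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users VALUES (1, 1), (2, 1)");
$pdo->exec("INSERT INTO sessions VALUES ('aaa', 1), ('bbb', 1), ('ccc', 2)");

// Per-request check: the session alone is not trusted; the account row decides.
function isAccountActive(PDO $pdo, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT active FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $active = $stmt->fetchColumn();
    return $active !== false && (int) $active === 1; // unknown user counts as inactive
}

// Lock one account and drop every session row it owns, keyed on user_id only
// (the admin does not need to know the session id). Values are bound, not interpolated.
function lockAccount(PDO $pdo, int $userId): int
{
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET active = 0 WHERE id = ?')->execute([$userId]);
    $del = $pdo->prepare('DELETE FROM sessions WHERE user_id = ?');
    $del->execute([$userId]);
    $pdo->commit();
    return $del->rowCount(); // number of session rows removed
}

// Guard for the top of each protected page; on false, a real page would
// call session_destroy() and redirect to the login form.
function requireActiveUser(PDO $pdo, array $session): bool
{
    return isset($session['user_id']) && isAccountActive($pdo, (int) $session['user_id']);
}

$removed = lockAccount($pdo, 1);
printf("sessions removed for user 1: %d\n", $removed);
printf("user 1 allowed: %s\n", var_export(requireActiveUser($pdo, ['user_id' => 1]), true));
printf("user 2 allowed: %s\n", var_export(requireActiveUser($pdo, ['user_id' => 2]), true));
```

Doing both steps in one transaction means a locked user is rejected on the next request even if a session row is recreated, and other users' sessions are left untouched.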