Destroy specific session in PHP

Question

Destroy specific session in PHP

Asked 5 years, 2 months ago

Viewed 233 times

0

I am building a login system with Sessions in PHP, it will have an administrative part that shows all users logged in to the system. My question is... How can I only deploy a specific user who is currently logged in ?

Do you have anything started? How will sessions work? identifiers? improve your question, read https://answall.com/help/how-to-ask

– ElvisP

2019/04/22 at 11:10
Do you want to destroy another user’s session on another pc? That’s it?

– Filipe L. Constante

2019/04/22 at 11:13
That would be to destroy the user session that is logged in on another pc

– Eduardo G.

2019/04/22 at 11:15

1 answer

Browser other questions tagged php login

You are not signed in. Login or sign up in order to post.

by Guilherme Nascimento • **98,651** points · Answer 1 · 2019-04-22T12:10:09+00:00

A simple idea would be at the time user authenticate you would save the value of session_id() in some file or table of LOGONS, and in the user "administrator" you would have a page that would receive the value of the ID in something like:

killusersession.php

<?php
if (empty($_GET['session'])) {
    session_id($_GET['session']);
    session_start();

    $_SESSION['logoff'] = true;

    session_write_close(); //Fecha imediatamente o arquivo
}

So the user pages would have something like:

<?php
session_id();
session_start();

if (!empty($_SESSION['session']['logoff'])) {
     header('Location: /login.php');
     exit;
}

That is, the value $_SESSION['session']['logoff'] would be like a flag to inform that it can no longer access, so in a new user login just remove this value.

It’s a rather superficial explanation because I really don’t know your code.

Notes:

I did not recommend using session_destroy() because it can cause unexpected results, it can cause race condition, that is to generate new Ids (back-end/tmp sessions) while other requests such as images, ajax, etc are running at the same time, this would be quite complicated to adjust.

PHP sessions can cause time-consuming requests to block, so I forced session_write_close, but the problem would also be if the logged-in user is doing something that takes the time, which would killusersession.php take a while, as I explained in: /a/57827/3635

You could also create a file as a flag, to inform which users should be deleted, this not based on the session, but on the ID, this flag would be evaluated on the user system and then removed, to avoid that on a next logon it would logoff again, but this is too broad to suggest here, it depends a lot on what you already have ready.