How can I unset the session of a specific user?

stack

I have a session like this $_SESSION['login'] and when it is equal to 1, it means the user is logged into my website:

if ( $_SESSION['login'] == 1 ) {
    // You are logged in
} else {
    // login/register
}

Also I have another session which contains user's id. Something like this:

echo $_SESSION["Id"]; 
/* It contains the user's id (an integer number).
   Something like: 234124
*/

Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?


Edit: All I'm trying to do: When a user changes his password, I remove all his cookies from the cookies table to sign him out from all his other devices. Also I want to remove his session.

BeetleJuice

Updated Answer

You've provided helpful details in your comments:

When a user changes his password, I need to log out his account from all his other devices.

Your question is essentially how to implement single login/logout across devices if you're using sessions.

Here is a simple approach:

  1. User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
  2. User logs into another device, you set userID and lastSeen in that session.
  3. Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName).
  4. In your DB, have a logout table with columns userID and requestTime.
  5. If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in the logout table.
  6. When user tries to access restricted page, you check:
    • Does $_SESSION['userID'] exist (means user logged in at some point)
    • Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
    • Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.

Original Answer

Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).

If you want to unset the current user's session, whoever that user may be, you can do one of the following:

session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user

If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.

Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:

userID | sessionData | sessionExpires

You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
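
The six steps from the updated answer, written out as an added PHP example (it is not part of the original answer). It assumes a PDO connection and a session already started with session_start(); the function names and the millisecond timestamps are choices of this example.

```php
<?php
declare(strict_types=1);
// Assumed schema (column names from the answer, types chosen for this example):
//   CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL);
// Timestamps are integer milliseconds, so a logout request and a page view that
// land in the same second are still ordered correctly by "requestTime > lastSeen".

const IDLE_LIMIT_MS = 30 * 60 * 1000; // the 30-minute window from step 6

function nowMs(): int {
    return (int) floor(microtime(true) * 1000);
}

// Steps 1-2: call after the password was verified and session_start() has run.
function markLoggedIn(int $userID): void {
    session_regenerate_id(true);       // fresh session ID for the authenticated session
    $_SESSION['userID']   = $userID;
    $_SESSION['lastSeen'] = nowMs();
}

function endSession(): void {
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }
}

// Step 5: logout, password change, or anything else that must force a re-login.
function requestLogout(PDO $db, int $userID): void {
    $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)')
       ->execute([$userID, nowMs()]);
    endSession();                      // ends the session on the current device
}

// Step 6: gate for restricted pages. Returns true only if the session may continue.
function sessionIsValid(PDO $db): bool {
    if (!isset($_SESSION['userID'], $_SESSION['lastSeen'])) {
        return false;                  // never logged in on this device
    }
    $idle = nowMs() - $_SESSION['lastSeen'];
    $stmt = $db->prepare('SELECT 1 FROM logout WHERE userID = ? AND requestTime > ? LIMIT 1');
    $stmt->execute([$_SESSION['userID'], $_SESSION['lastSeen']]);
    if ($idle > IDLE_LIMIT_MS || $stmt->fetchColumn() !== false) {
        endSession();                  // idle too long, or logged out from another device
        return false;
    }
    $_SESSION['lastSeen'] = nowMs();   // only advanced after both checks pass
    return true;
}
```

Every other device keeps its old lastSeen until its next request, so the row written by requestLogout() invalidates it on that request; the device that changed the password logs in again and gets a lastSeen later than the row.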
