I have a session like this $_SESSION['login'] and when it is equal to 1, it means the user is logged into my website:
if ( $_SESSION['login'] == 1 ) {
// You are logged
} else {
// login/register
}
Also I have another session which contains user's id. Something like this:
echo $_SESSION["Id"];
/* It is containing the user's id (an integer number).
Something like: 234124
*/
Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?
Edit: All I'm trying to do: When a user changes his password, I remove all his cookies from the cookies table to sign him out from all his other devices. Also I want to remove his session.
You've provided helpful details in your comments:
When a user changes his password, I need to log out his account from all his other devices.
Your question is essentially how to implement single login/logout across devices if you're using sessions.
Here is a simple approach:
- userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
- userID and lastSeen in that session
- lastSeen) because they only hold non-changing data (userID, userName)
- logout table with columns userID, requestTime
- session_destroy() and add an entry in logout table
- $_SESSION['userID'] exist (means user logged in at some point)
- lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
- logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.

Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).
If you want to unset the current user's session, whoever that user may be, you can do one of the following:
session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user
If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.
Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:
userID | sessionData | sessionExpires
You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
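
The per-request check from the first answer (userID present, lastSeen within 30 minutes, no logout row with requestTime > lastSeen), written out as an added example that is not part of either answer. The function names are hypothetical, plain arrays stand in for $_SESSION, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added example. Table and column names follow the first answer
// (logout: userID, requestTime); the function names are hypothetical.
const IDLE_LIMIT = 1800; // 30 minutes, as in the answer

function requestLogoutEverywhere(PDO $db, int $userID, int $now): void
{
    // Called when the user changes the password: record the logout request.
    $stmt = $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)');
    $stmt->execute([$userID, $now]);
}

function sessionIsValid(PDO $db, array &$session, int $now): bool
{
    // 1. userID must exist (the user logged in at some point).
    if (!isset($session['userID'], $session['lastSeen'])) {
        return false;
    }
    // 2. lastSeen must be within the last 30 minutes.
    if ($now - $session['lastSeen'] > IDLE_LIMIT) {
        return false;
    }
    // 3. No logout request newer than the last time this session was seen.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM logout WHERE userID = ? AND requestTime > ?'
    );
    $stmt->execute([$session['userID'], $session['lastSeen']]);
    if ((int) $stmt->fetchColumn() > 0) {
        return false;
    }
    $session['lastSeen'] = $now; // still valid: refresh the timestamp
    return true;
}

// Constructed demo data: in-memory SQLite, arrays in place of $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL)');

$phone = ['userID' => 234124, 'lastSeen' => 1000];   // the user's other device
var_dump(sessionIsValid($db, $phone, 1100));         // phone, before the password change
requestLogoutEverywhere($db, 234124, 1200);          // password changed on the laptop
$laptop = ['userID' => 234124, 'lastSeen' => 1201];  // laptop logs in again
var_dump(sessionIsValid($db, $laptop, 1300));        // laptop, fresh login
var_dump(sessionIsValid($db, $phone, 1300));         // phone, after the password change
```

When sessionIsValid() returns false on a real request, the caller runs session_destroy() and asks for another login, as the answer describes.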