Yii2 remote logout of a user session from the current user session

I wanted to log out of a user session registered in another browser / environment from the current session of the same user. A similar feature is https://www.facebook.com/settings?tab=security&section=sessions&view .

Yii2 is the underlying infrastructure. I am using redis for session management - yii2-redis . I also store the session identifiers in the database.

I followed this article - http://www.codeinphp.com/general/php-code-snippets/remotely-destroy-different-session-php-forced-user-signout/

But there was no success.

session_id($old_session_id);
session_start(); // This line throws an error.
session_destroy();

Removing the key with \Yii::$app->session->destroySession($oldSessionId) did not log that session out.

Changing the session identifier to the old one and then destroying the session also did not help.

$currentSessionId = \Yii::$app->session->getId();
\Yii::$app->session->setId($oldSessionId);
\Yii::$app->getSession()->destroy();
\Yii::$app->session->setId($currentSessionId);

If someone has successfully implemented this, please share your solution. Also, if there is any documentation that might help, please point me to it.

+5
2 answers

First, session_start() should be called before session_id(), and it should be called only once:

// start a session only if none is active yet
if (session_status() == PHP_SESSION_NONE) {
    session_start();
}
session_id($old_session_id);
session_destroy();

But just deleting the session is not enough if you allow the user to log in automatically, because the browser then logs in automatically using the cookie. To solve this you must change the user's AuthKey; Yii2 uses the AuthKey to verify the user's automatic login. By default each user has only one AuthKey in the user table, so when you change it, it changes for every session of that user. Therefore we must adjust this: for each user session, store an AuthKey somewhere outside the user table. This is easy to do:

1) extend the yii\web\User class;

2) override the afterLogin function to create an AuthKey for each login session;

3) override the validateAuthKey function to check the automatic login against our custom AuthKey.

Now, when you want to kill any user session, kill the PHP session identifier and the AuthKey, and that session is gone immediately. I use this solution in my projects and it works great.

+3
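The scheme this answer describes, written out as an added example (it is not code from the answer, the question, or Yii2 itself). It assumes a `user_session` table and the hypothetical class and column names used below; the Yii2 calls it relies on are yii\web\User::afterLogin/afterLogout/sendIdentityCookie, yii\web\Session::getId, yii\redis\Session::destroySession, and the getAuthKey/validateAuthKey methods of yii\web\IdentityInterface. One correction to the prose above: validateAuthKey lives on the identity model, not on yii\web\User, so that is where it is overridden here.

```php
<?php
// Added example, not part of the original answer or of Yii2.
// Assumed table (not part of Yii2):
//   CREATE TABLE user_session (
//     auth_key   VARCHAR(64)  PRIMARY KEY,
//     user_id    INT          NOT NULL,
//     session_id VARCHAR(128) NOT NULL,
//     created_at INT          NOT NULL
//   );

namespace app\models {
    use yii\db\ActiveRecord;
    use yii\db\Query;
    use yii\web\IdentityInterface;

    // Identity model (assumed name). findIdentity()/getId() are the usual ones; the
    // per-session key replaces the single auth_key column of the user table.
    class User extends ActiveRecord implements IdentityInterface
    {
        /** @var string|null key of the session this identity was logged in for */
        private $sessionAuthKey;

        public static function tableName() { return 'user'; }
        public static function findIdentity($id) { return static::findOne($id); }
        public static function findIdentityByAccessToken($token, $type = null) { return null; }
        public function getId() { return $this->id; }

        // yii\web\User reads this when it writes the remember-me (identity) cookie.
        public function getAuthKey() { return $this->sessionAuthKey; }
        public function setSessionAuthKey($key) { $this->sessionAuthKey = $key; }

        // Called by yii\web\User::loginByCookie(): a cookie is valid only while its row exists.
        public function validateAuthKey($authKey)
        {
            $exists = (new Query())->from('user_session')
                ->where(['user_id' => $this->id, 'auth_key' => $authKey])->exists();
            if ($exists) {
                $this->sessionAuthKey = $authKey;
            }
            return $exists;
        }
    }
}

namespace app\components {
    use Yii;
    use yii\db\Query;

    // Configure as the 'user' component: ['class' => 'app\components\WebUser', 'enableAutoLogin' => true]
    class WebUser extends \yii\web\User
    {
        public $identityClass = 'app\models\User';

        public function afterLogin($identity, $cookieBased, $duration)
        {
            $sessionId = Yii::$app->session->getId(); // already regenerated by switchIdentity()
            $db = Yii::$app->db;
            if ($cookieBased) {
                // Remember-me login created a fresh PHP session: rebind the existing key to it.
                $db->createCommand()->update('user_session',
                    ['session_id' => $sessionId], ['auth_key' => $identity->getAuthKey()])->execute();
            } else {
                // Fresh password login: mint a key that belongs to this session only.
                $key = Yii::$app->security->generateRandomString(32);
                $db->createCommand()->insert('user_session', [
                    'auth_key' => $key, 'user_id' => $identity->getId(),
                    'session_id' => $sessionId, 'created_at' => time(),
                ])->execute();
                $identity->setSessionAuthKey($key);
                if ($this->enableAutoLogin && $duration > 0) {
                    // switchIdentity() already sent a cookie carrying a null key; overwrite it.
                    $this->sendIdentityCookie($identity, $duration);
                }
            }
            parent::afterLogin($identity, $cookieBased, $duration);
        }

        /** Sessions of the current user, for a "where you're logged in" page. */
        public function getSessions()
        {
            return (new Query())->from('user_session')->where(['user_id' => $this->id])
                ->orderBy(['created_at' => SORT_DESC])->all();
        }

        /** Kill one session of the current user: drop its redis session and its auth key. */
        public function logoutSession($authKey)
        {
            $row = (new Query())->from('user_session')
                ->where(['user_id' => $this->id, 'auth_key' => $authKey])->one();
            if ($row === false) {
                return false; // not this user's session: one user must never kill another's
            }
            // yii\redis\Session::destroySession() issues DEL on the session key; no session_start() needed
            Yii::$app->session->destroySession($row['session_id']);
            Yii::$app->db->createCommand()->delete('user_session', ['auth_key' => $authKey])->execute();
            return true;
        }

        public function afterLogout($identity)
        {
            // Ordinary logout: forget this session's key so its remember-me cookie dies too.
            Yii::$app->db->createCommand()->delete('user_session',
                ['session_id' => Yii::$app->session->getId()])->execute();
            parent::afterLogout($identity);
        }
    }
}
```

With this in place a "sessions" page can list `Yii::$app->user->sessions` and call `Yii::$app->user->logoutSession($key)` for the one to kill; both the redis session and the remember-me key for that browser disappear, while the other sessions of the user keep working. The ownership check in logoutSession is the part that matters most: the auth key is the only thing the client supplies, so it must always be scoped to the logged-in user's id. Whether yii\web\Session::destroySession() actually deletes anything depends on the session component; the redis one does, the native file handler does not.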

Based on Ngo's answer, I figured out a method that works well and is easier to configure.

1) Add the "last_session_id" field to the user table.

2) Add the following to the main controller:

// requires "use Yii;" and "use common\models\User;" at the top of the controller
public function afterAction($action, $result)
{
    $result = parent::afterAction($action, $result);
    if (Yii::$app->user->id) {
        // record the current session id on the user row after every action
        $user = User::find()->where(['id' => Yii::$app->user->id])->one();
        $user->last_session_id = Yii::$app->session->id;
        $user->save(false);
    }
    return $result;
}

3) Change the site/login action as follows:

public function actionLogin()
{
    if (!\Yii::$app->user->isGuest) {
        return $this->goHome();
    }
    $model = new LoginForm();
    if ($model->load(Yii::$app->request->post()) && $model->login()) {
        // destroy the session recorded by afterAction() on the previous login,
        // then rotate the auth key so that session's remember-me cookie stops working
        Yii::$app->session->destroySession(Yii::$app->user->identity->last_session_id);
        $u = \common\models\User::find()->where(['id' => Yii::$app->user->id])->one();
        $u->auth_key = Yii::$app->security->generateRandomString();
        $u->save(false);
        return $this->goBack();
    }
    return $this->render('/site/login', [
        'model' => $model,
    ]);
}
+1
