Geek Answers Handbook

Force user to exit PHP session

I can not find a direct answer to this question. Is there any way I can get a registered user to log out? My login system, in fact, relies only on a session containing a unique user ID (which is stored in the mysql database). Essentially, just ...

if (isset($_SESSION['user_id'])) { echo "You're logged in!"; } else { echo "You need to login!"; }

But let me say that I want to ban this user, so I can change my status to a ban in my database, but it will not do anything until the user logs out and tries to log in ... So, how do I get this user log out? Preferably, without checking every time that they are viewing the page, regardless of whether the status is switched to β€œban”, because this seems like unnecessary stress on my server. Any help is appreciated, thanks.

+7
source share
9 answers

Either you need to check every time they load the page, or perhaps look at the Ajax call at given intervals to check their status from the database.

Then you can use session_destroy(); to end your session. This will destroy their entire session.

Otherwise, you can use unset($_SESSION['user_id']); to cancel one session variable

+6
source

Preferably, without checking every time that they are viewing the page, regardless of whether the status is switched to β€œban”, because this seems like unnecessary stress on my server.

Downloading a user from the database each time the page is loaded, rather than saving a copy of the user in the session, is a reasonable decision. It also prevents the user from synchronizing with a copy in the database (for example, you can change user properties or permissions without logging out and back).

+5
source

You can disable it.

 unset($_SESSION['user_id'])
0
source

You can use Custom Hand Handlers so that you have full control over where and how session data is stored on the server.

This way you can save session data for a specific user in a file named <user_id>.session , for example. Then, to log out, simply delete this file.

0
source

Ajax calls at intervals will add extra load to the server. If you want your actions to respond in real time (for example, the user will be discharged immediately when you disable them from the backend of your system), then you should learn something like Server Push .

The idea is to have the tunnel open from the server to the browser when a user browses your site so that you can communicate with them from the server side. If you want them to be banned, click on the exit request and the process that is on your page (i.e. log out by disconnecting the session).

0
source

Try putting this on every page ...

 if (isset($_SESSION['user_id'])) { $sql = "SELECT from tbl where status='banned' and user_id=$_SESSION['user_id'] "; $query = mysql_query($sql); if(!empty(mysql_num_rows($query))){ // found the banned user //redirect to logout or //session_destroy(); } } else { echo "You need to login!"; }

if the user is still registered ... check if his status is forbidden or not ... if it is denied .. then log out

0
source

This worked for me using pHP 5.4 include 'connect.php';

  session_start(); if(session_destroy()) { header("Location: login.php"); }
0
source

You can use session_save_path() to find the path where PHP saves the session files, and then delete them using unlink() .

After deleting the session file stored in the section, the client side of the PHPSESSID cookie will no longer be valid for authentication, and the user will automatically exit your application.

Be careful when using this approach if the path in question is a global / tmp directory! There should be other processes besides PHP, where temporary data is stored. If PHP has its own directory reserved for session data, it should be fairly safe.

0
source

There are several ways to do this best, in my opinion, based on security: NOTE: THIS REALLY CONTINUES .... I know that the syntax is wrong, it's just for you to get an idea.

 $con = mysql_connect("localhost","sampleuser","samplepass"); if (!$con) { $error = "Could not connect to server"; } mysql_select_db("sampledb", $con); $result = mysql_query("SELECT * FROM `sampletable` WHERE `username`='".$_SESSION['user_id']."'"); $userdeets = mysql_fetch_array($result); if($_SESSION['sessionvalue'] != $userdeets['sessionvalue']) { session_destroy(); Header('Location: logout.php'); } else { $result2 = mysql_query("UPDATE `sessionvalue` WHERE `username`='".$_SESSION['user_id']."' SET `sessionvalue` = RANDOMVALUE''"); $sesval = mysql_fetch_array($result2); $_SESSION['sessionvalue'] = $seshval }

Now I know that this is not the code, but essentially what you need to do to be safe and have this ability:

  • Each time a page load checks the session value, it corresponds to the value in the database.
  • Each time a page load sets a new session value based on a randomly generated DB value. You will also need to save the username in the session.
  • If the session ID does not match, you destroy the session and redirect it.
  • if it matches your new session id.

if you want to deny the user, you can set the value of sessionvalue in the database to a value similar to "BANNED". this value will not allow them to log in. that way, you can control the user through a simple web form, and you can also easily generate a list of banned users, etc. etc. I wish I had more time to explain this. I hope this helps.

-one
source

More articles:


All Articles