
Force user to logout session PHP

I can't seem to find a straightforward answer to this question. Is there a way in which I can force a logged in user to logout? My login system essentially just relies on a session containing the user's unique ID (which is stored in a mysql database). So essentially just...

if (isset($_SESSION['user_id'])) {
    echo "You're logged in!";
} else {
    echo "You need to login!";
}

But let's say I want to ban this user, well I can change their status to banned in my database but this won't do anything until the user logs out and attempts to log back in... So, how do I force this user to logout? Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server. Any help is appreciated, thank you.

Either you need to check every time they load a page, or possibly look at an Ajax call at set intervals to check their status from the DB.

Then you can use session_destroy(); to end their session. This will destroy their entire session.

Otherwise you can use unset($_SESSION['user_id']); to unset a single session variable.

Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server.

Loading the user from the database on every page load, rather than storing a copy of the user in the session, is a perfectly reasonable solution. It also prevents the user from getting out of sync with the copy in the database (so that, for instance, you can change a user's properties or permissions without them having to log out and back in).

Try to put this on every page...

if (isset($_SESSION['user_id'])) {

    // Cast to int so the session value cannot inject SQL; the original
    // "SELECT from tbl" had no column list and would not parse.
    $user_id = (int)$_SESSION['user_id'];
    $sql = "SELECT user_id FROM tbl WHERE status='banned' AND user_id=$user_id";
    $query = mysql_query($sql);

    if (mysql_num_rows($query) > 0) { // found the banned user
        // redirect to logout or
        // session_destroy();
    }

} else {
    echo "You need to login!";
}

If the user is still logged in, check whether his/her status is banned or not. If banned, then log out.
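A worked version of the per-page check described in this answer, added here as an example rather than the answer's own code. It looks the user up with a PDO prepared statement on every request (one indexed lookup), and on a banned or missing account performs a full logout: clears the data, expires the session cookie and destroys the server-side session. The `users` table and its `status` column are assumptions; an in-memory SQLite database is constructed inline so the script runs offline.

```php
<?php
// Added example (not from the answer above): per-request status check with
// PDO prepared statements. Table and column names are assumptions.
declare(strict_types=1);

// Constructed sample data: one active and one banned account.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, status TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'active'), (2, 'mallory', 'banned')");
    return $db;
}

// End the session completely: drop its data, expire the cookie so the browser
// stops presenting the old id, and destroy the server-side record.
function force_logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// Returns the user row while the session maps to a non-banned account;
// otherwise logs the user out and returns null. Call this on every page.
function current_user(PDO $db): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, name, status FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int)$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || $user['status'] === 'banned') {
        force_logout();
        return null;
    }
    return $user;
}

// Offline demo: simulate three sessions without starting a real one.
if (PHP_SAPI === 'cli') {
    $db = make_db();
    foreach ([1, 2, 99] as $id) {
        $_SESSION = ['user_id' => $id];
        $u = current_user($db);
        echo $id, ': ', $u ? "logged in as {$u['name']}" : 'logged out', PHP_EOL;
    }
}
```

In a web page you would call `session_start();` before `current_user($db)` and render the login prompt when it returns null. Because the user row is re-read on each request, any other change to the account (role, permissions) also takes effect immediately, which is the point made in the answer above.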

You can unset it.

unset($_SESSION['user_id']);

You could use Custom Session Handlers; this way you have full control over where and how the session data is stored on the server.

So you could store the session data for a particular user in a file called <user_id>.session for example. Then, to logout the user, just delete that file.

Ajax calls in an interval will put extra load on the server. If you want a real-time response to your actions (e.g. the user will be signed out right when you ban them from your system backend), then you should look into something like Server Push.

The idea is to keep a tunnel open from the server to the browser whenever a user is browsing your website, so that you can communicate with them from the server side too. If you want them to be banned, push a logout request and process that in your page (i.e. force logout by unsetting the session).

This worked for me; I am using PHP 5.4:

include 'connect.php';
session_start();
if (session_destroy()) {
    header("Location: login.php");
    exit; // stop the script so nothing after the redirect runs
}

You can use session_save_path() to find the path where PHP saves the session files, and then delete them using unlink().

Once you delete the session file stored on the server, the client-side PHPSESSID cookie will no longer be valid for authentication and the user will automatically be logged out of your application.

Please be very careful while using this approach if the path in question turns out to be the global /tmp directory! There are bound to be other processes than PHP storing temporary data there. If PHP has its own directory set aside for session data it should be fairly safe though.

There are a few ways to do this; the best in my opinion based on security is: NOTE: THIS IS REALLY ROUGH.... I know the syntax is wrong, it's just for you to get an idea.

$con = mysql_connect("localhost", "sampleuser", "samplepass");
if (!$con) {
    die("Could not connect to server");
}
mysql_select_db("sampledb", $con);

// Escape the session value before putting it in SQL (mysql_* is removed
// in PHP 7; use mysqli or PDO prepared statements there)
$username = mysql_real_escape_string($_SESSION['user_id'], $con);
$result = mysql_query("SELECT * FROM `sampletable` WHERE `username`='$username'", $con);
$userdeets = mysql_fetch_array($result);

if (!$userdeets || $_SESSION['sessionvalue'] != $userdeets['sessionvalue']) {
    session_destroy();
    header('Location: logout.php');
    exit;
} else {
    // Generate the new random value in PHP, then store it in the DB and the session
    $seshval = bin2hex(openssl_random_pseudo_bytes(16));
    mysql_query("UPDATE `sampletable` SET `sessionvalue`='$seshval' WHERE `username`='$username'", $con);
    $_SESSION['sessionvalue'] = $seshval;
}

Now I know that's not the exact code, but in essence what you need to do to be secure and have this ability is:

  • Every time a page loads, check that a session value matches a value in the DB.
  • Every time a page loads, set a new session value based on a randomly generated DB value. You will need to store the username in a session as well.
  • If the session IDs do not match, then you destroy the session and redirect them.
  • If it does match, you make the new session ID.

If you want to ban a user you can set their sessionvalue in the DB to a value like "BANNED". This value will not allow them to log in either. This way you can control users through a simple web form and you can also generate a list of banned users very easily, etc. I wish I had more time to explain it; I hope this helps.
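A worked version of the session-token scheme this answer sketches, added here as an example and not the answer's own code. The token is minted with `random_bytes()` at login, stored in the DB, and compared on every request with `hash_equals()`; banning overwrites the stored token with a sentinel, which both kills the live session and refuses the next login. One deliberate difference from the answer: the token is rotated at login (and could be rotated again on privilege changes), not on every page load, because per-request rotation races with concurrent requests from the same browser (AJAX calls, several tabs) and logs people out by accident. The `users` table, its columns and the sentinel value are assumptions; an in-memory SQLite database is constructed inline so the script runs offline.

```php
<?php
// Added example, not the answer's own code: per-login session token checked
// against the DB on every request. Table and column names are assumptions.
declare(strict_types=1);

const BANNED = 'BANNED'; // assumed sentinel, as suggested in the answer

// Constructed sample data: two accounts, neither logged in yet.
function token_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, sessionvalue TEXT NOT NULL)');
    $db->exec("INSERT INTO users VALUES ('alice', ''), ('bob', '')");
    return $db;
}

function end_session(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Called after the password check succeeded: mint a fresh token, store it in
// the DB and bind it to this session. Returns false for a banned account.
function login(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT sessionvalue FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $current = $stmt->fetchColumn();
    if ($current === false || $current === BANNED) {
        return false;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET sessionvalue = :t WHERE username = :u')
       ->execute([':t' => $token, ':u' => $username]);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id at privilege change
    }
    $_SESSION = ['user_id' => $username, 'sessionvalue' => $token];
    return true;
}

// Run on every page load: the session stays valid only while its token still
// matches the stored one. hash_equals() avoids a timing side channel.
function check_session(PDO $db): bool
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['sessionvalue'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT sessionvalue FROM users WHERE username = :u');
    $stmt->execute([':u' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === BANNED
        || !hash_equals($stored, $_SESSION['sessionvalue'])) {
        end_session();
        return false;
    }
    return true;
}

// Admin action: overwriting the token ends the live session on its next
// request and makes login() refuse the account.
function ban(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET sessionvalue = :t WHERE username = :u')
       ->execute([':t' => BANNED, ':u' => $username]);
}

// Offline demo of the whole cycle: login, ban, re-check, re-login.
if (PHP_SAPI === 'cli') {
    $db = token_db();
    login($db, 'alice');
    echo 'after login: ', check_session($db) ? 'valid' : 'invalid', PHP_EOL;
    ban($db, 'alice');
    echo 'after ban:   ', check_session($db) ? 'valid' : 'invalid', PHP_EOL;
    echo 'relogin:     ', login($db, 'alice') ? 'allowed' : 'refused', PHP_EOL;
}
```

Compared with the answer's sketch, this keeps the same property it was after (the DB, not the cookie, decides whether a session is alive) while using prepared statements instead of string-built SQL, a CSPRNG for the token, and a constant-time comparison. To un-ban someone, clear `sessionvalue` back to an empty string and let them log in again.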
