1. 技术文章
  2. Force user to logout session PHP

Force user to logout session PHP

北战南征 提交于 2019-12-09 16:43:05

问题


I can't seem to find a straightforward answer to this question. Is there a way in which I can force a logged in user to logout? My login system essentially just relies on a session containing the user's unique ID (which is stored in a mysql database). So essentially just...

if (isset($_SESSION['user_id'])) {
echo "You're logged in!";
} else {
echo "You need to login!";
}

But let's say I want to ban this user, well I can change their status to banned in my database but this won't do anything until the user logs out and attempts to log back in... So, how do I force this user to logout? Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server. Any help is appreciated, thank you.


回答1:


Either you need to check every time they load a page, or possibly look at an Ajax call at set intervals to check their status from the DB.

Then you can use session_destroy(); to end their session. This will destroy their entire session.

Otherwise you can use unset($_SESSION['user_id']); to unset a single session variable




回答2:


Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server.

Loading the user from the database on every page load, rather than storing a copy of the user in the session, is a perfectly reasonable solution. It also prevents the user from getting out of sync with the copy in the database (so that, for instance, you can change a user's properties or permissions without them having to log out and back in).




回答3:


Try to put this on every page...

if (isset($_SESSION['user_id'])) {

    $sql = "SELECT from tbl where status='banned' and user_id=$_SESSION['user_id'] ";
    $query = mysql_query($sql);

    if(!empty(mysql_num_rows($query))){ // found the banned user
       //redirect to logout or
       //session_destroy();
    }

} else {
echo "You need to login!";
}

if the user is still logged in... check if his/her status is banned or not... if banned.. then logout




回答4:


You can unset it.

unset($_SESSION['user_id'])



回答5:


You could use Custom Session Handlers this way you have full control where and how the session data is stored on the server.

So you could store the session data for a particular user in a file called <user_id>.session for example. Then, to logout the user, just delete that file.




回答6:


Ajax calls in an interval will put extra load on server. If you want real-time response to your actions(e.g. the user will be signed out right when you ban them from your system backend), then you should look into something like Server Push.

The idea is to keep a tunnel open from Server to Browser whenever a user is browsing your website, so that you can communicate with them from server-side too. If you want them to be banned, push a logout request and the process that in your page(i.e. force logout by unsetting session).




回答7:


This worked for me am using pHP 5.4 include 'connect.php';

  session_start();
  if(session_destroy())
  {
     header("Location: login.php");
  }



回答8:


You can use session_save_path() to find the path where PHP saves the session files, and then delete them using unlink().

Once you delete the session file stored in the sever, the client side PHPSESSID cookie will no longer be valid for authentication and the user will be automatically be logger out of your application.

Please be very careful while using this approach, if the path in question turns out to be the global /tmp directory! There's bound to be other processes other than PHP storing temporary data there. If PHP has its own directory set aside for session data it should be fairly safe though.




回答9:


There is a few ways to do this the best in my opinion based on security is: NOTE: THIS IS REALLY ROUGH.... I know the syntax is wrong, its just for you to get an idea.

$con = mysql_connect("localhost","sampleuser","samplepass");
if (!$con)
{
$error = "Could not connect to server";
}
mysql_select_db("sampledb", $con);
$result = mysql_query("SELECT * FROM `sampletable` WHERE `username`='".$_SESSION['user_id']."'");
$userdeets = mysql_fetch_array($result);
if($_SESSION['sessionvalue'] != $userdeets['sessionvalue'])
{
session_destroy();
Header('Location: logout.php');
}
else
{
$result2 = mysql_query("UPDATE `sessionvalue` WHERE `username`='".$_SESSION['user_id']."' SET `sessionvalue` = RANDOMVALUE''");
 $sesval = mysql_fetch_array($result2);
$_SESSION['sessionvalue'] = $seshval
}

Now I know thats not the very code but in essence what you need to do to be secure and have this ability is:

  • Everytime a page load check a Session value matches a value in the DB.
  • Every time a page loads set a new session value based on a random generated DB value. you will need to store the username in a session as well.
  • if the Session ID's do not match then you destroy the session and redirect them.
  • if it does match you make the new session ID.

if you want to ban a user you can set their sessionvalue in the DB to a value like "BANNED". this value will not allow them to log in either. this way you can control user through a simple web form and you can also generate list of banned users very easily etc etc. I wish I had more time to explain it I hope this helps.



来源:https://stackoverflow.com/questions/10407555/force-user-to-logout-session-php

标签
php
session
login
logout
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!