stack stack - 4 months ago 9
PHP Question

How can I unset the session of a specific user?

I have a session like this $_SESSION['login'] and when it is equal to 1, it means the user is logged into my website:

if ( $_SESSION['login'] == 1 ) {
    // You are logged
} else {
    // login/register
}


Also I have another session which contains user's id. Something like this:

echo $_SESSION["Id"];
/* It is containing the user's id (an integer number).
Something like: 234124
*/


Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?




Edit: All I'm trying to do: When a user changes his password, I remove all his cookies from the cookies table to sign him out from all his other devices. Also I want to remove his session.

Answer

Updated Answer

You've provided helpful details in your comments:

When a user changes his password, I need to log out his account from all his other devices.

Your question is essentially how to implement single login/logout across devices if you're using sessions.

Here is a simple approach:

  1. User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
  2. User logs into another device, you set userID and lastSeen in that session
  3. Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName)
  4. In your DB, have a logout table with columns userID and requestTime
  5. If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in logout table
  6. When user tries to access restricted page, you check:
    • Does $_SESSION['userID'] exist (means user logged in at some point)
    • Is lastSeen within the last 30-60 minutes (otherwise, call session_destroy() and request another login)
    • Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.

Original Answer

Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).

If you want to unset the current user's session, whoever that user may be, you can do one of the following:

session_destroy(); // clears everything for the current user
unset($_SESSION['login']); // clears just this variable for the current user

If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.

Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:

userID | sessionData | sessionExpires

You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
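
The checks from steps 5 and 6 of the updated answer, as an added example that is not part of the original answer. The function names, the 30-minute constant and the in-memory SQLite table are assumptions, and a plain array stands in for one device's $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed idle limit: 30 minutes, in seconds

// Step 5: record that every session of this user must re-authenticate.
// The caller also runs session_destroy() for the device making the request.
function requestLogout(PDO $db, int $userID, int $now): void
{
    $stmt = $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)');
    $stmt->execute([$userID, $now]);
}

// Step 6: the three checks made before serving a restricted page.
// Returns true and refreshes lastSeen, or false when the caller must
// call session_destroy() and send the user back to the login form.
function sessionIsValid(PDO $db, array &$session, int $now): bool
{
    if (!isset($session['userID'], $session['lastSeen'])) {
        return false; // never logged in
    }
    if ($now - $session['lastSeen'] > IDLE_LIMIT) {
        return false; // idle for too long
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM logout WHERE userID = ? AND requestTime > ? LIMIT 1'
    );
    $stmt->execute([$session['userID'], $session['lastSeen']]);
    if ($stmt->fetchColumn() !== false) {
        return false; // logout requested from another device since lastSeen
    }
    $session['lastSeen'] = $now;
    return true;
}

// Constructed demo data: in-memory SQLite and a constructed base timestamp.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL)');

$t = 1700000000;
$phone = ['userID' => 234124, 'lastSeen' => $t + 60]; // second device of the user

var_dump(sessionIsValid($db, $phone, $t + 120)); // before any logout request
requestLogout($db, 234124, $t + 300);            // password changed on another device
var_dump(sessionIsValid($db, $phone, $t + 360)); // phone after the logout request
$phone = ['userID' => 234124, 'lastSeen' => $t + 400]; // fresh login with new password
var_dump(sessionIsValid($db, $phone, $t + 460)); // new session is newer than the request
```

Because the comparison is against each session's own lastSeen, a login made after the password change is not affected by the earlier logout row.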