4

I have the following problem:

  1. User X logs in on PC1, with session_id 1000. Leaves but forgets to log out.
  2. User X logs in on PC2, with session_id 1001.
  3. Before session 1000 times out, user Y gets access on PC1 as user X, with session_id 1000.

In this way, two users get access as the same user, on different PCs, with different session ids. What I wanna do is store the new session_id each time a user logs in (done), and delete the previously stored session_id. But I don't know how to delete or modify a session file given the id, without changing the current session.

I mean, I wanna do the following:

  1. User X logs in on PC1, with session_id 1000. Script stores 1000 as last_session_id. Leaves but forgets to log out.
  2. Same user logs in on PC2, with session_id 10001. Script gets last_session_id (1000) and deletes that session info; then stores 1001 as the new last_session_id.
  3. User Y goes to PC1, with session_id 1000, but can't get access as X because the info was deleted.

Can *session_id(old_session)* work properly? Or does that function just rename the current session id, but maintain the values?

Thanks in advance.

ESL
  • How about login systems? I mean, direct relationships between user and session_id (ex: auth table databases) – Somy A Nov 19 '12 at 02:37
  • I try to avoid reading the table on every page load to test if it is the current session id. If I delete it at login, there is no need to test it later. – ESL Nov 19 '12 at 14:50
  • But how to define which session_id (related to a user) to destroy, if there is no correlation between user and session_id? – Somy A Nov 19 '12 at 16:53
  • When the user logs in, the script saves login time, user id and data, and a hash (with ip, browser, etc.) as session vars, and the new session id in the table. Before overwriting the session id, it takes the previous id. The idea (and I don't know how) is to always delete the previous one. So every time the user logs in, the destruction of the previous session works as a logout without the need to query the database every time (just take values from session). **I DON'T NEED ANOTHER SOLUTION**, I need to know how to delete a session given an id, as the title says. Thanks. – ESL Nov 20 '12 at 04:57
  • 1
    If I get you right, this answers your question. http://stackoverflow.com/questions/5443355/remotely-destroy-a-session-in-php-user-logs-in-somewhere-else – Sirkong Mar 10 '14 at 20:39
  • @Sirkong I think it is what I need. A year and a half later, but still… – ESL May 15 '14 at 02:04

2 Answers

6

I found this

```php
// $sessionid holds the ID of the session to remove.
$session_id_to_destroy = $sessionid;

// 1. Commit the session if it's started.
if (session_id()) {
    session_commit();
}

// 2. Store the current session id.
session_start();
$current_session_id = session_id();
session_commit();

// 3. Hijack, then destroy, the session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();

// 4. Restore the current session id. If you don't restore it, your current
//    session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();
```

It worked perfectly for me.

Brenex
  • 2
    Answer is credited to the user Jack Luo on this [post](http://php.net/manual/en/function.session-destroy.php#114709) at php.net. – Zuul Oct 25 '17 at 19:17
  • 1
    Thank you @Zuul for pointing that out. I definitely should have given credit. – Brenex Jan 12 '18 at 23:31
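
The technique from the answer above, wrapped for the login flow the question describes, as an added example that is not part of the original posts. The function names `destroy_session_by_id()` and `rotate_on_login()`, the `$store` array standing in for the `last_session_id` column, and the ID length bounds are assumptions.

```php
<?php
// Added example (not from the answers above). Hypothetical names:
// destroy_session_by_id(), rotate_on_login(), and $store, an array standing
// in for the table column that holds each user's last_session_id.
// Call these before any output is sent: switching IDs re-sends the cookie.

function destroy_session_by_id(string $oldId): bool
{
    // Accept only the characters PHP itself uses in session IDs
    // (length bounds are an assumption covering default configurations).
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $oldId)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;               // caller must already have a session
    }
    $currentId = session_id();
    if ($oldId === $currentId) {
        return false;               // never destroy the session we are in
    }

    session_write_close();          // save and release the current session
    session_id($oldId);             // switch to the stale session...
    session_start();
    session_destroy();              // ...and delete its stored data

    session_id($currentId);         // switch back, or later code would
    session_start();                // keep using the destroyed ID
    return true;
}

function rotate_on_login(int $userId, array &$store): string
{
    session_regenerate_id(true);    // new ID for the authenticated session
    $newId = session_id();

    $previous = $store[$userId] ?? null;
    $store[$userId] = $newId;       // stored as the new last_session_id
    if ($previous !== null) {
        destroy_session_by_id($previous);
    }

    $_SESSION['uid'] = $userId;
    return $newId;
}
```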
0

From my experience, I use one table to store data related to the session. The table contains two or more fields: userID, lastSessionID. On your system you just need to get the sessionId and userID, then compare it to the last sessionID stored in the db for the same userID. If you get the same sessionID then continue, but if it is different, redirect the page to logout. But, to use this method, you should store the userID and sessionId in the db every time the user logs in.

errorare
  • I try to avoid reading the table on every page load to test if it is the current session id. If I delete it at login, there is no need to test it later. – ESL Nov 19 '12 at 14:50
  • Just by reading the database on every page load, you can get the latest sessionId for a particular user. Only 1 sessionId for 1 user in the db. – errorare Nov 20 '12 at 00:56
  • I'm trying to avoid repeated database reads. PHP's session system allows multiple sessions pointing to the same webpage user (the same user Id). I don't need to read the database to know the session id. When the page loads, it loads $_SESSION['uid']. But if the user does not log out, another user, with the previous session, can have the previous $_SESSION['uids'] and the script does not know if this is the last. So I try to delete the old one. – ESL Nov 20 '12 at 04:52
  • Did you mean session_destroy();. session_destroy will completely destroy all the session that you use before. After destroy, you can assign the new session for new user. – errorare Nov 20 '12 at 06:40
  • I tried to use session_destroy(), but destroyed the current session, not the last one. – ESL Jan 16 '13 at 06:06