We are using PHP and storing session data in memcached. Is there a way to invalidate all sessions by a given user id? The use case is that when a user changes their password, we log them out; however, we should also be invalidating every other session under that user id.

Is this possible?

Justin

1 Answer

I think you would have to add a check on every request to make sure the user context is still valid.

First thought is to have a record in a backend store that contains a timestamp of when the user's password was updated. When a user logs in, you can write a cookie with a timestamp or store it in the session. Upon subsequent requests/checks, as long as the cookie/session date is newer than the password change date, it passes. When the password changes, the date on the backend record is set to the current timestamp, and the next check will fail and destroy the user session.

So in this context the actual invalidation wouldn't happen until the next request comes from the old session.

Aaron Webb
  • That is elegant. I was thinking about storing the current session ID and user id in the database, and then just calling `session_id($session_id_to_destroy); session_start(); session_destroy(); session_write_close();` – Justin Jan 20 '15 at 21:25
  • A consideration there is that you could run into sync issues between that and your actual session store. You'll have to keep all the session ids a user has active in that table and make sure you remove them when the user logs out or is invalidated through the normal process. – Aaron Webb Jan 20 '15 at 21:28
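The per-request check described in the answer, written out as an added example (this is not code from the question, the answer, or the comments). It assumes a hypothetical `users` table with an integer `password_changed_at` column reached through PDO, and that PHP's memcached session handler is already configured; the class and method names are my own. The login timestamp is kept in the server-side session rather than in a plain cookie, because a cookie value can be rewritten by the client.

```php
<?php
// Added example, not from the original post: the "password changed at" guard
// from the answer, applied on every authenticated request.
// Assumptions: a `users` table with `id` and integer `password_changed_at`
// columns (hypothetical), PDO for access, and PHP sessions stored in memcached
// (e.g. session.save_handler=memcached, session.save_path=127.0.0.1:11211).

declare(strict_types=1);

final class SessionGuard
{
    public function __construct(private PDO $db) {}

    // Call once after the password has been verified at login.
    public function onLogin(int $userId): void
    {
        session_regenerate_id(true);        // fresh id: also blocks session fixation
        $_SESSION['user_id'] = $userId;
        $_SESSION['auth_at'] = time();      // server-side stamp, not a client cookie
    }

    // Call after the new password hash has been stored. Every other session of
    // this user becomes stale; the current one is re-stamped so it survives.
    public function onPasswordChange(int $userId): void
    {
        $stmt = $this->db->prepare(
            'UPDATE users SET password_changed_at = :t WHERE id = :id'
        );
        $stmt->execute([':t' => time(), ':id' => $userId]);
        $this->onLogin($userId);
    }

    // Call on every authenticated request, before any application logic.
    // Returns true if the session is still valid; otherwise destroys it and
    // returns false. Invalidation is lazy: an old session dies on its next request.
    public function check(): bool
    {
        if (!isset($_SESSION['user_id'], $_SESSION['auth_at'])) {
            return false;
        }
        $stmt = $this->db->prepare(
            'SELECT password_changed_at FROM users WHERE id = :id'
        );
        $stmt->execute([':id' => $_SESSION['user_id']]);
        $changedAt = $stmt->fetchColumn();
        if ($changedAt === false) {         // user no longer exists: treat as invalid
            $this->destroy();
            return false;
        }
        // Sessions established before the last password change are stale.
        // A login in the same second as the change is allowed (auth_at == changedAt);
        // if that window matters, store an incrementing "password version" instead.
        if ((int) $_SESSION['auth_at'] < (int) $changedAt) {
            $this->destroy();
            return false;
        }
        return true;
    }

    private function destroy(): void
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// Usage at the top of each authenticated page (constructed, $pdo assumed):
// session_start();
// $guard = new SessionGuard($pdo);
// if (!$guard->check()) { header('Location: /login'); exit; }
```

The lookup of `password_changed_at` costs one query per request; since the session data already lives in memcached, the same value can be cached there under a per-user key and refreshed from the database only on a miss or on password change. The old session record in memcached is not touched until its owner makes a request, which is the lazy behaviour the answer describes.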