0

I am an intermediate user of the CodeIgniter framework.

I am going to develop a new system that has "Admin, Manager, Employee" roles. If an admin or manager changes any employee's password, the employee's session needs to be destroyed and the employee logged out of their account.

I don't have any idea how to do that. Can anyone help with how to do this, and which type of session save path do I have to select for it?

K.Dᴀᴠɪs
Tamilselvan S
  • Can you successfully update the employee data? And the session destroy process is remaining? – Danish Ali Mar 26 '18 at 04:52
  • 1
    Why is it necessary that the admin edits the employee's password and that the employee has to be immediately logged out? Obviously if an employee is logged in they have the right to be there, so it doesn't matter if their password is changed - it only matters when they log in (or attempt to log in) again. This kind of logic requires a lot of overhead - checking if the password is changed whenever the user does something on the site, as Karlo points out. If you want to prevent a user from logging in again just make a ban/unban system... – Alex Mar 26 '18 at 05:55
  • @alex: Once the user logs out this will work, no problem. If I have removed an employee, I will change their password or make their status inactive by html. If I change either of the above, I need to destroy their session. How is this possible? – Tamilselvan S Mar 26 '18 at 07:57
  • Try to create an ajax function that checks for changes to the password. This is set on a time interval. Then upon changes destroy the session and call redirect. – kamote ulalo Mar 26 '18 at 08:27

2 Answers

1

There is a simple solution for that:

1 - Add a field in your users table called "forcelogout", for example. It can be an ENUM with 2 choices, 'Y' or 'N', and default value 'N'.

ALTER TABLE `users` ADD COLUMN `forcelogout` ENUM('Y','N') NOT NULL DEFAULT 'N' COMMENT 'Y: force user to logout, N: nothing to do'

2 - When updating the user password, update that field value to 'N'

3 - In your parent controller (application/core/MY_Controller.php), check the "forcelogout" value and log out the user if it's 'Y'. Then update the value to 'N' to avoid a loop.

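public function __construct()
{
    // CI_Controller must be constructed first so $this->load and $this->session exist
    parent::__construct();
    $this->do_we_need_to_logout_user();
}

private function do_we_need_to_logout_user(){
    $user_id = $this->session->user_id;
    // Visitors who are not logged in (e.g. on the login page) have nothing to check
    if ( empty($user_id) ){
        return;
    }
    $this->load->model('users_model');
    $user = $this->users_model->get_user($user_id);
    if ( ! empty($user) && $user[0]->forcelogout == 'Y' ){
        $this->session->sess_destroy();
        // Reset the flag so the user is not logged out again after the next login
        $user = array();
        $user['forcelogout'] = 'N';
        $this->users_model->update_user($user_id, $user);
        redirect('/login');
    }
}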
Oussama
0

Admin/manager side: they change the employee's password.

Employee side: each time you retrieve the employee data, check if the password status has changed. If so, destroy the session for the employee.

On successful login again, set the password status to null or something.

Karlo Kokkak
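One way to implement the per-request check both answers describe, as an added example that is not code from either answer: the session records the password-change timestamp seen at login and each request compares it with the database, so every open session of that employee ends, and an account set to inactive is logged out as well. The `password_changed_at` and `status` columns, the `pwd_changed_at` session key and the `start_user_session()` helper are assumptions; the session library, database and URL helper are assumed to be autoloaded.

```php
<?php
// application/core/MY_Controller.php (added example, CodeIgniter 3)
// Assumed schema: users.id, users.status ('active' / 'inactive'),
// users.password_changed_at (DATETIME, updated whenever the password is changed).
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->end_stale_session();
    }

    // Hypothetical helper: call once after a successful login so the
    // session is pinned to the password that was valid at that moment.
    protected function start_user_session($user)
    {
        $this->session->sess_regenerate(TRUE); // fresh session id at login
        $this->session->set_userdata(array(
            'user_id'        => $user->id,
            'pwd_changed_at' => $user->password_changed_at,
        ));
    }

    private function end_stale_session()
    {
        $user_id = $this->session->userdata('user_id');
        if (empty($user_id)) {
            return; // not logged in, nothing to invalidate
        }
        $row = $this->db->select('status, password_changed_at')
                        ->where('id', $user_id)
                        ->get('users')
                        ->row();
        // Stale if the account was removed or deactivated, or if the
        // password was changed after this session was created.
        $stale = $row === NULL
            || $row->status !== 'active'
            || $row->password_changed_at !== $this->session->userdata('pwd_changed_at');
        if ($stale) {
            $this->session->sess_destroy();
            redirect('/login');
        }
    }
}
```

The admin or manager code that saves a new password hash must set `password_changed_at` in the same update. Nothing is reset after the logout, so a second browser or device holding another session for the same employee is ended on its next request too.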