Terminating another user's session in PHP

Question

When a user starts my app, I ask for the PHP session id string using session_id(). I store this session ID string in a MySQL table.

The app can have dozens of people logged in at a time, and I need to be able to terminate a user through a program that is used by the admin and that lists all the active users. So far I have not been able to find a function like terminate_session($session_id), but I need to be able to terminate another PHP user's session. Is there an easy way of doing this?

Added following responses: (not screaming)
I do not want to do it myself with the mysql tables. I want to be able to call a php function that terminates another user... Is this possible? I know I can do it myself by integrating it into the app tables and programs. But don't want to do more work on it, I just want to be able to call a php function using the php session_id string provided by the session_id() function and then kill the process. Similar to the linux kill command. Does this exist in php??? Thx

Removing the row from the database destroys the session data, without seeing code, i'm not sure how you're having problems. _Are you using a [custom session handler](http://php.net/manual/en/function.session-set-save-handler.php)?_ — Scuzzy, Apr 18 '18 at 22:18
you could delete the session file based on the id you have, i hvent tried this, but i think it will work just fine. but really if you need this you should do as @Scuzzy suggests — , Apr 18 '18 at 22:21
@Scuzzy It doesn't sound like he's storing the session data in the DB, just remembering the ID. — Barmar, Apr 18 '18 at 22:23
@Barmar yes I agree. What you either need to do, is move your session handling to 100% database with a custom session handler that writes/reads to the database, or use the database table as the trigger to trash the standard disk based session. When the user loads the page, you would query your table for the session ID you've logged, if its not there, call session destroy functions. I moved to databased sessions, and it's so much easier to work with. — Scuzzy, Apr 18 '18 at 22:23
@Andrew as a hint check out http://php.net/manual/en/function.session-set-save-handler.php#118225 — Scuzzy, Apr 18 '18 at 22:31
@Andrew you could create another field where you are storing your session IDs that states if the session has been destroyed. Then just periodically check if the session has been flagged for destruction. Then you can just call the standard "session_destroy()" and it will kill the current session which would be the user you have flagged. — Dylan McGreevy, Apr 18 '18 at 22:38
post, shouty edit: there is no ONE magic function, so you will have to write some code, could be one line could be 100 depends. — , Apr 18 '18 at 23:26

score 0 · Answer 1 · answered Apr 19 '18 at 00:06

There is no built in PHP function for this, but you have a couple of simple approaches.

If you already have the session ID(s) you want to destroy, armed with the session.save_path setting, you can simply delete the session files if you are using file based sessions.

$session_id = 'mslpuu98uf1jumf2ervboioeq6';

$session_file = sprintf(
    '%s%ssess_%s',
    session_save_path(),
    PATH_SEPARATOR, 
    $session_id
);

unlink($session_file);

The session file prefix, sess_ has been hard-coded in PHP for some time.

Alternatively, something like this would work:

foreach ($sessionIdToDelete as $s) {
    $_COOKIE[session_name()] = $s;

    session_start();

    unset($_SESSION);
    session_destroy();

    session_write_close();
}

If this will run from a browser using an active session, make sure to call session_write_close before entering the loop, and preserve the current session_id so you can set it back in the cookie.

Terminating another user's session in PHP

1 Answers1