22

Hey, I'm trying to get my PHP website to basically "log out" (session_destroy()) when the same user logs in somewhere else. Is there a way to do this? To remotely destroy a specific session?

Thanks guys!

Scott

twistedpixel

6 Answers

29

It's certainly possible, using session_id. When the user logs in somewhere else, you can do this step before starting a new session for the new login:

// The hard part: find out what $old_session_id is

session_id($old_session_id);
session_start();
session_destroy();

// Now proceed to create a new session for the new login

This will destroy the old session on the server side, so when the other computer accesses your application again it will try to access a non-existent session and a new one will be created for it (in which the user is not logged in anymore).

The hard part is finding out what is the ID of the "old" session. There's no one-size-fits-all way of doing that; you need to have some mechanism in place to be able to tell that the session with id XXX belongs to the same user who is logging in now. If you are using database sessions this should be easy enough.

Jon
  • To be honest, I think I'm going to use this one! I think maybe what I'll do is on logging in, store the session in the user's row in the database. Then check if that's set when logging in; if so, destroy that session using the code you've suggested and replace the session id in the database with the new one. Thanks for your help! – twistedpixel Mar 26 '11 at 15:49
  • @dieselpower44: That could work. But be careful: if a session for user A expires without the user having explicitly logged out, the row in the database will contain the old session id (you won't get the chance to remove it). That session id might be reused in the future by user B, so you might end up logging user B out when user A logs in again. Not very likely, but be aware that this is not a foolproof approach. – Jon Mar 26 '11 at 15:57
  • Downvoter: Please help me improve this answer if you find it deficient. Thank you. – Jon Mar 26 '11 at 15:59
  • I was thinking maybe, to counter this problem you've mentioned, add an extra field in each user row in the DB for the UNIX time they logged in and add that as a session variable too. When logging in, check both session id and UNIX time; if either differ, session_destroy(). Thanks for your help :) – twistedpixel Mar 26 '11 at 16:23
  • @dieselpower44: Sounds like a plan. – Jon Mar 26 '11 at 16:24
  • A little late, but this is a foolproof solution - http://php.net/manual/en/function.session-destroy.php#114709 – zookastos Feb 23 '17 at 18:59
  • Any idea how to do this in NodeJS? – tnkh Jul 11 '19 at 06:42
3

It's not necessary to create your own session handlers.

Simply store the session ID with the username in the database upon login.

Every time the user fetches a page, compare that user's session ID with the stored session ID.

If the session IDs don't match, it means the user has logged in somewhere else, and you should self-destruct.

awm
  • This is even better than my idea after Jon's suggestion! Thank you both! – twistedpixel Mar 26 '11 at 15:51
  • This need to perform a query every time a page is loaded. @Jon only checks on login. – ESL May 15 '14 at 02:03
  • @ESL Which may well be advantageous. It will allow a 'force logout' for remote sessions to check on each page request. Only checking on login would allow the remote session to carry on as normal until next logged out. – MacroMan Jun 06 '17 at 10:13
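The two approaches above (Jon's destroy-the-old-session-by-ID at login, awm's compare-on-every-request) put together in one PHP script. This is an added example, not code from any of the answers or comments; the users table with its session_id and session_started_at columns, the SQLite DSN and the /login.php redirect are assumptions for illustration. The login time is stored and checked next to the session ID so that a recycled session ID alone, the edge case Jon raised in the comments, does not pass.

```php
<?php
// Added example, not code from the answers above. Assumed schema:
//   CREATE TABLE users (
//     id INTEGER PRIMARY KEY,
//     username TEXT UNIQUE NOT NULL,
//     password_hash TEXT NOT NULL,
//     session_id TEXT NULL,
//     session_started_at INTEGER NULL
//   );
declare(strict_types=1);

function db(): PDO
{
    // Hypothetical connection; replace the DSN with your own.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:/tmp/app.sqlite', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
    return $pdo;
}

// Jon's session_id()/session_start()/session_destroy() sequence. It needs no
// session to be active, so an active one is written and closed first.
function destroySessionById(string $oldSessionId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    // IDs come from our own database, but reject anything the session module
    // would not have produced (default sid_length 22..256, sid_bits_per_character 4..6).
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $oldSessionId)) {
        return;
    }
    session_id($oldSessionId);
    session_start();
    session_destroy();
    $_SESSION = []; // session_destroy() leaves $_SESSION populated; clear it
}

function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash, session_id FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Kick the previous login, if one is recorded, before creating the new session.
    if (!empty($user['session_id'])) {
        destroySessionById($user['session_id']);
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // A fresh ID for the new login; this also discards whatever ID the browser
    // presented before authenticating (session fixation).
    session_regenerate_id(true);
    $now = time();
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['login_time'] = $now;

    // Record the new session so the next login and every request can compare against it.
    $stmt = db()->prepare('UPDATE users SET session_id = ?, session_started_at = ? WHERE id = ?');
    $stmt->execute([session_id(), $now, $user['id']]);
    return true;
}

// awm's per-request check: call this at the top of every protected page.
function requireLogin(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'], $_SESSION['login_time'])) {
        forceLogout('not logged in');
    }
    $stmt = db()->prepare('SELECT session_id, session_started_at FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || !hash_equals((string) $row['session_id'], session_id())
        || (int) $row['session_started_at'] !== (int) $_SESSION['login_time']) {
        forceLogout('logged in elsewhere');
    }
    return (int) $_SESSION['user_id'];
}

function forceLogout(string $reason): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=' . rawurlencode($reason));
    exit;
}
```

The per-request query costs one indexed lookup per page, which is the trade-off ESL and MacroMan discuss above: without it, the evicted session keeps working until it next touches the server and finds its session gone, which it only does for the destroy-at-login approach if its data was actually removed.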
1

I can imagine you could do this by using your own session handling. If you store your sessions in a database, you could delete them from another app if you needed to. You would identify the user by user name or something like that.

Tomáš Plešek
0

I would like to suggest that what we can do is get the time, add some additional value (like manu1234567), and store it in the database when the user logs in. Add that to the session also. Now on each page compare both, and if they are equal then proceed, else forward to another page or give some message.

Now the other part: whenever another user logs in with the same username and password, the database will update, and for the first person there will be an error message "someone logged in from somewhere else."

Note: the time will always be different, so there is a very, very small chance that the two values will be the same.

Manu
  • It's a little inefficient make a query on every page. I think @Jon is better, because only needs to check on login. – ESL May 15 '14 at 02:03
0

The best way is to create your own session handlers, if you have full control over how the sessions are stored/retrieved and controlled it's not that difficult to force a log out and it offers you a whole broad range of useful features. If you've got time.

But, for a quicker solution: Store the session ID from PHP in the database with the user, and check this in your isLoggedIn function - or whatever you use. If it doesn't match, force the logout.

CharlesLeaf
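What the custom-session-handler route in the two answers above looks like in practice: a PDO-backed SessionHandlerInterface that records which user owns each session row, so sessions can be found and deleted per user instead of by guessing the old ID. This is an added example, not code from either answer; the sessions table, the $_SESSION['user_id'] convention, the SQLite DSN and PHP 8 are assumptions.

```php
<?php
// Added example, not code from the answers above. Assumed schema:
//   CREATE TABLE sessions (
//     id TEXT PRIMARY KEY,
//     user_id INTEGER NULL,
//     data BLOB NOT NULL,
//     updated_at INTEGER NOT NULL
//   );
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data; // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        // The owning user is kept in its own column so it can be queried;
        // $_SESSION['user_id'] is this example's convention for the logged-in user.
        $userId = $_SESSION['user_id'] ?? null;
        // ON CONFLICT upsert is SQLite/PostgreSQL syntax; MySQL uses ON DUPLICATE KEY UPDATE.
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, user_id, data, updated_at) VALUES (?, ?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET user_id = excluded.user_id,
                 data = excluded.data, updated_at = excluded.updated_at'
        );
        return $stmt->execute([$id, $userId, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // The piece the built-in file handler cannot give you: log a user out
    // everywhere, optionally keeping the session that is doing the kicking.
    public function destroyAllForUser(int $userId, ?string $keepId = null): int
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
        $stmt->execute([$userId, $keepId ?? '']);
        return $stmt->rowCount();
    }
}

// Wiring it up (SQLite here; any PDO driver with an upsert works):
$pdo = new PDO('sqlite:/tmp/sessions.sqlite', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$handler = new DbSessionHandler($pdo);
session_set_save_handler($handler, true);
session_start();

// At login, once the password has been verified and $userId is known:
//   session_regenerate_id(true);
//   $_SESSION['user_id'] = $userId;
//   $handler->destroyAllForUser($userId, session_id());
```

Because the handler owns the storage, the "hard part" from the accepted answer disappears: the old session ID is never looked up, the rows are simply deleted by user_id, and an expired session that was never explicitly logged out is cleaned up by gc() rather than lingering as a stale pointer in the user's row.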
0

Another thing you could do besides Jon's answer (which is great, +1), is initially check where the user came from (referer) and destroy the session if the user comes from another webpage than your own.

// Assumes session_start() has already been called. The Referer header is
// supplied by the client and may be missing or forged, so treat this as a
// heuristic only, not as an authentication check.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
$host = parse_url($referer, PHP_URL_HOST);

// Destroy the session unless the request came from one of our own hosts.
// (The original compared with ||, which is true for every host; it must be &&.)
if ($host !== "yoursite.com" && $host !== "www.yoursite.com") {
    session_destroy();
}
