
Remotely destroy a session in php (user logs in somewhere else)?

Developer https://www.devze.com 2023-02-20 04:07 Source: web

Hey, I'm trying to get my php website to basically "log out" (session_destroy()) when the same user logs in somewhere else. Is there a way to do this? To remotely destroy a specific session?

Thanks guys!

Scott


It's certainly possible, using session_id. When the user logs in somewhere else, you can do this step before starting a new session for the new login:

// The hard part: find out what $old_session_id is

session_id($old_session_id);
session_start();
session_destroy();

// Now proceed to create a new session for the new login

This will destroy the old session on the server side, so when the other computer accesses your application again it will try to access a non-existent session and a new one will be created for it (in which the user is not logged in anymore).

The hard part is finding out what is the ID of the "old" session. There's no one-size-fits-all way of doing that; you need to have some mechanism in place to be able to tell that the session with id XXX belongs to the same user who is logging in now. If you are using database sessions this should be easy enough.


It's not necessary to create your own session handlers.

Simply store the session ID with the username in the database upon login.

Every time the user fetches a page, compare that user's session ID with the stored session ID.

If the session IDs don't match, it means the user has logged in somewhere else, and you should self-destruct.


I can imagine you could do this by using your own session handling. If you store your sessions in a database, you could delete them from another app, if you needed to. You would identify the user by user name or something like that.


The best way is to create your own session handlers. If you have full control over how the sessions are stored/retrieved and controlled, it's not that difficult to force a logout, and it offers you a whole broad range of useful features. If you've got time.

But, for a quicker solution: Store the session ID from PHP in the database with the user, and check this in your isLoggedIn function - or whatever you use. If it doesn't match, force the logout.
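
The "store the session ID with the user and check it on every page" approach from the answers above, as an added example that is not part of the original answers. The `users.session_hash` column and the function names `on_login` and `is_logged_in` are assumptions, and this example stores a SHA-256 hash of the session ID rather than the raw ID.

```php
<?php
// Added example (not from the original answers).
// Assumed schema: users(id INTEGER PRIMARY KEY, session_hash TEXT)

// Call once after the password check succeeds.
function on_login(PDO $db, int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // fresh ID for the new login, old file deleted
    $_SESSION['user_id'] = $userId;

    // Overwriting the stored value is what logs out the older session:
    // its ID no longer matches on its next request.
    // A hash is stored so a database leak does not expose usable session IDs.
    $stmt = $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', session_id()), $userId]);
}

// Call on every page that requires a logged-in user.
function is_logged_in(PDO $db): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        return false;
    }

    $stmt = $db->prepare('SELECT session_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();   // false if no row, null if never set

    if (is_string($stored) && hash_equals($stored, hash('sha256', session_id()))) {
        return true;                  // this is still the most recent login
    }

    // The user logged in somewhere else: end this session.
    $_SESSION = [];
    session_destroy();
    return false;
}
```

Because the check runs on the stale client's own next request, the server never has to open the old session by ID.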


Another thing you could do besides Jon's answer (which is great, +1), is initially check where the user came from (referer) and destroy the session if the user comes from another webpage than your own.

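// Host of the referring page. The Referer header is client-supplied and may be
// missing, in which case parse_url() returns null here.
$referer = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);

// Destroy the session unless the request came from one of our own hosts
// (&& is required: with || the condition is always true).
if ($referer != "yoursite.com" && $referer != "www.yoursite.com") {
     session_destroy();
}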

source


I would like to suggest that what we can do is get the time, add some additional value (like manu1234567), and store it in the database when the user logs in. Add that to the session also. Now on each page compare both, and if they are equal then proceed, else forward to another page or give some message.

Now the other part: whenever another user logs in with the same username and password, the database will update, and for the first person there will be the error message "someone logged in from somewhere else."

Note: the time will always be different, so there will be very little chance that two values will be the same.
