I need to be able to delete a user's session (force him to log in again). E.g. I want to delete and ban the user from my site, but even if I delete his data from the DB his session will still be active, and thus he can continue to be active on the site until he logs out and tries to log in again.

How should I find and delete the session of a currently logged in user?

Sessions are stored on the filesystem and I'd like to keep it that way.

Thanks, Hamlet

A: 

It depends on your session management system. Different ones manage sessions in different ways.

Personally (and generically), rather than trying to delete the user, I would consider adding a database column that would allow me to mark users as banned.

Then check that on page accesses and throw a Forbidden error if it is set.

This will, obviously, increase the load on the database so it might not be the best approach for you.

David Dorward
I want to avoid hitting the database continuously for something that happens once every 2 months. By the way this is on LAMP.
The P in LAMP can stand for many different things — one of them is Perl, and Perl alone has multiple session management modules.
David Dorward
A: 

What about a variable inside your session which is checked at every page? You didn't specify any language but on some of them you could do something like:

Session["username"] = <userid>;

So, on all pages (or in your master page) you could have something like

if(Session["username"] == null)
   redirect('Login');

Then when you decide that the user is no more in your circle of trust, you could have something like:

Session["username"] = null;

That will cause the user to be redirected to the logon page, and since you have already changed your DB he/she will not be able to log in anymore. Notice that you didn't destroy the session itself, just the part that kept the user logged in.

Freddy
A: 

I am not sure I understand your question. Are you looking to ban the user in the middle of a session after they are logged in? If so, you should not just be deleting from DB, you should also be deleting the session information from memory & force the user to log back in. As David pointed out, you may need to keep a list of banned users in the db if you would like to do this all the time. However, I am not sure why anyone would do that since it is much easier to not let the users login in the first place.

msvcyc
Imagine a user continuously misusing the system (e.g. posting mature content) so I want to ban him. He is online, so I must set him as banned and log him out somehow. Deleting the session seems to be the most efficient way of forcing him to log out.
How do I delete the user's session information using PHP? The session is stored on the filesystem.
Understood the reason. Thanks. As I mentioned, you should be deleting the session info from memory, mark the user as banned in the db and then force the user to the login page. However, he might re-register again -)
msvcyc
Sorry, I am not sure how to do this in PHP.
msvcyc
A: 

If you use cookies to keep track of a session ID, delete the cookie, as after that the user will appear to be a new, anonymous user (and have to log in again). This assumes there is some kind of process to clean up the session data on disk.

JonoW
A: 

Do you have the ability to install other software on the server? Can you set up memcached?

If so, you could simply store a list of banned users (from a db table) in memcached. When the admin bans a user, it updates the db table and the cached list. From there, the web application only has to check the cache on each page request, which avoids hitting the db.

Chris
This is the closest so far, as I am focusing on performance.
Can't we search for that session and physically delete the session file from the server?
Not sure how PHP sessions work, but it doesn't seem like it would be possible to me. It would be a rather large security hole to allow one user to destroy the session for another user, even if the intent was purely beneficial.
Chris
I just found this article (http://www.herongyang.com/PHP/Session-Where-Is-Session-Data-Stored.html). According to that, you can force php to store session data in a specific location, but you'd still have the task of identifying which session files belonged to the user you were attempting to ban.
Chris
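The comment above notes that with filesystem sessions you still have to work out which session file belongs to the user being banned. One way to make that possible is to record the session id at login. The following is an added example for PHP's default "files" session handler, not code from any of the answers; it assumes a PDO connection `$db`, a `users` table with a `banned` column, and a `user_sessions(user_id, session_id)` table created by the application.

```php
<?php
// Added example (not from the original answers). Assumes a PDO connection $db,
// a users.banned column and a user_sessions(user_id, session_id) table.

// Call after a successful login (session_start() must already have run).
// Regenerating the id first means a pre-login id is never reused, and the
// new id is recorded so an admin can later find this user's session file.
function recordLoginSession(PDO $db, int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $stmt = $db->prepare('INSERT INTO user_sessions (user_id, session_id) VALUES (?, ?)');
    $stmt->execute([$userId, session_id()]);
}

// Admin action: mark the user banned and destroy every session recorded for
// them. With the "files" handler session_destroy() removes the sess_<id> file
// under session_save_path(), which is exactly what forces a fresh login.
function banUserAndDestroySessions(PDO $db, int $userId): int
{
    $db->prepare('UPDATE users SET banned = 1 WHERE id = ?')->execute([$userId]);

    $stmt = $db->prepare('SELECT session_id FROM user_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $ids = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Park the admin's own session so the target sessions can be opened in turn.
    $adminSession = session_id();
    session_write_close();

    $destroyed = 0;
    foreach ($ids as $sid) {
        // Accept only ids PHP itself generates; never pass stored text to the
        // session layer unchecked (it becomes part of a filename).
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
            continue;
        }
        session_id($sid);
        if (session_start() && session_destroy()) {
            $destroyed++;
        }
    }

    // Restore the admin's session and drop the now-stale mapping rows.
    session_id($adminSession);
    session_start();
    $db->prepare('DELETE FROM user_sessions WHERE user_id = ?')->execute([$userId]);
    return $destroyed;
}
```

A session whose id was never recorded (for example one created before this code was deployed) is not found this way, so the per-request check of a banned flag suggested in the first answer remains the reliable backstop.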
A: 

If you want to end a session immediately, each page should check the session data on each request.

To ban the user, store a user status that is checked at login.

Jim