I need to be able to delete a user's session (force him to login again). E.g. I want to delete and ban the user from my site, but even if I delete his data from the DB his session will be still active and thus he can continue to be active on the site until he logs out and tries to log in again.
How should I find and delete the session of a currently logged in user?
Sessions are stored on the filesystem and I'd like to keep it that way.
Thanks, Hamlet
It depends your session management system. Different ones manage sessions in different ways.
Personally (and generically), rather than trying to delete the user, I would consider adding a database column that would allow me to mark users as banned.
Then check that on page accesses and throw a Forbidden error if it is set.
This will, obviously, increase the load on the database so it might not be the best approach for you.
What about a variable inside your session which is checked at every page? You didn't specify any language but on some of them you could do something like:
Session["username"] = <userid>;
So, on all pages (or in your master page) you could have something like
if(Session["username"] == null)
redirect('Login');
Then when you decide that the user is no more in your circle of trust, you could have something like:
Session["username"] = null;
That will cause that the user is redirected to the logon page, and since you already change your DB he/she will not be able to log-in anymore. Notice that you didn't destroy the session itself, just the part that kept the user log-in.
I am not sure I understand your question. Are you looking to ban the user in the middle of a session after they are logged in? If so, you should not just be deleting from DB, you should also be deleting the session information from memory & force the user to log back in. As David pointed out, you may need to keep a list of banned users in the db if you would like to do this all the time. However, I am not sure why anyone would do that since it is much easier to not let the users login in the first place.
If you use cookies to keep track of a session ID, delete the cookie, as after that the user will appear to be a new, anonymous user (and have to log in again). This assumes there is some kind of process to clean up the session data on disk.
Do you have the ability to install other software on the server? Can you set up memcached?
If so, you could simply store a list of banned users (from a db table) in memcached. When the admin bans a user, it updates the db table and the cached list. From there, the web application only has to check the cache on each page request, which avoids hitting the db.
if you want to end a session immediately each page should check the session data on each request
to ban the user; store a user status that is checked at login