Remotely destroy session

Question

ngonix 0 Light Poster

10 Years Ago

Hello, I have an application which shows users which are currently logged into the system. The web application is running on a server and everytime a client on another computer logs in, he/she appears on the active users list. Below is some of the code:

loggedusers.php

...... 

<table cellpadding="3">
            <tr bgcolor="#CCCCCC">
                <td><b>User</b></td>
                <td><b>Date In</b></td>
                <td><b>Time In</b></td>

            </tr>
            <?php
                while( $row = mysql_fetch_array( $result ) ) {
                    if($row['userID'] == $_SESSION['loggedUserID']){
                    ?>
                        <tr bgcolor="#CCCCFF">
                            <td><?php echo $row['user']; ?></td>
                            <td><?php echo $row['dateIn']; ?></td>
                            <td><?php echo $row['timeIn']; ?></td>

                        </tr>
                    <?php
                    }
                    else {
             ?>

                <tr bgcolor="#CCCCFF">
                            <td><?php echo $row['user']; ?></td>
                            <td><?php echo $row['dateIn']; ?></td>
                            <td><?php echo $row['timeIn']; ?></td>
                            <td><a href="logoutuser.php?userid=<?php echo $row['userID'] ?>">Remove User</a></td>

                        </tr>

            <?php } 

            }?>

.......

logoutuser.php

<?php
    session_start();

    require_once 'includes/config.php'; 
    include "includes/functions.php";


    if ( $_REQUEST_METHOD = 'GET' ) {
if ( (isset( $_GET['userid'] ) && !empty( $_GET['userid'] ) )) {

        $userID = escape_value( $_GET['userid'] );

        $sql = "DELETE FROM tblloggedusers WHERE userID = $userID";
        $result = mysql_query( $sql ) or die( mysql_error() );

        // Missing logic for destroying/unsetting client's session

        header( 'Location: loggedusers.php' );
        exit;
    }
    }

?>

Now the problem I'm having is that when I click the "remove user" link of the loggedusers.php page from the admin server computer, it only removes user from the list but it does not destroy the client's session. I have tried using session_id() function but having trouble getting actual id of session. My table contains user ids of all logged in clients.

How do I forcebly destroy a session on a remote client computer and log them out? Any help would be greatly appreciated.

php session

6 Contributors
8 Replies
3K Views
1 Day Discussion Span
Latest Post 10 Years Ago Latest Post by iamthwee

Alberto Bucur 0 Junior Poster

10 Years Ago

Hi,
That work if you verify if userID exist in tblloggedusers at every operation made by the user; menu navigation, data update, etc.

cereal 1,524 Nearly a Senior Poster

10 Years Ago

An alternative to avoid the extra query, is to inject the user session with a variable that will log out the user as soon he performs an action.

So, when you go to logoutuser.php, submit the session id of the user instead of the user id, for example:

/logoutuser.php?sid=2ehks4jp50u6s5isv4713l6uk1

And, from there, call a command line script:

<?php

    $sid = $_GET['sid'];
    exec("php destroy.php {$sid}");

    . . .

The destroy.php script will look like:

<?php

    $sid = $argv[1];

    # load user session
    session_id($sid);
    session_start();

    # inject the new value
    $_SESSION['deleteme'] = TRUE;

Now, in the pages accessed by the users, set a filter like this:

<?php

    session_start();

    if(array_key_exists('deleteme', $_SESSION))
    {
        # bye bye
        header('Location: logout.php');
    }

In theory you could destroy the session from the command line script, but it cannot delete the session cookie, that resides in the user's browser. Bye!

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ngonix 0 Light Poster · Answer 1 · 2014-03-03T09:58:17+00:00

Ok that could work. Is there another way? Just wondering.

diafol · Answer 2 · 2014-03-03T19:29:28+00:00

Just wondering if active sessions are saved in db - would deleting the record work for you?

iamthwee · Answer 3 · 2014-03-03T23:35:36+00:00

How do I forcebly destroy a session on a remote client computer and log them out? Any help would be greatly appreciated.

Out of curiousity why would you need to do this?

veedeoo 474 Junior Poster Featured Poster · Answer 4 · 2014-03-04T05:49:40+00:00

You cannot forcebly destroy session on a remote client using script. The only way you can do this is by connecting by way of FTP or when you change the session.save_path directive to something else.

Sessions are stored above your public directory. In some servers, it is called 'tmp' directory.

You can easily find the exact location by running a simple phpinfo() and look for the session directive called session.save_path

If you want to change the directory for the save_path, please read more here.

Warning! changing the location for the save_path create serious vulnerabilities. This is the reason why we don't want to put the item price in session variables.

ngonix 0 Light Poster · Answer 5 · 2014-03-04T06:25:09+00:00

Guys I have gone thru all your methods, but the first option albucurus gave me seems to be working fine. Thanks for all your input! :)

iamthwee · Answer 6 · 2014-03-04T21:57:00+00:00

Once again, I'd like to highlight a point made previously... Why would you want to do this? Veedeoo highlights the impractical nature of this.

If you wish to cancel said user's access to a page why not simply create another variable which is set and stored in the database.

So...

if user_session equals logged in and db field allowed to use equals ok then show the page otherwise do not?

Sounds good right?