0

I am helping develop a web application for one of the departments in the company I work for.
I was asked to look into a way to log off every user that might be on the application at once, so that if updates to the Web App are pushed out, people aren't working with an old version of it.

My problem is that as I am not very savvy with PHP, jQuery, AJAX, etc., which is what we're using, I have not known exactly what to look for.

We have a timer script running every couple seconds in the background, so I was thinking that I could add an admin button that updated a field in the database which this script could check every so often, and if the field was set, the logoff script could be executed. But this seems like a hack to work around the issue.

The guy I'm working with suggested I look into custom SESSION handlers.

What do you guys think? Any ideas?

Any help would be appreciated. Even if it's an idea on what to start searching for.

Thanks in advance!

EDIT: I should mention that this is a one-page web app. The user is not following any links or leaving the page.

npiani
  • are your sessions stored in a database? If so - just delete all the sessions - it will log everyone out – Laurence Oct 08 '12 at 20:29
  • If not, you could build a custom session handler that stored them in a database. – JCOC611 Oct 08 '12 at 20:30
  • You don't need to log everyone out if you make every request show a maintenance page. – deizel. Oct 08 '12 at 20:32
  • @TheShiftExchange I do not believe so. I believe it's just server side. Once the user closes the window or exits the site, their SESSION is destroyed. – npiani Oct 08 '12 at 20:32
  • Have a look at [this question](http://stackoverflow.com/questions/1226040/is-this-a-proper-way-to-destroy-all-sessions-in-php)! – Joost Oct 08 '12 at 20:35

3 Answers

1

Make an entry for logged-in users in your database of choice, maybe memcached if performance is a criterion.

nyson
  • We have a user log that keeps track of users who have logged in. I guess we could check for users who do not have a logoff time. But I still don't see how we'd log them off with this. – npiani Oct 08 '12 at 20:34
  • If your authorisation checks use a function you could just incorporate a check for an extra row in the DB for it, and when you want to logout all users, just use `UPDATE users SET logged_in = 0` – nyson Oct 08 '12 at 20:38
  • Closest thing to what I did. You can check what I did specifically in my own answer. Thank you! – npiani Oct 12 '12 at 17:27
0

Use a custom Session save handler which stores the sessions in database or file. When you want to destroy all sessions, you can clear the storage (be it database, or file).

Start from - http://php.net/manual/en/function.session-set-save-handler.php

janenz00
  • Would this still work if the application is a one-page application? The users never have to go to a different page. It's pretty much all AJAX. We can't really have a check to see if the SESSIONs have been cleared at the beginning of the page, since the user never actually changes pages. – npiani Oct 09 '12 at 17:13
  • How does the user normally login and logout? Ajax based authentication? – janenz00 Oct 09 '12 at 17:28
  • Yes, I believe so. We're using jQuery UI to take user input, and then pass it through to a PHP page to log the user in. If the user ever refreshes the page or logs out, their session is destroyed and they need to log in once again. – npiani Oct 09 '12 at 17:47
0

What I ended up doing was the following:

I added a field into one of our database tables and checked its value every time our browser tick came through (about every minute or so). If the field is set when the tick comes through, their page is refreshed, thus logging them off the application and destroying their session (we destroy the session when someone leaves the page).
The users cannot log back in until that field has been reverted to '0'.

The admin account can change that field with the click of a button. Therefore their field in the database remains as a '0'

It might be kind of a hack, but it's what I could come up with even after everyone's help. The only issue is that it takes a bit to log everyone off. Problems of pulling vs pushing I guess.

And yes, an email will be sent out some time before logging everyone off so they don't lose work.

Thank you all for your help!

npiani
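
The database flag described in the thread can also be checked on the server at the top of every AJAX endpoint, so an already-open page is rejected on its next request instead of waiting for the browser tick to refresh it. This is an added example, not code from anyone in the thread; the table, column and function names are assumptions, and an in-memory SQLite database stands in for the application's own.

```php
<?php
// Added example; table, column and function names are assumptions.
declare(strict_types=1);

function init_control(PDO $db): void {
    // One row: a counter bumped on each forced logoff, and a login lock.
    $db->exec('CREATE TABLE app_control (id INTEGER PRIMARY KEY, logout_epoch INTEGER, locked INTEGER)');
    $db->exec('INSERT INTO app_control VALUES (1, 0, 0)');
}

function control(PDO $db): array {
    $row = $db->query('SELECT logout_epoch, locked FROM app_control WHERE id = 1')
              ->fetch(PDO::FETCH_ASSOC);
    return ['epoch' => (int) $row['logout_epoch'], 'locked' => (int) $row['locked'] === 1];
}

// Admin button: invalidate every existing session and refuse new logins.
function force_logoff(PDO $db): void {
    $db->exec('UPDATE app_control SET logout_epoch = logout_epoch + 1, locked = 1 WHERE id = 1');
}

// Admin button once the update is deployed.
function reopen(PDO $db): void {
    $db->exec('UPDATE app_control SET locked = 0 WHERE id = 1');
}

// Returns the data to keep in $_SESSION, or null while logins are locked.
function login(PDO $db, string $user, bool $isAdmin): ?array {
    $c = control($db);
    return ($c['locked'] && !$isAdmin) ? null : ['user' => $user, 'epoch' => $c['epoch']];
}

// Run at the top of every AJAX endpoint; pass $_SESSION in a real application.
function status_for(PDO $db, array $session): int {
    $ok = isset($session['user']) && ($session['epoch'] ?? null) === control($db)['epoch'];
    return $ok ? 200 : 401; // on 401 the endpoint would also call session_destroy()
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
init_control($db);
$alice = login($db, 'alice', false);
printf("before logoff: %d\n", status_for($db, $alice));
force_logoff($db);
printf("after logoff: %d, login allowed: %s\n", status_for($db, $alice), var_export(login($db, 'alice', false) !== null, true));
reopen($db);
printf("after reopen: old session %d, new session %d\n", status_for($db, $alice), status_for($db, login($db, 'alice', false)));
```

Because the admin's own session carries the old counter too, the admin logs in again after triggering the logoff; the lock exempts admin logins so the flag can still be reverted.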