Many websites I've created have user data stored in sessions for quick access. The problem is that if an Administrator chooses to delete or disable a user's account, as long as they have their session cookies they're still technically "logged in."

While there are a few workaround solutions, such as making a database check on the user before they make any changes or adding a database check into the logged in verification function, these are less efficient than I would like.

So my question is, is there a way to close a session for a user from another user based on data stored in said session, like a user ID? If not, when would it be considered insecure to use session data internally, without database verification?

I should note that this question is asked under the assumption that I will be using the built-in $_SESSION variable, not some sort of custom database implementation, since a database session would be fairly easy to track down.

I'm trying to avoid using a database since keeping session data on the local server is far more efficient than adding the latency of connecting to an external database every time I want to access session data.

Ecksters
  • You can try to use server code to give you access to what you need and allow the server to link between the session and the userid. Once you have that info, the server code should help you do what you need. – James Oravec Feb 21 '13 at 15:44
  • Have you looked at getting all the sessions: http://stackoverflow.com/questions/1248008/session-list-in-php And how to kill a particular session: http://stackoverflow.com/questions/6730123/how-to-destroy-a-specific-php-session – James Oravec Feb 21 '13 at 15:50
  • The first link appears to assume use of the built-in SESSION, while the second one assumes a custom database-based session design. Perhaps using a database design is ideal. Is there any advantage to using a database session over just verifying it through the DB every time? – Ecksters Feb 21 '13 at 15:53
  • I like the idea of using the database session, as it allows you to rely on existing software, whereas the other method looks like it'd be more home cooked. – James Oravec Feb 21 '13 at 19:10
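The approach the comment thread circles around (list the server-side sessions, then switch to each one with session_id() and destroy the ones that belong to the deleted account) can be done with the built-in files handler. The following is an added example, not code from the question or from any answer; it assumes the default "files" save handler, that logged-in sessions keep the account ID under $_SESSION['user_id'] (an assumed key name), and that the PHP process can read the session save path.

```php
<?php
declare(strict_types=1);

// Added example: revoke every file-based PHP session belonging to one user.
// Assumptions: default "files" save handler; account ID stored under
// $_SESSION['user_id'] (assumed key); the save path is readable by PHP.

function session_files_dir(): string
{
    // session.save_path may look like "N;MODE;/path" when directory depth
    // is configured; the directory is always the last ';'-separated part.
    $raw = session_save_path() ?: sys_get_temp_dir();
    $parts = explode(';', $raw);
    return rtrim((string) end($parts), '/\\');
}

/**
 * Destroy all sessions whose $sessionKey equals $userId.
 * Returns the number of sessions removed.
 */
function destroy_sessions_for_user(int $userId, string $sessionKey = 'user_id'): int
{
    // session_id() can only switch sessions while none is active, so park
    // the caller's (e.g. the administrator's) own session and restore it later.
    $callerId = session_status() === PHP_SESSION_ACTIVE ? session_id() : null;
    if ($callerId !== null) {
        session_write_close();
    }

    // use_cookies=0: otherwise session_start() on Bob's ID would send the
    // administrator's browser a Set-Cookie header carrying Bob's session ID.
    // cache_limiter='': no cache headers, so this also works after output began.
    $opts = ['use_cookies' => 0, 'use_only_cookies' => 0, 'cache_limiter' => ''];

    $destroyed = 0;
    foreach (glob(session_files_dir() . '/sess_*') ?: [] as $file) {
        $id = substr(basename($file), strlen('sess_'));
        // Accept only the characters PHP itself uses in session IDs, so a stray
        // file name in the directory is never handed to session_id().
        if (!preg_match('/^[A-Za-z0-9,-]{1,256}$/', $id)) {
            continue;
        }
        session_id($id);
        if (!session_start($opts)) {
            continue;
        }
        if (isset($_SESSION[$sessionKey]) && (int) $_SESSION[$sessionKey] === $userId) {
            // Removes the server-side data: the cookie the user still holds now
            // points at nothing, and their next request starts unauthenticated.
            session_destroy();
            $destroyed++;
        } else {
            // Release this session's file lock without writing anything back.
            session_abort();
        }
    }

    $_SESSION = [];
    if ($callerId !== null) {
        session_id($callerId);
        session_start($opts);
    }
    return $destroyed;
}

// Usage from the admin action that deletes or disables account 42 (constructed value):
// $removed = destroy_sessions_for_user(42);
```

The scan is linear in the number of session files and briefly takes each file's lock, which is the trade-off the question anticipates: acceptable for a rare admin action, not something to run on every request. It only works with the files handler (memcached, redis or custom handlers cannot be enumerated this way), and on a host where the save path is shared with other applications the scan will touch their sessions too.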

4 Answers

Have you tried session_destroy?

Session Destroy

Kolby
  • You seem to have misread the question. I am attempting to delete a session for which the user performing the deletion does not have the cookies for. In other words, allowing one user to delete another user's session. – Ecksters Feb 21 '13 at 15:46
Try using the following to achieve what you are looking for:

James Oravec
  • The first link is pretty much what I needed (how to search for a session ID based on data stored in the session), but the second link's answer is claiming it must be done using a custom database method. Another answer says something about using `session_id($sessionID);`, is this what you're referring to? Because I think that might work. I'm just not certain how to go about obtaining the ID in question based on the first link. – Ecksters Feb 21 '13 at 16:16
You can use session_destroy at the end of the process, but furthermore:

In order to kill the session altogether, like to log the user out, the session id must also be unset [and] then the session cookie must be deleted.

As a side note: one 'good' thing about PHP documentation is you're absolutely, like, guaranteed a laugh.

Grant Thomas
  • You seem to have misread the question. I am attempting to delete a session for which the user performing the deletion does not have the cookies for. In other words, allowing one user to delete another user's session. – Ecksters Feb 21 '13 at 15:46
  • And this gives you such an answer. – Grant Thomas Feb 21 '13 at 15:48
  • If I'm the administrator and I delete the user "Bob", using session_destroy will delete MY session, not the session that the cookies on Bob's computer give access to. Unless I'm missing something, the documentation does not answer my question. – Ecksters Feb 21 '13 at 15:50
  • Does your session implementation use defaults? If so, a cookie is set per session, and you can't delete that cookie from another machine, ergo, your answer is "no" if you can read into the quote. – Grant Thomas Feb 21 '13 at 16:01
  • I can't delete their cookies, of course, but I should be able to remove the session data on my server that their cookies link to. – Ecksters Feb 21 '13 at 16:01
  • Why _should_ you be able to? I don't know a single web framework that will give API access to individual sessions from another session in the session implementation. – Grant Thomas Feb 21 '13 at 16:03
  • To prevent users from being able to use their sessions after losing access to the website. Any database-implemented sessions could easily be searched through and have the offending session removed, so it seems logical that it'd be possible with the standard implementation. Doing so may be inefficient compared to doing it in a database-based session, but since user deletion is so uncommon it may be worth it. This is a matter of efficiency; I've already listed a couple of easy ways I could securely do it, but I'm hoping to use the highly-optimized built-in sessions. – Ecksters Feb 21 '13 at 16:09
You can't destroy a session on someone else's computer. If you really want to do it, you should check on every page whether the account is still available, or use some other workaround.

Naruto
  • I can't delete their cookies, of course, but I should be able to remove the session data on my server that their cookies link to. – Ecksters Feb 21 '13 at 15:58
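The "check on every page" workaround from this answer, written out as an added example that is not part of the answer. It goes slightly beyond the answer by re-verifying the account only once per interval and remembering the last check in the session, so a deleted or disabled account is locked out within that many seconds rather than costing one query on every request. It assumes a PDO connection $pdo, a users table with id and is_active columns (assumed schema), and the account ID stored under $_SESSION['user_id'] (assumed key).

```php
<?php
declare(strict_types=1);

// Added example: per-request account verification with a bounded revocation
// window. Assumptions: PDO connection $pdo; table `users` with `id` and
// `is_active` columns (assumed schema); account ID in $_SESSION['user_id'].

function require_active_account(PDO $pdo, int $interval = 60): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        return; // anonymous visitor, nothing to verify
    }

    $now = time();
    $lastCheck = (int) ($_SESSION['account_checked_at'] ?? 0);
    if ($now - $lastCheck < $interval) {
        // Verified recently: a revoked account stays usable for at most $interval seconds.
        return;
    }

    $stmt = $pdo->prepare('SELECT is_active FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $active = $stmt->fetchColumn();

    if ($active === false || (int) $active !== 1) {
        // Account deleted (no row) or disabled: end the session on the server
        // and expire the client's cookie so the stale login cannot be replayed.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        http_response_code(403);
        exit('Your account is no longer active.');
    }

    $_SESSION['account_checked_at'] = $now;
}

// Usage at the top of every authenticated page (constructed DSN):
// $pdo = new PDO('sqlite:/path/to/app.db');
// require_active_account($pdo, 60);
```

Setting $interval to 0 gives the literal per-request check from the answer; a larger value trades database load for a longer window in which a revoked account can still act, which is the security question the original post raises about trusting session data without verification.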