I have a web site where admin can ban users.

How do I destroy a user's SESSION when he receives a ban? So the plan is: if the user is logged in and he receives a ban, the web site kills the SESSION and the user will be logged out automatically, or after a page refresh or something?

On every page I check with SESSION['logged_in'] whether the user is logged in, and the value is the user's ID from the database. So if the user with ID=1 receives a ban, I want to kill the SESSION with this VALUE.

I don't use cookies. Thanks for the answers :)

  • `session_destroy` ? -- _I don't use cookies.._ You do when using session -- What if the user logs in again? – B001ᛦ Jul 21 '20 at 00:17
  • @B001ᛦ session_destroy won’t work in the case where the ban is, for example, applied via a moderator action. The normal login case is easy to handle as the database is utilized and a banned user can easily be refused authentication at that point. – user2864740 Jul 21 '20 at 00:19
  • (This question is essentially asking how to revoke a previous authorization, and has tied it strongly to using the SESSION for validation..) – user2864740 Jul 21 '20 at 00:22
  • Is this site using a specific PHP framework? The most consistent method might be to hook into the mechanism to restore the session on each request. Inside this code there would be an additional check to verify that the user has not been added to an exclude list, which might involve reading from a DB (e.g.). If this is done consistently then the SESSION data exposed to the code can be guaranteed ‘updated’ on each request. – user2864740 Jul 21 '20 at 00:29
  • Wowser, some **terrible duplicates** - 1/3 is not a passing grade. I guess at least one person got it right, *shrug* – user2864740 Jul 21 '20 at 00:34
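
The per-request check suggested in the comments above, as an added example (not code from the question or its commenters): every page re-validates the ID stored in `$_SESSION['logged_in']` against the database and tears the session down if the user has been banned since login. The `users.banned` column, the in-memory SQLite database and the function names `isBanned` and `requireActiveUser` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the question): users(id INTEGER PRIMARY KEY, banned INTEGER).
function isBanned(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT banned FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $banned = $stmt->fetchColumn();
    // A missing row (deleted account) is treated like a ban: fail closed.
    return $banned === false || (int) $banned === 1;
}

// Call at the top of every page, right after session_start() and before any output.
// Returns the user ID if still authorised, or null after revoking the session.
function requireActiveUser(PDO $db): ?int
{
    if (!isset($_SESSION['logged_in'])) {
        return null;
    }
    $userId = (int) $_SESSION['logged_in'];
    if (!isBanned($db, $userId)) {
        return $userId;
    }
    // Revoke: clear the data, expire the session cookie, delete the server-side record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return null;
}

// Demonstration with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, banned INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO users (id, banned) VALUES (1, 0)');

session_start();
$_SESSION['logged_in'] = 1;                              // user 1 logged in earlier
$beforeBan = requireActiveUser($db);                     // request made before the ban
$db->exec('UPDATE users SET banned = 1 WHERE id = 1');   // moderator bans user 1
$afterBan = requireActiveUser($db);                      // next request from the same session
var_dump($beforeBan, $afterBan);
```

Because the ban is looked up on each request, the moderator's action never needs to locate or touch the banned user's session file; the session revokes itself on its next use.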

0 Answers