Question
I have a session like this $_SESSION['login'] and when it is equal to 1, it means the user is logged into my website:
if ( $_SESSION['login'] == 1 ) {
// You are logged
} else {
// login/register
}
Also I have another session which contains the user's id. Something like this:
echo $_SESSION["Id"];
/* It contains the user's id (an integer number).
Something like: 234124
*/
Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?
Edit: All I'm trying to do: When a user changes his password, I remove all his cookies from the cookies table to sign him out from all his other devices. Also I want to remove his session.
Answer 1:
Updated Answer
You've provided helpful details in your comments:
When a user changes his password, I need to log out his account from all his other devices.
Your question is essentially how to implement single login/logout across devices if you're using sessions.
Here is a simple approach:
- User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
- User logs into another device, you set userID and lastSeen in that session
- Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName)
- In your DB, have a logout table with columns userID, requestTime
- If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in logout table
- When user tries to access restricted page, you check:
  - Does $_SESSION['userID'] exist (means user logged in at some point)
  - Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
  - Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.
Original Answer
Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).
If you want to unset the current user's session, whoever that user may be, you can do one of the following:
session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user
If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.
Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:
userID | sessionData | sessionExpires
You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
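The checks from the Updated Answer above, as an added PHP example that is not part of the original answer. The logout table and its columns follow the answer; makeDb, requestLogout, sessionIsValid, requireLogin and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
const IDLE_LIMIT = 1800; // 30 minutes, as in the answer

// Assumed schema for the answer's "logout" table; SQLite in memory for the demo.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL)');
    return $db;
}

// On logout or password change: record a request that every device will see.
function requestLogout(PDO $db, int $userId, int $now): void {
    $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)')
       ->execute([$userId, $now]);
}

// The three checks from the answer; true means the session may continue.
function sessionIsValid(PDO $db, array $session, int $now): bool {
    if (!isset($session['userID'], $session['lastSeen'])) {
        return false; // never logged in
    }
    if ($now - $session['lastSeen'] > IDLE_LIMIT) {
        return false; // idle for more than 30 minutes
    }
    // requestTime > lastSeen, as in the answer (same-second ties are not caught).
    $stmt = $db->prepare('SELECT 1 FROM logout WHERE userID = ? AND requestTime > ? LIMIT 1');
    $stmt->execute([$session['userID'], $session['lastSeen']]);
    return $stmt->fetchColumn() === false;
}

// Per-request gate for restricted pages (hypothetical helper name).
function requireLogin(PDO $db): void {
    session_start();
    if (!sessionIsValid($db, $_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Please log in again.');
    }
    $_SESSION['lastSeen'] = time(); // update only after the checks pass
}

// Constructed demo: user 234124 changes password at t=1000 on another device.
$db = makeDb();
requestLogout($db, 234124, 1000);
var_dump(sessionIsValid($db, ['userID' => 234124, 'lastSeen' => 900], 1100));  // old device
var_dump(sessionIsValid($db, ['userID' => 234124, 'lastSeen' => 1050], 1100)); // fresh login
var_dump(sessionIsValid($db, ['userID' => 7, 'lastSeen' => 900], 1100));       // other user
```

The device that changes the password has to log in again as well, which gives it a lastSeen later than the request and lets it pass the third check.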
Answer 2:
It will remove all session variables and destroy the entire session you created.
<?php
//start session
session_start();
// remove all session variables
session_unset();
// destroy the session
session_destroy();
?>
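Answer 3:
if ( $_SESSION['login'] == 1 ) {
    if ( $_SESSION["Id"] == 234124 ) {
        // Clear the variables first, while the session is still active,
        // then destroy the session data on the server.
        session_unset();
        session_destroy();
    }
} else {
    // login/register
}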
Answer 4:
Use session_destroy();
It destroys all of the data associated with the current session. So only the intended user's (who clicked logout, or in your case who changed password) session data will be removed.
Check this to know more.
Source: https://stackoverflow.com/questions/38603431/how-can-i-unset-the-session-of-a-specific-user