Jump to content

How do you delete sessions by ID?

kmaid

By kmaid
in PHP Coding Help

 Share

Recommended Posts

kmaid Member

kmaid

Posted
Posted

Hi all,

 

I am making a user system where I can suspend users. I suspend a user by preventing their login however it does not terminate their current session. Rather than checking the user is still allowed to be login each time a page is loaded I was wondering if I could store the Session ID and then just delete/unregistered it server side.

 

Thanks

Kmaid

 

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

A session is just a container and a visitor can start a new one by just closing his browser and revisiting your site and logging in again. There is no point in trying to delete session data files, unset session variables, or delete session cookies to control what access a visitor has.

 

The best way is to check the database. This also results in the simplest code. Please read my posts in these two threads -

 

http://www.phpfreaks.com/forums/index.php/topic,222819.0.html

 

http://www.phpfreaks.com/forums/index.php/topic,221684.0.html

Link to comment
Share on other sites
kmaid Member

kmaid

Posted
  • Author
Posted

A session is just a container and a visitor can start a new one by just closing his browser and revisiting your site and logging in again. There is no point in trying to delete session data files, unset session variables, or delete session cookies to control what access a visitor has.

 

The best way is to check the database. This also results in the simplest code. Please read my posts in these two threads -

 

http://www.phpfreaks.com/forums/index.php/topic,222819.0.html

 

http://www.phpfreaks.com/forums/index.php/topic,221684.0.html

Hmmmm, I was under the impression that the user gets the ID to their session in a cookie and the data of the session is stored server side. What i want to do is unset the data serverside so the session becomes invalid and they have to login however their account being suspended they will not be able to.

Link to comment
Share on other sites
runnerjp Advanced Member

runnerjp

Posted
Posted

can't be done tom.. the session id is chanaged everytime re-loggedin.. the only way your going to be able to do this is adding a field in your db banned with numeric 0 and 1... this way on login you could check to see if in the field has 1 or 0... then you can set 1 as been banned or 0 as not :)

Link to comment
Share on other sites
kmaid Member

kmaid

Posted
  • Author
Posted

I understand that however i was looking to avoid querying the database for user infomation every time they load a new page for somthing that wont happen that often. I guess i will have to query the DB everytime or set a session variable and check every 10 mins or somthing.

 

Thanks for the help guys. I am not going to mark the post as solved as i am still hopefull for some reason ^^.

Link to comment
Share on other sites
bobbinsbro Member

bobbinsbro

Posted
Posted

hold on, but when you ban a user, you update the database right? so what you want to do is kick the user out of your site by session only one, because if they try to get back in (by reloading the web site for example), access would be prevented by user login. since you're using sessions, i assume you have a valid session check at the top of each page. so why not use session_destroy()  just like runnerjp suggested? that would deny access to one all pages with current sessionID, and the login would deny future access.

Link to comment
Share on other sites
kmaid Member

kmaid

Posted
  • Author
Posted

Because i dont query the database. I use the following code to just check that they had a session made and that they have the correct userlevel to use the page. From what i have read it is safe to do this because the user cant touch these variables unless i am greatly mistaken.

 



	function libSecurity($RequiredUserLevel)    

	{

		session_start();

		if(isset($_SESSION["UserName"]))

		{

			if ($_SESSION["Level"]>=$RequiredUserLevel)

			{

				return true;

			}

		}

		if (isset($_SERVER['HTTP_X_REWRITE_URL']))

		{

			$_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_REWRITE_URL'];

		}

		$_SESSION['RequestedURL']=$_SERVER['REQUEST_URI'];

		header("Location: Login.php");

		exit(0);

		return false;

	}

[/Code]

Link to comment
Share on other sites
Andy-H Advanced Member

Andy-H

Posted
Posted

Lol, there are many ways to intercept and edit session data, google burp suite and you will find an example of software to do so. Then all you need is someone elses valid session ID (obtained by XSS usually) and you can login to someones account, or in the case of your site, change your userlevel...

Link to comment
Share on other sites
kmaid Member

kmaid

Posted
  • Author
Posted

I know about session Hijacking but how can you edit session variables? Surely being able to do this makes the entire thing pointless as i would have to put their username and password into the session that can then be edited. I hope you do not mind Andy-H, I have attempted to add you onto msn in the hope i could talk to you about this further to gain a better understanding.

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.