Kill Active Session if User Is Banned


Question

I have set up a login system that checks a MySQL db validating username, hashed password, and a banned column (0 means not banned and is the default value, 1 means banned). If they're banned they obviously cannot log in.

The problem is I'm new to PHP and having a hell of a time trying to figure out how to log out a user who is currently logged in. As it stands now my cookie will last for 2 weeks, and even if I ban a user, their session will stay active, thus they will have access for 2 weeks or less.

How can I force a user to reauthenticate, without penalizing the masses?

Recommended answer

Your server knows what cookie is associated with each user. Why not just delete that cookie from its "current sessions" table?

If the cookie is just "username, who is logged in", you have a real problem, because instead of a magic number, the cookie contains real information, and it becomes trivial to forge. Then a malicious user could simply create a cookie saying "I am [admin], and I am logged in", and that's obviously a much larger problem. So if you can't just delete the session cookie from the "known cookies" table to solve this problem, you have a bigger problem to worry about.
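The pattern the answer describes, written out as an added example (not code from the asker or the answerer, and in Python with an in-memory SQLite database rather than the asker's PHP/MySQL stack): the cookie holds only an opaque random token, the server maps tokens to users in a sessions table, and banning a user deletes their rows from that table so every existing cookie stops working immediately. The table and column names are assumptions standing in for the asker's schema.

```python
import secrets
import sqlite3

# Constructed stand-in for the asker's MySQL tables (assumed names/columns).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    banned INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE sessions (
    token TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id)
);
INSERT INTO users (username) VALUES ('alice'), ('bob');
""")


def login(username):
    """Issue a session token for a non-banned user.

    The token is random and carries no user information, so it cannot be
    forged the way a cookie containing "username=admin" could be.
    Returns the value to set in the cookie, or None if login is refused."""
    row = db.execute("SELECT id FROM users WHERE username = ? AND banned = 0",
                     (username,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (token, user_id) VALUES (?, ?)", (token, row[0]))
    return token


def current_user(cookie_token):
    """On every request, resolve the cookie through the sessions table.

    A token that is missing (deleted on ban, or never issued) yields None,
    and the ban flag is re-checked as well in case a row was missed."""
    row = db.execute(
        "SELECT u.username FROM sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.token = ? AND u.banned = 0", (cookie_token,)).fetchone()
    return row[0] if row else None


def ban(username):
    """Set the ban flag and drop every active session for that user.

    Deleting the rows is the "delete that cookie from the current sessions
    table" step: the client still holds its cookie, but the server no longer
    recognises it, so the user is forced to re-authenticate right away."""
    db.execute("UPDATE users SET banned = 1 WHERE username = ?", (username,))
    db.execute("DELETE FROM sessions WHERE user_id IN "
               "(SELECT id FROM users WHERE username = ?)", (username,))
```

Only the banned user's sessions are removed, so everyone else keeps their two-week cookie; the same `DELETE` scoped to one token also gives you an ordinary logout.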
