如何取消设置特定用户的会话? [英] How can I unset the session of a specific user?

问题描述

我有一个类似 $_SESSION['login'] 的会话，当它等于 1 时，表示该用户已登录到我的网站:

I have a session like this $_SESSION['login'] and when it is equal with 1, it means the use is logged into my website:

if ( $_SESSION['login'] == 1 ) {
    // You are logged
} else {
    // login/register
}

我还有另一个包含用户 ID 的会话.像这样:

Also I have another session which contains user's id. Something like this:

echo $_SESSION["Id"]; 
/* It is containing the user's id (an integer number).
   Something like: 234124
*/

现在我想为具有特定 ID 的用户取消设置 $_SESSION['login'].例如，我想 unset($_SESSION['login']) 为 $_SESSION["Id"] = 234124.我该怎么做?

Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?

我要做的所有事情:当用户更改他的密码时，我从 cookies 表中删除他的所有 cookie，以将他从他的所有其他人中注销设备.我也想删除他的会话.

All I'm trying to do: When an user changes his password, I remove all his cookies from cookies table to sign him out from all his other devices. Also I want to remove his session.

推荐答案

更新答案

您在评论中提供了有用的详细信息:

Updated Answer

You've provided helpful details in your comments:

当用户更改密码时，我需要从他的所有其他设备.

When an user changes his password, I need to logout his account from all other his devices.

您的问题本质上是如果您使用会话，如何跨设备实现单点登录/注销.

Your question is essentially how to implement single login/logout across devices if you're using sessions.

这是一个简单的方法:

1. 用户登录，您在会话中设置userID 和lastSeen.lastSeen 保存一个时间戳.在会话中不保存用户可以更改的信息.
2. 用户登录到另一台设备，您在该会话中设置 userID 和 lastSeen
3. 跨设备的会话始终保持同步(lastSeen 除外)，因为它们只保存不变的数据(用户 ID、用户名)
4. 在您的数据库中，有一个 logout 表，其中包含 userID requestTime
5. 如果用户注销、更改密码或执行任何其他需要重新登录的操作，请调用 session_destroy() 并在 logout 表中添加一个条目
6. 当用户尝试访问受限页面时，您检查:
   • $_SESSION['userID'] 是否存在(表示用户在某个时间登录)
   • 在过去 30 分钟内lastSeen(否则，调用 session_destroy() 并请求再次登录)
   • 在logout 和requestTime > 中是否有用户ID 的注销请求?lastSeen(表示自从我们上次看到用户以来，她请求从另一台设备注销).如果是这样，session_destroy() 并要求再次登录.

1. User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
2. User logs into another device, you set userID and lastSeen in that session
3. Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName)
4. In your DB, have a logout table with columns userID requestTime
5. If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in logout table
6. When user tries to access restricted page, you check:
   • Does $_SESSION['userID'] exist (means user logged in at some point)
   • Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
   • Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.

原答案

会话是单独处理的.当请求到达时，该用户的 $_SESSION 数据会加载到内存中.因此，如果用户 ID 5 发出请求，您将无权访问用户 7 的会话数据(没有一些黑客攻击).

Original Answer

Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).

如果您想取消设置当前用户的会话，无论该用户是谁，您都可以执行以下操作之一:

If you want to unset the current user's session, whoever that user may be, you can do one of the following:

session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user

如果在一个用户的浏览会话中，您想与另一个用户混为一谈:我没有看到用例.听起来它会对安全产生负面影响，这让我质疑你的更大架构.它违背了会话的全部目的:在服务器上为每个用户提供一个隔离的、持久的存储柜.

If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.

无论如何，要从另一个用户的浏览活动中更改随机用户的会话数据(再说一遍，为什么?)，请改用数据库来保存和检索值.一个表格可以很简单:

Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:

userID | sessionData | sessionExpires

您可以使用 json_encode 将会话数据存储在 JSON 中，并使用 json_decode 从任何浏览会话中为任何特定用户检索它.

You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.

这篇关于如何取消设置特定用户的会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！