How can I unset the session of a specific user?
Question
I have a session like this, $_SESSION['login'], and when it is equal to 1 it means the user is logged into my website:
if ( $_SESSION['login'] == 1 ) {
// You are logged
} else {
// login/register
}
Also I have another session variable which contains the user's id. Something like this:
echo $_SESSION["Id"];
/* It is containing the user's id (an integer number).
Something like: 234124
*/
Now I want to unset $_SESSION['login'] for the user who has a specific id. For example, I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?
All I'm trying to do: when a user changes his password, I remove all his cookies from the cookies table to sign him out of all his other devices. I also want to remove his session.
Answer
Updated Answer
You've provided helpful details in your comments:
When a user changes his password, I need to log his account out from all his other devices.
Your question is essentially how to implement single login/logout across devices if you're using sessions.
Here is a simple approach:
- User logs in, you set userID and lastSeen in the session. lastSeen holds a timestamp. Save no info in the session that the user can change.
- User logs into another device, you set userID and lastSeen in that session.
- Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName).
- In your DB, have a logout table with columns userID, requestTime.
- If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in the logout table.
- When the user tries to access a restricted page, you check:
  - Does $_SESSION['userID'] exist (means the user logged in at some point)?
  - Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)?
  - Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device)? If so, session_destroy() and require another login.
Original Answer
Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded into memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).
If you want to unset the current user's session, whoever that user may be, you can do one of the following:
session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user
If from one user's browsing session you want to mess with another user: I don't see the use case. It sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.
Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:
userID | sessionData | sessionExpires
You could store session data as JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
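The procedure from the updated answer (set userID and lastSeen at login, record a row in the logout table on password change, and reject any other device's session whose lastSeen predates that row), as an added example that is not the answerer's own code. It assumes PHP with the pdo_sqlite extension; the table and column names (logout, userID, requestTime) come from the answer, while the function names, the in-memory SQLite database and the 30-minute idle window are my assumptions. Timestamps are stored as milliseconds so that two events in the same second are still ordered.

```php
<?php
// Added example, not the answer's own code. Assumes session_start() has
// already been called by the page that includes this file, and that PDO
// with SQLite is available (swap the DSN for your real database).
declare(strict_types=1);

const IDLE_LIMIT_MS = 30 * 60 * 1000;   // 30 minutes, per the answer

function nowMs(): int
{
    return (int) floor(microtime(true) * 1000);
}

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // In-memory SQLite keeps the example self-contained and offline.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL)');
        $pdo->exec('CREATE INDEX logout_user_time ON logout (userID, requestTime)');
    }
    return $pdo;
}

// Call after the password check succeeds. Regenerating the ID prevents a
// pre-login session ID chosen by an attacker (session fixation) from
// becoming an authenticated one. Only immutable data goes into the session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['userID' => $userId, 'lastSeen' => nowMs()];
}

function destroyCurrentSession(): void
{
    $_SESSION = [];          // session_destroy() alone leaves $_SESSION populated
    session_destroy();
}

// Logout, password change, or anything else that must end every device's
// session: record the request, then drop the current session.
function logoutEverywhere(int $userId): void
{
    $stmt = db()->prepare('INSERT INTO logout (userID, requestTime) VALUES (:uid, :t)');
    $stmt->execute([':uid' => $userId, ':t' => nowMs()]);
    destroyCurrentSession();
}

// Gate for restricted pages: true means the request may proceed.
function sessionIsValid(): bool
{
    if (!isset($_SESSION['userID'], $_SESSION['lastSeen'])) {
        return false;                               // never logged in here
    }
    $now      = nowMs();
    $lastSeen = (int) $_SESSION['lastSeen'];
    if ($now - $lastSeen > IDLE_LIMIT_MS) {
        destroyCurrentSession();                    // idle too long
        return false;
    }
    // Did this user ask to be logged out (from any device) since we last saw them?
    $stmt = db()->prepare(
        'SELECT COUNT(*) FROM logout WHERE userID = :uid AND requestTime > :seen'
    );
    $stmt->execute([':uid' => (int) $_SESSION['userID'], ':seen' => $lastSeen]);
    if ((int) $stmt->fetchColumn() > 0) {
        destroyCurrentSession();
        return false;
    }
    $_SESSION['lastSeen'] = $now;                   // touch on every valid request
    return true;
}

// CLI walk-through: device A logs in, device B changes the password,
// device A's next request is rejected. Two devices are simulated by
// snapshotting and restoring the session array.
if (PHP_SAPI === 'cli') {
    session_start();
    loginUser(234124);                 // device A (the id from the question)
    $deviceA = $_SESSION;
    usleep(2000);                      // make sure requestTime > lastSeen
    logoutEverywhere(234124);          // device B: password change
    session_start();
    $_SESSION = $deviceA;              // device A sends its next request
    var_dump(sessionIsValid());        // bool(false): A must log in again
}
```

The comparison is strictly "requestTime > lastSeen", as in the answer, so a device that touched its session in the same instant the logout row was written would slip through; millisecond timestamps make that window small, but if you keep integer seconds you should also compare on session start time rather than lastSeen alone. Old rows in the logout table can be purged once they are older than the idle limit, since no surviving session can have a lastSeen that far back.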