In Codeigniter, how do I remove specific user's session?
I have set login session like below. And I want to remove specific MemId's LoggedIn(in other words, session for just one user) assuming there are about 1000 users.
$this->session->set_userdata([
'LoggedIn'=>true,'MemId'=>PrimaryKey
]);
When user logged in you are setting two session variables.One is LoggedIn and another 'MemId' which is the primary key of member.So,first retrieve the logged in user member id from database then unset it.Might work properly.
MemId is the member id of user for which you want to remove session.
$this->session->unset_userdata('MemId');
Related
I am using a session_variable as the user_id to get information about the user by querying with the help of the variable. Whenever my user logs in with correct credentials, I create a session variable using:
\Session::put('user_id', $user_id);
And now I have a condition when the user logs out from the website,so how do I remove the session variable from the session using laravel. I tried something like : session()->forget('some_data'); which didn't seem to work for me so what should I do to remove all the session variable I have in the webpage?
You can try with this
Session::flush(); // removes all session data
Session::forget('user_id') // Removes a specific variable
I been using my session id to identify all the items that are added to a shopping cart temporary items table.
What I didn't know is that once the user login into the system the session id changes so I can't query the temporary items table anymore as there is no products containing the new session id value.
I am using file session driver and I was thinking to use db sessions but I think it will be exactly the same.
Any ideas on how to keep the session id after login?
Instead of using user's session_id you can store the cart items in a separate session key.
Like so -
Session::put('cart.items.0', $item_id);
Now you can access it as -
$cart = Session::get('cart');
Not exactly what you asked for, but to me this seems like a better way.
What is the best way to securely login in a user and keep the user signed in with cookies and sessions?
For example:
Check if password and email are valid for a specific user
Set a cookie with arbitrary string
Create a session with the same arbitrary string
Validate each request by the user by making sure the arbitrary strings of the cookie and session are the same
What is the best way to securly login in a user and keep the user signed in with cookies and sessions?
Using an established library.
It depends on how you define "create a session". For our purposes here let's define this as "create a server-side data store with an id and set a cookie with that id"; i.e. what the default session_start() does. Then:
Ensure the connection is HTTPS.
Check login credentials.
If valid, create a session (see above) with a large, (pseudo-)random id and an expiration time as short as possible but as long as necessary. Security here comes from the fact that it's infeasible to guess suitably random session ids, so the longer they are and the shorter their window of validity is the better.
Store the id of the logged in user in the session.
On each page request, see if the session with the id from the cookie exists; if so, use the user id stored in it to get your logged in user.
Optionally storing and checking the user agent is not a bad idea; you should not check the IP address though, as that may change legitimately.
Apart from storing it in sessions , you can also follow this method for keeping an user logged in , even after he closes the browser ->
1) Create a cookie storing user details and an unique hash
2) Create a sessions table (in a mysql db or any other db of your choice) where the unique hash is stored against the user-id, and the user agent of the browser,and the ip address .
3) Next time when the user logs in check that when the user logs in , is it from the same ip,same user agent .. If not , then delete the database entry , and repeat steps 1 and 2.
Apart from keeping an user logged in , it also gives you better security than just storing in sessions.
I have found that Code Igniter has already ci_sessions table which stores users session ids in it. I understand the main purpose of that table. Just I want to clarify how I can validate with ci_session table data with my current user login session id?
Basically , I am trying to do User login one place at a time. Multiple login's to be prevented. How can I do this?
You couldn't do that with session ID's since logging in from another location would create a new session ID at that new location.
Store the userID to the session then check it on login.
$this->db->where('userId',$userId);
$result = $this->db->get('ci_session');
if($result->num_rows() > 0)
{
//log out old user, throw error, whatever
} else {
//continue with login
}
By storing the user id in the session data and adding it as a column to the sessions table, you can remove all sessions of that user id on login before the session data is created. This will invalidate any session of the same user. For further explanation on how to do this, see here: https://stackoverflow.com/a/9564433/89211
I basically want to setup in my LogOn Action a conditional statement that looks at the username, and determines that username is already logged in.
At which point the user should be informed.
That account is logged in, if you think you've been hijacked...yada yada yada.
I thought I could add something after this conditional, is there something like my made up method Membership.CheckIfUserIsOnline(string username) out there already?
if (ModelState.IsValid)
{
if (Membership.ValidateUser(model.UserName, model.Password))
{
//See the line below, I made this method up.
if (Membership.CheckIfUserIsOnline(model.UserName){
ModelState.AddModelError("", "Someone else is logged into this account.");
}
If you're using Session State, I would store (ideally in an application-wide cache or alternatively in your application database) a record keyed on the User ID, storing the Session ID.
Then, check the logged-in User ID against the current Session ID when you're looking to detect multiple logons. If the Session ID stored in the database doesn't match the Session ID of the current Session, that may indicate multiple logons.
You have to deal with expiring the values from the data store (which is why an application-wide cache may be better than the application database) and with normal termination of a session (on logoff), but if you're only using it to alert the user, it's probably good enough.