
Session Destroy

I have this case:

I have a user logged in on two browsers. When this user changes his password, I want the user to be logged out in both browsers. How can I set up a function that destroys all sessions of this user, without setting up session saving in MySQL? I want to use memcache because it optimizes speed for my website.

Thanks everyone,



6.6k

Store the database object of the current user in $_SESSION. Validate the password from $_SESSION against the one from the database on every request and destroy the session if they're not matching.

When a password is changed, simply find every session for the current user that doesn't have the same session ID as the password-changing session, and remove it.



3.1k

@quasipickle: Now I use the files adapter. When I call "this->session->destroy({sesId})", it doesn't destroy the session with the "sesId" I give; it just destroys the current session.



15.2k

@haithanh You could store a value in memcache with, say, your user's internal id and a password-reset boolean. If it comes back as true on a request, you know to remove the session for the affected browser irrespective of the user's session.

It should also have the benefit of being rather quick. It's a tiny hit on performance, nowhere near as bad as storing in MySQL and looking up the DB on each request.



6.9k
Accepted answer, edited Nov '14

While the proposed solution of validating the password on every load is possible and quick to implement, I wouldn't do it. Since md5 and sha have been found to be insecure, we're using proper hashing systems now (see Phalcon\Security), and this becomes quite expensive in CPU cycles. That is deliberate: the more expensive it is to generate a password, the longer it will take to be able to break them.

For logins and the occasional password change that's no problem, but if you start hashing passwords on every load, for every user... maybe it's not so good an idea.

What you want to do is create a token when a user logs in. Add a table token to your database; the structure could be something like: id, user_id, token, created_on, used_on. Whenever a user logs in, you create a new token and store the id of the token in the session. When the token stops being available, you redirect back to the login page. At this point I'm sure you've figured out how this works: whenever a user changes their password, you remove the tokens associated with the user_id and voila, they'll be logged out everywhere.

There's an added bonus: you can use the token field, which has a random string (md5 or sha are fine here), and store it in a cookie. If they reach the login page and you detect a cookie named login_token or whatever, you test the string against the database, make sure the token isn't too old to use (that's what used_on is for; you update that every login or even every page load, and it'll still be cheaper than validating the password every load) and log them in.

Bonus points for using Redis or another key/value store for your token storage; it'll be even faster.
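The token-table design from the accepted answer, written out as an added illustration in Python rather than Phalcon code (it is not from the original thread). An in-memory sqlite3 database stands in for the application database, a plain dict stands in for the PHP session, and the function names and the 14-day idle limit are assumptions. Per request only an indexed lookup on the token's id is done, never a password-hash comparison; a password change deletes the user's token rows, so every other browser is sent back to the login page on its next request.

```python
"""Added example (not Phalcon code): login tokens in a table, checked per request."""
import secrets
import sqlite3
import time

# Assumed policy: a token that has not been used for 14 days is no longer accepted.
TOKEN_MAX_IDLE_SECONDS = 14 * 24 * 3600


def open_db():
    """Create the token table from the answer: id, user_id, token, created_on, used_on."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user_id INTEGER NOT NULL,"
        " token TEXT NOT NULL UNIQUE,"
        " created_on REAL NOT NULL,"
        " used_on REAL NOT NULL)"
    )
    db.execute("CREATE INDEX token_user_id ON token (user_id)")
    return db


def login(db, session, user_id, now=None):
    """Insert a token row for this login and keep only its id in the session.
    The random token string is returned so it can go into a login_token cookie."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)  # 256 random bits; no need to hash a password here
    cur = db.execute(
        "INSERT INTO token (user_id, token, created_on, used_on) VALUES (?, ?, ?, ?)",
        (user_id, token, now, now),
    )
    session["token_id"] = cur.lastrowid
    return token


def current_user(db, session, now=None):
    """Per-request check: return the user_id, or None when the session must log in again
    (token row deleted by a password change, or token idle for too long)."""
    now = time.time() if now is None else now
    token_id = session.get("token_id")
    if token_id is None:
        return None
    row = db.execute("SELECT user_id, used_on FROM token WHERE id = ?", (token_id,)).fetchone()
    if row is None or now - row[1] > TOKEN_MAX_IDLE_SECONDS:
        session.clear()  # forget the stale token id; caller redirects to the login page
        return None
    db.execute("UPDATE token SET used_on = ? WHERE id = ?", (now, token_id))
    return row[0]


def change_password(db, user_id, keep_token_id=None):
    """Revoke the user's tokens. Pass the changing session's own token id to keep it
    logged in (as quasipickle suggested); pass None to log out everywhere."""
    if keep_token_id is None:
        db.execute("DELETE FROM token WHERE user_id = ?", (user_id,))
    else:
        db.execute("DELETE FROM token WHERE user_id = ? AND id <> ?", (user_id, keep_token_id))


def login_from_cookie(db, session, cookie_token, now=None):
    """Remember-me path from the answer: match the cookie string against the token
    column, refuse tokens idle for too long, and attach the session to the row."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT id, user_id, used_on FROM token WHERE token = ?", (cookie_token,)
    ).fetchone()
    if row is None or now - row[2] > TOKEN_MAX_IDLE_SECONDS:
        return None
    db.execute("UPDATE token SET used_on = ? WHERE id = ?", (now, row[0]))
    session["token_id"] = row[0]
    return row[1]


def demo():
    """Two browsers (constructed sessions) for user 42; browser A changes the password."""
    db = open_db()
    browser_a, browser_b = {}, {}
    login(db, browser_a, 42, now=1000.0)
    login(db, browser_b, 42, now=1001.0)
    before = (current_user(db, browser_a, now=1002.0), current_user(db, browser_b, now=1002.0))
    change_password(db, 42, keep_token_id=browser_a["token_id"])
    after = (current_user(db, browser_a, now=1003.0), current_user(db, browser_b, now=1003.0))
    return before, after  # ((42, 42), (42, None))


if __name__ == "__main__":
    print(demo())
```

Revocation is immediate because the session never carries any authority of its own, only a row id; whatever the session adapter (files, memcached, Redis) is, nothing in it has to be found and deleted. If the cookie variant is used, storing a hash of the token string in the table rather than the string itself limits the damage of a database read.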



3.1k

I use a memcached server instead of the file cache, and I can delete the other session_id. Thanks for your help.