

Question:

When a user successfully authenticates on my site, I store their user id in session: $_SESSION['user_id']

I then use this throughout the site to check if the user can perform certain actions. e.g.

if(isset($_SESSION['user_id'])){
    //User is logged in, allow the following.
    ...
}

...

if ( $_SESSION['user_id'] == $comment_user ) {
    //User owns the comment, go ahead and delete it.
    ...
}


However, if I discover that a signed-in user has malicious purposes, how can I kill their login session so that they cannot perform these secure actions?

To block the user, on the db I can invalidate their login details, or add them to a blocked list that is checked upon authentication so that they can no longer authenticate. However, this would only have effect when they next attempt to log in. As long as the current session remains active and their user id is stored in session, they are considered authenticated.

  • Is there a way to unset a specific session, forcing a logout? How?
  • If not, what is the best way to make sure blocked users cannot continue to access secure areas on the site? e.g. My only idea is, rather than just checking if(isset($_SESSION['user_id'])), an additional check can be added to make sure the user_id hasn't been added to a "blocked users" list on the db. I just don't like that another db request is made to check if the user has been added to a blocked list each time they perform some action. Especially because blocking a user would be a rare occurrence. Is there a way to check if the user has been blocked without going to the db?
  • Thanks!

    Edit

    Most answers so far address how to unset/destroy a session, or how to block a user from their next login attempt. I guess the only question remaining then is how to check whether a user has been blocked while they are currently logged in. Is there a way to do this without going to the DB to check a "blocked users" list each time a user performs an action? This relates to my main issue, which is in bold italics above. If the user is blocked then I can immediately destroy the session (forcing a logout) and they will also be prevented from authenticating again.


    Best Answer:


    Presuming you're using a DB, storing the session identifier in there and banning them from any future logins, then the easiest way of achieving this is to additionally delete their session file from your file-system.


    Finding session files

    PHP sessions are often stored in the /temp or /tmp or /var/lib/php5/ directory (it varies). Although the default session.save_path is set to "", you can set the location by using:

    session_save_path('/path/to/session/dir');

    Or even in your .htaccess file:

    php_value session.save_path /path/to/session/dir/


    How session files are stored

    Session files are prefixed with sess_ within a file system:

    -rw-------  1 www-data www-data    0 2013-04-19 05:39 sess_141d2215ce74452ea6b1f69eea228159

    Which, in the above example contains:

    AutoLogout|s:4:"3600";FirstName|s:4:"John";Lang|s:2:"en";LastLogin|s:19:"2013-04-19 17:26:18";LastName|s:8:"Smith";RegDate|s:19:"2012-11-12 17:18:13";TimeOut|i:1366421178;UserEmail|s:22:"johnsmith@domain.com";UserId|s:1:"3";authenticatedUser|s:22:"johnsmith@domain.com";year|s:4:"2013";

    As long as you have a record of their ID (assuming in your DB), you can delete them programmatically.


    Deleting session files instantly using PHP

    PHP provides the ability to delete a file using unlink() and thus, when banning a user and preventing them from logging in (in the future), you can also ban them instantly by appending something like this to your banning function or creating an instant-kick function, using something like:

    $sessionID  = 'sess_'.$sessionIdFromDB;     // session files are named sess_<id>
    $sessionDir = '/path/to/session/dir';       // Wherever your sessions are stored
    unlink($sessionDir."/".$sessionID);         // remove the file: the session no longer exists server-side

    However, this technique assumes you have the permissions to delete the session file in question. If you don't, then you would need to adjust the file permissions or change them using chown() and/or chmod() or on your file-system.


    Manual deletion

    You can also delete session files manually using a terminal. Whilst this might seem pointless, I've seen it used in the past to instantaneously kick all users out prior to doing something business specific:

    # SSH
    cd /path/to/session/dir
    rm -rf sess_*

    Which, once executed, invalidates all user sessions.
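The following is an added example, not code from the answer above or the questioner's site. It puts the answer's "delete the session file" technique next to an answer to the questioner's remaining edit (checking for a block while logged in without a DB query per request). It assumes the default file-based session handler, that the session id was recorded in the DB at login (the answer's own premise), and a ban-list JSON file (blocked.json) that is this example's own assumption; the ban list is re-read only when its mtime/size changes, so a normal request costs one stat() rather than a query. The session id pulled back from the DB is validated against PHP's session-id alphabet before being used in a path, since the answer's bare string concatenation would otherwise unlink whatever path a tampered DB value pointed at.

```php
<?php
declare(strict_types=1);

// Added example; not from the original answer. Assumes the default file-based
// session handler and that the session id was saved to the DB at login.

/** Delete one session file, i.e. force-logout that session on its next request. */
function revokeSessionFile(string $sessionDir, string $sessionId): bool
{
    // PHP session ids only ever contain [0-9a-zA-Z,-]. Validating the value that
    // came back from the DB keeps "../" or NUL bytes out of the path we unlink.
    if (!preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $sessionId)) {
        throw new InvalidArgumentException('refusing to unlink: not a session id');
    }
    $path = rtrim($sessionDir, '/') . '/sess_' . $sessionId;
    if (!is_file($path)) {
        return false;  // already expired, garbage-collected, or never existed
    }
    return unlink($path);
}

/**
 * Blocked user ids, loaded from a small JSON file (an assumption of this example)
 * that only the banning code rewrites. Each request pays for one stat(), not a
 * DB query; the list is parsed again only when the file's mtime or size changes.
 */
function loadBlockedIds(string $banFile): array
{
    static $cache = ['key' => null, 'ids' => []];
    clearstatcache(true, $banFile);
    $key = is_file($banFile) ? filemtime($banFile) . ':' . filesize($banFile) : 'none';
    if ($key !== $cache['key']) {
        $raw = $key === 'none' ? [] : json_decode((string) file_get_contents($banFile), true);
        $ids = array_fill_keys(array_map('intval', is_array($raw) ? $raw : []), true);
        $cache = ['key' => $key, 'ids' => $ids];
    }
    return $cache['ids'];
}

/** Called by the banning code: add a user id to the list (the DB ban happens elsewhere). */
function blockUser(string $banFile, int $userId): void
{
    $ids = array_keys(loadBlockedIds($banFile));
    $ids[] = $userId;
    file_put_contents($banFile, json_encode(array_values(array_unique($ids))), LOCK_EX);
}

/** Call right after session_start() on every request. Returns true if it logged the user out. */
function enforceBlock(string $banFile): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $blocked = loadBlockedIds($banFile);
    if (!isset($blocked[(int) $_SESSION['user_id']])) {
        return false;
    }
    $_SESSION = [];      // drop user_id so later isset() checks fail in this request too
    session_destroy();   // and remove the server-side session file
    return true;
}

// ---- Constructed demo: run with `php revoke_demo.php` ------------------------
$dir = sys_get_temp_dir() . '/sessdemo_' . getmypid();
mkdir($dir, 0700);
$banFile = "$dir/blocked.json";
ini_set('session.use_cookies', '0');   // CLI: there are no HTTP headers to send
session_save_path($dir);
$report = [];

session_start();
$_SESSION['user_id'] = 3;
$sid = session_id();                   // the value the DB would keep per login
session_write_close();
$report['file exists after login'] = is_file("$dir/sess_$sid");

// Path A (the answer's approach): delete the file for that specific session id.
$report['revoked'] = revokeSessionFile($dir, $sid);
$report['file exists after revoke'] = is_file("$dir/sess_$sid");

// Path B: the user is signed in again later; the block list catches them on the next request.
session_start();
$_SESSION['user_id'] = 3;
blockUser($banFile, 3);
$report['logged out by block list'] = enforceBlock($banFile);
$report['user_id still set'] = isset($_SESSION['user_id']);

foreach ($report as $label => $value) {
    printf("%-28s %s\n", $label . ':', var_export($value, true));
}
array_map('unlink', glob("$dir/sess_*") ?: []);
unlink($banFile);
rmdir($dir);
```

Path A removes the session immediately but needs the session id to have been stored at login; Path B costs a stat() per request and also covers a user who logs in again before the DB-side ban has been applied. Both rely on the session file living under a directory the web server user can write to, which is the permissions caveat the answer raises.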



