Jump to content

Finding and deleting session


Recommended Posts

When a user logs on my site a session variable is created to keep the user id and also whether said user is actually logged in (for those pages that require the user to be logged in to view them). Now, let's say I notice a user misbehaving and I want to kick him/her off or deactivate the user's account, if I stored the login state in the database I would just change the value of in the user's record but since it's in a session variable, how would I go about getting that particular user's session to modify it? I don't want to have to do a database query during every page load to see if an admin has deactivated the account. The only solution I have in my head right now is to manually modify the session file in the temporary directory which is pretty inefficient and hard.

Edited by LittleJoe
Link to post
Share on other sites

PHP Session VariablesWhen you are working with an application, you open it, do some changes and then you close it. This is much like a Session. The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are and what you do because the HTTP address doesn't maintain state.A PHP session solves this problem by allowing you to store user information on the server for later use (i.e. username, shopping items, etc). However, session information is temporary and will be deleted after the user has left the website. If you need a permanent storage you may want to store the data in a database.Sessions work by creating a unique id (UID) for each visitor and store variables based on this UID. The UID is either stored in a cookie or is propagated in the URL.

Link to post
Share on other sites

just mark the user in session variable. like $_SESSION['kicked']=true. Where the user will interact and you want to keep kicked user away. check that session variable in those pages.

Link to post
Share on other sites
just mark the user in session variable. like $_SESSION['kicked']=true. Where the user will interact and you want to keep kicked user away. check that session variable in those pages.
The problem with that is that if the value changes in the database while the user is still browsing the site, the value in the session won't change until another query to the database is made.
Link to post
Share on other sites

I think birbal means to say.... check kicked status on every page. edit the database with a kicked status and do a sql query and set session accordingly

if ($_SESSION['kicked'] == 'true'){echo 'acces denied'; //or somethingDIE;}

Sessions do not store data permanent..... DB check is a good way to go. but that was not what you wanted.... Maybe there is a way to search the file where session data is stored and alter that....if that is what you mean. >>http://us.php.net/manual/en/session.configuration.php#ini.session.save-path

Edited by Rollins
Link to post
Share on other sites

One way would be to use session_set_save_handler to use custom functions to save your session data in the database instead of the default file storage. You can save additional information in the session database like the user ID, and when you want to deactivate a session for a user then you would just search through that table for the session for that user and delete it.

Link to post
Share on other sites

Well if I'm forced to query the DB on every page then I suppose that's what I must do but I just wanted to see if I could just a session somehow to do it instead and alter the session automatically for that user because I always hear that you should do as few queries to the DB as possible and use sessions instead and doing a query on every page does sound DB consuming.

Link to post
Share on other sites

another way could be use APC. APC use shared memory so it is faster and persist between request. as your data is temporary (assuming it is not so vital like kicking user for some time) it would get the job done. Remember if server restarts or cache cleared it will lost its data. you can make an array. you will push the id of the kicked user in the array. and serialize and desirialize back and forth in APC cache. after that it would be easy to check if current user is in kick list or not. You can have database and apc together too to maintain data consistency and performance. it is common practise to use APC cache to share the load of database.

Edited by birbal
  • Like 1
Link to post
Share on other sites
another way could be use APC.
I prefer Memcached because you can store arrays and objets and don't need to serialize/unserialize (which is slow). Basically, to sum it up, you would store all your banned users in a database table, and only query it if Memcached or APC has nothing stored. This way you would only query the database once in a while.
$cache = new Memcached(....); if (!$bannedUsers = $cache->get('banned_users')){	$bannedUsers = /* fetch users from database */;	$cache->set('banned_users', $bannedUsers, 3600 * 24);} if (in_array($_SESSION['userid'], $bannedUsers)){	// banned}

You could either flush the cache every time you ban a new user, or you can set the expiration date to something like one minute so it would automatically refresh. Also keep in mind that this table can grow with the time, and you may be loading a lot of IDs into the memory. I would add a time stamp and only load newer IDs, and prevent old IDs, whose sessions expired anyway, from logging in in the first place.

Link to post
Share on other sites

memcache is suitable for distributed system like where you have to maintain cache for different server. Memcache is server it uses network protocol to talk with php, in general accessing network protocol is slower than direct memory acceess. and also memcache uses serialization internally for other than primitive data type.

Link to post
Share on other sites

Installing memcached or redis on the web server won't present any performance problems, there's going to be a small amount of network overhead (even though the server is talking to itself), but much less disk latency. MySQL also uses the same network overhead, so the difference between MySQL and memcached or redis is that the latter 2 don't necessarily require disk access, which is the major source of latency for MySQL in general. memcached or redis would be faster to access than MySQL, but shared memory would be faster than either. Just make sure to give your values a good TTL value, don't set it to 0.

Link to post
Share on other sites

If it's shared hosting then I doubt they would make APC available, and you probably also wouldn't have access to the session files. You would need to use a database, even if it's memcached or redis (if they have something like that installed).

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...