Logout from all session

Question

I have a option for logout and here is my code:

session_start();

session_destroy();

setcookie("key","",time()-60*60*24);

setcookie("username","",time()-60*60*24);

I want to add another option to logout from all session ( on another device ) for example if user change his password, all session for this user be clear and logout from all.

How can I edit all session on all devices? Can I store session id to database, and change data with session key ? ( not current user )

Answer 1

The php has command to destroy all sessions by using the following command:

ini_set('session.gc_max_lifetime', 0);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);

The first line is used to fix the session's lifetime value equal to 0 second. Then, the probability is set to 100% cleaned up.

If you need the destroy a particular user, you can add the following instructions to your session handler:

if ($_SESSION['username'] == 'user to delete') {
     session_destroy();
 }

Answer 2

Best bet here would be to create your own database base session handler.

You will have a lot of control over what you can do with the sessions then. There is a good but dated article here that shows an example of how that can be done.

Answer 3

You can add a datetime field to the user table called session_expires_at. At every pageload, compare the current date/time with session_expires_at. If it's expired, log them out. When the user clicks on "logout from all session", simply set that field to now().

You can not force a page to change from the server side without some heartbeat (ajax or socket.io type thing). It will have to happen on page loads.