Reputation: 424
I want to log out a user from all browsers when he changes his current password. I have put this code into my controller function after saving the new password into the database:
$session = Yii::$app->session;
unset($session['id']);
unset($session['timestamp']);
$session->destroy();
It works only for the browser from which I changed my password, but not for all browsers.
I have checked whether the session variable $session['id'] exists or not. I can see it exists in other browsers even after I change my password from a different browser.
Upvotes: 6
Views: 3205
Reputation: 518
1- On changing the password you should set a new auth_key.
2- Change \common\model\User
public static function findIdentity($id) {
    // Only accept the identity if its auth_key matches the one stored in the identity cookie
    if (Yii::$app->getRequest()->getCookies()->has('_identity')) {
        $cookie = json_decode(Yii::$app->getRequest()->getCookies()->get('_identity'), true);
        return static::findOne(['id' => $id, 'auth_key' => $cookie[1], 'status' => self::STATUS_ACTIVE]);
    }
}
"_identity" is the name you previously set for identityCookie in the main config.
Upvotes: 0
Reputation: 403
Related issue @github/yii2:
User stays authorized despite auth key is changed #9718: https://github.com/yiisoft/yii2/issues/9718
Upvotes: 1
Reputation: 9358
It's certainly possible, using session_id. When the user logs in somewhere else, you can do this step before starting a new session for the new login:
// The hard part: find out what $old_session_id is
$session = Yii::$app->session;
unset($session['old_id']);
unset($session['timestamp']);
$session->destroy();
// Now proceed to create a new session for the new login
This will destroy the old session on the server side, so when the other computer accesses your application again it will try to access a non-existent session and a new one will be created for it (in which the user is not logged in anymore).
The hard part is finding out what is the ID of the "old" session. There's no one-size-fits-all way of doing that; you need to have some mechanism in place to be able to tell that the session with id XXX belongs to the same user who is logging in now. If you are using database sessions this should be easy enough.
I can imagine you could do this by using your own session handling. If you store your sessions in a database.
Upvotes: 0
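The database-session approach described in the answers above, combined with the auth_key rotation from the first answer, as an added example that is not code from any of the posters. It assumes Yii2's `yii\web\DbSession` with an extra `user_id` column added to the session table, and a User model with `setPassword()` and `generateAuthKey()` as in the Yii2 advanced template; the helper names `revokeOtherSessions()` and `changePassword()` are hypothetical.

```php
<?php
// Added example. Assumptions: the session table has an extra `user_id` column,
// and the User model has setPassword()/generateAuthKey() (advanced template).

// Goes under 'components' => ['session' => ...] in the application config:
// store the owning user id in every session row.
$sessionComponent = [
    'class' => 'yii\web\DbSession',
    'writeCallback' => function ($session) {
        // Merged into the row on each session write; null for guests.
        return ['user_id' => Yii::$app->user->id];
    },
];

// Hypothetical helper: delete every session row of the user except the
// one belonging to the current request. Returns the number of rows removed.
function revokeOtherSessions(int $userId): int
{
    $session = Yii::$app->session;
    return Yii::$app->db->createCommand()->delete(
        $session->sessionTable,
        ['and', ['user_id' => $userId], ['<>', 'id', $session->getId()]]
    )->execute();
}

// Hypothetical helper, called from the controller action once the new
// password has been validated. $user is the logged-in User model.
function changePassword($user, string $newPassword): bool
{
    $user->setPassword($newPassword);
    // A new auth_key makes identity ("remember me") cookies held by
    // other browsers fail validation on their next auto-login attempt.
    $user->generateAuthKey();
    if (!$user->save(false)) {
        return false;
    }
    // Remove the server-side sessions of all other browsers.
    revokeOtherSessions((int) $user->id);
    // Log this browser in again: login() regenerates the session id and
    // stores the new auth_key, so only the current browser stays signed in.
    return Yii::$app->user->login($user);
}
```

Both steps are needed: deleting session rows ends active sessions, while rotating auth_key stops other browsers from silently logging back in through the identity cookie.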