Reputation: 115
I'm using Codeigniter 3 for my application and for higher security I want to provide the Users an option to destroy all his sessions.
Why? Because the User could have multiple active sessions when he's logged in on different devices. If one device or Account gets hijacked, the user should have the possibility to destroy all his active sessions and the hijacked account / device is forced to logout by the CI Application.
With Codeigniter and the sess_time_to_update config it is not that easy, because after a specific time the session will be regenerated with a new session ID.
Destroying a specific session in Code Igniter is only half of the solution, because on session regeneration the user ID column will not be filled with the user ID.
The objective in short: CI needs a function to find all sessions based on a user ID, or how can we add the User ID to sessions after they are automatically regenerated by the sess_time_to_update config?
Thank you for your hints and help
Upvotes: 4
Views: 1209
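An added example (not from the question or any answer) of one way to reach the stated objective in CodeIgniter 3 without enumerating session rows at all: each user carries a "session generation" counter, the session remembers the generation it was issued under, and "destroy all sessions" just increments the counter, so it is unaffected by sess_time_to_update swapping session IDs. It assumes a `users` table with an integer `session_generation` column (default 0) and the standard CI3 session library and query builder; the class and column names are illustrative.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not CI3's own code. Assumes users.session_generation (INT, default 0).
class Session_guard
{
    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->database();
    }

    // Call once at login: store the user and the generation this session belongs to.
    public function bind($user_id)
    {
        $gen = $this->current_generation($user_id);
        $this->CI->session->set_userdata(array('user_id' => $user_id, 'session_generation' => $gen));
    }

    // Call on every authenticated request (e.g. in a base controller constructor).
    // Returns TRUE while the session is valid; destroys it and returns FALSE once revoked.
    public function check()
    {
        $user_id = $this->CI->session->userdata('user_id');
        $gen     = $this->CI->session->userdata('session_generation');
        if ($user_id === NULL || $gen === NULL) {
            return FALSE;
        }
        if ((int) $gen === $this->current_generation($user_id)) {
            return TRUE;
        }
        // Generation moved on: "destroy all sessions" was requested from another device.
        $this->CI->session->sess_destroy();
        return FALSE;
    }

    // "Destroy all my sessions": one UPDATE invalidates every device, including
    // sessions whose IDs have been regenerated since login. The caller logs in again.
    public function revoke_all($user_id)
    {
        $this->CI->db->set('session_generation', 'session_generation + 1', FALSE)
                     ->where('id', $user_id)
                     ->update('users');
        $this->CI->session->sess_destroy();
    }

    protected function current_generation($user_id)
    {
        $row = $this->CI->db->select('session_generation')->where('id', $user_id)->get('users')->row();
        return $row ? (int) $row->session_generation : -1; // -1: unknown user never matches
    }
}
```

Other devices are logged out on their next request, when `check()` sees the stale generation, which is the "forced logout by the CI application" the question asks for.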
Reputation: 41
Ideally, you would want to create the custom function yourself. CodeIgniter is like Bootstrap in a way, as CodeIgniter is PHP and Bootstrap is CSS: simple PHP code. Yes, it is handy to have PHP functions in a library, but most PHP coders do that anyway. I personally don't share my custom function names because it's a security risk. But keeping sessions alive too long is a security risk too. For each user connection, there is a session cookie in the $_SERVER array. What you would need to do is come up with a way of storing these cookies in a DB table and then move those cookie entries to a deletion queue (which would be another table), then use Java to invoke a command (at time intervals) to see if the cookie is in the deletion queue. If so, it will unset the cookie with the command:

```php
// expire the session cookie in the browser
setcookie("PHPSESSID", "", time() - 3600, "/");
// then kick them out:
session_destroy();
header('Location: index.php');
exit();
```
On one of my systems, I came up with a different cookie system; it's based on the connection and other client variables. If it doesn't see any of the checks (cookie, IP address, client host name and some others) parsed from there, it will add the mismatched IP address to a table (for admin audit), then add that IP address to the denied IP addresses in the firewall, then redirect them to the FBI website. Also, on that web server I run special code in the Apache config so that it will not accept VPN connections, so those hackers who think they can hide behind a VPN can't even access the server (their web browser times out. LOL)
Upvotes: 1