
I have a PHP web application running on a Linux server. It is accessed via a browser.

It uses PHP sessions to store the user's login state and userid. I need to log out all users.

I have root access, and am attempting to destroy all the PHP sessions forcing all users to log in again.

I've deleted all the sess_XXX files stored in /tmp/, and when I return to the webapp I am still logged in: the session file is recreated in /tmp/ and all my details are still intact, using the same values as previously, suggesting the session data is still being stored somewhere.

There's no "caching mechanism" that I know of, other than the PHP session files caching the user's data.

I've tried altering the PHP session name and then deleting the session files, but I'm still logged in. Examining the sess_XXX files shows identical information even after the session file is deleted and then recreated by visiting the application again in the web browser. This information is not stored in the user's browser, so it must be being retrieved from the session.

Anyone know how can I really destroy the sessions and force users to log out?

Hippyjim
  • This is entirely application-specific. – Michael Hampton Mar 01 '16 at 22:03
  • I need more information about the app. Are you accessing through a browser? What happens with curl? Do you get a login prompt/page from the command line? Are you using a caching mechanism? – Ligemer Mar 01 '16 at 22:03
  • When there's some kind of persistent session that may create an active session out of a stored cookie, clearing PHP sessions will never log all clients out (in case a PHP session is required for active user sessions to be identified). – Daniel Nachtrub Mar 01 '16 at 22:22
  • Thanks, Daniel, but the cookie is surely only storing the ID of the session, not all the internal server-side data as well? – Hippyjim Mar 01 '16 at 22:24

1 Answer

We ran into the same issue and decided to create a maintenance page. As the code verifies that the user is logged in, we added code to the login verification process that checks whether maintenance mode is on, forcing all users to log in again.

We risk having users who are idle at that moment. In these cases, we used the information stored in the session cookie, forcing session closure for all users with a timestamp earlier than the one at which maintenance mode was enabled. Instead of the timestamp you could use any custom data that is stored in the cookie (user group, user role, user id) to be more precise and focus on a specific range of users.
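The cutoff-timestamp approach from the answer, written out as an added example (this is not the answerer's or the asker's code). It assumes the application records `userid` and a `login_at` Unix timestamp in `$_SESSION` at login time; by default the browser cookie carries only the session id, so the "timestamp in the cookie" the answer refers to is kept in the server-side session data that the cookie points at. The cutoff file path, the session keys and the CLI walk-through at the bottom are all invented for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Force every session that was
// established before a server-side cutoff to log in again.
// Hypothetical location of the cutoff; any file the PHP worker can read works.
const LOGOUT_CUTOFF_FILE = '/var/lib/myapp/force_logout_after';

// Operator action (e.g. run from a root shell): record "now" as the cutoff.
// Every session whose login_at is at or before this value is treated as logged
// out on its next request, whether the user is active or idle.
function forceLogoutAll(string $cutoffFile = LOGOUT_CUTOFF_FILE): int
{
    $cutoff = time();
    // Write to a temp file and rename so readers never see a half-written value.
    $tmp = $cutoffFile . '.tmp';
    if (file_put_contents($tmp, (string) $cutoff, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    if (!rename($tmp, $cutoffFile)) {
        throw new RuntimeException("cannot rename $tmp to $cutoffFile");
    }
    return $cutoff;
}

function readLogoutCutoff(string $cutoffFile = LOGOUT_CUTOFF_FILE): int
{
    if (!is_readable($cutoffFile)) {
        return 0; // no forced logout has ever been issued
    }
    return (int) trim((string) file_get_contents($cutoffFile));
}

// Pure check on the session data so it can be exercised without a live session.
// Returns true when the session still counts as logged in.
function sessionIsValid(array $session, int $cutoff): bool
{
    if (!isset($session['userid'], $session['login_at'])) {
        return false; // never logged in, or an old session without a timestamp
    }
    // '>' rather than '>=': a login in the same second as the cutoff is also
    // thrown out, so nothing that existed when the operator acted survives.
    return (int) $session['login_at'] > $cutoff;
}

// Call at the top of every authenticated page, right after session_start().
// Returns false (after destroying the session) when the user must log in again.
function requireLogin(string $cutoffFile = LOGOUT_CUTOFF_FILE): bool
{
    if (sessionIsValid($_SESSION, readLogoutCutoff($cutoffFile))) {
        return true;
    }
    // Wipe the server-side data, expire the cookie, and drop the stored session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// On successful authentication, record when the login happened. The fresh
// timestamp is what lets this session survive a cutoff issued earlier.
function markLoggedIn(int $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid']   = $userid;
    $_SESSION['login_at'] = time();
}

// Constructed CLI walk-through: one session from an hour ago, one created after
// the operator issued the cutoff. Uses a temp file instead of the real path.
if (PHP_SAPI === 'cli') {
    $file   = tempnam(sys_get_temp_dir(), 'cutoff');
    $stale  = ['userid' => 42, 'login_at' => time() - 3600];
    $cutoff = forceLogoutAll($file);
    $fresh  = ['userid' => 42, 'login_at' => $cutoff + 1];
    printf("stale session valid: %s\n", sessionIsValid($stale, $cutoff) ? 'yes' : 'no');
    printf("fresh session valid: %s\n", sessionIsValid($fresh, $cutoff) ? 'yes' : 'no');
    unlink($file);
}
```

To narrow the logout to a role or group, as the answer suggests, store that attribute in `$_SESSION` at login as well and add it to the condition in `sessionIsValid()`. Separately, the symptom in the question (identical data reappearing after the files in /tmp are removed) is worth checking against `session.save_handler` and `session.save_path` in `phpinfo()` or `php -i`: PHP only reads and writes session data where those settings point, and on many distributions the web server's PHP uses a path other than /tmp (Debian and Ubuntu, for example, default to /var/lib/php/sessions), or a non-file handler such as memcached or Redis, so deleting files in /tmp would not touch the live sessions at all.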