Yii2: logout from all browser after a user change password
I want to log a user out of all browsers when he changes his current password. I have put this code into my controller function after saving the new password into the database:

$session = Yii::$app->session;
unset($session['id']);          // remove the login marker stored in the session
unset($session['timestamp']);
$session->destroy();            // delete the current request's session on the server

It works only for the browser from which I changed my password, but not for all browsers. I have checked whether the session variable $session['id'] exists or not. I can see it still exists in the other browser even after I change my password from a different browser.

Strutting answered 23/9, 2015 at 8:5
It's certainly possible, using session_id. When the user logs in somewhere else, you can do this step before starting a new session for the new login:

// The hard part: find out what $old_session_id is (see below)
$session = Yii::$app->session;
$session->open();
$current_session_id = $session->getId();   // remember this request's own session
$session->close();                         // detach from it
$session->setId($old_session_id);          // attach to the other browser's session
$session->open();
unset($session['id']);                     // login data of that session (redundant once destroy() runs)
unset($session['timestamp']);
$session->destroy();                       // remove the old session on the server side
$session->setId($current_session_id);      // re-attach to our own session
$session->open();

// Now proceed to create a new session for the new login

This will destroy the old session on the server side, so when the other computer accesses your application again it will try to access a non-existent session and a new one will be created for it (in which the user is not logged in anymore).

The hard part is finding out what is the ID of the "old" session. There's no one-size-fits-all way of doing that; you need to have some mechanism in place to be able to tell that the session with id XXX belongs to the same user who is logging in now. If you are using database sessions this should be easy enough.

I can imagine you could do this by using your own session handling, if you store your sessions in a database.

Psi answered 23/9, 2015 at 8:22
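One concrete way to do what this answer sketches with Yii2's database session storage, as an added example that is not code from the question, from any answer or from the Yii2 project: the session table gets an extra `user_id` column that `DbSession::$writeCallback` fills on every write, and after the new password has been saved every stored session of that user except the current one is deleted. The class name `SessionRevoker`, the `user_id` column and the `{{%session}}` table name are assumptions; `writeCallback`, `regenerateID()`, `getId()` and the `id` column are the stock `yii\web\DbSession` ones.

```php
<?php
/**
 * Added example: revoke every other session of a user after a password
 * change, for an application that stores sessions with yii\web\DbSession.
 *
 * Assumed config/web.php excerpt (the user_id column must be added to the
 * standard session table by hand; it is not part of the stock schema):
 *
 *   'session' => [
 *       'class' => 'yii\web\DbSession',
 *       'sessionTable' => '{{%session}}',
 *       'writeCallback' => function ($session) {
 *           // Tag each stored session with its owner so that "all sessions
 *           // of user X" becomes a simple WHERE clause later on.
 *           return ['user_id' => Yii::$app->user->id];
 *       },
 *   ],
 */
namespace app\components;

use Yii;
use yii\db\Connection;
use yii\web\Session;

class SessionRevoker
{
    /** Must match DbSession::$sessionTable (assumed default name). */
    public $sessionTable = '{{%session}}';

    /**
     * Delete every stored session that belongs to $userId except the one the
     * current request runs in. The browser that changed the password stays
     * logged in; every other browser hits a non-existent session on its next
     * request and is treated as a guest. Returns the number of rows deleted.
     */
    public function revokeOtherSessions(int $userId, Session $session = null, Connection $db = null): int
    {
        $session = $session ?? Yii::$app->session;
        $db = $db ?? Yii::$app->db;

        // Make sure our own session has an id before we exclude it.
        $session->open();
        $currentId = $session->getId();

        // Rotate our own id too: a password change is a good moment to drop
        // an id that may have leaked (logs, shared screenshots, referers).
        $session->regenerateID(true);
        $newId = $session->getId();

        return $db->createCommand()->delete($this->sessionTable, [
            'and',
            ['user_id' => $userId],
            ['not in', 'id', [$currentId, $newId]],
        ])->execute();
    }
}
```

Call `(new SessionRevoker())->revokeOtherSessions($user->id)` from the change-password action right after `$user->save()` succeeds. One caveat a practitioner should keep in mind: a browser that also holds a remember-me cookie (`enableAutoLogin`) is logged straight back in by `loginByCookie()` on its next request, so the `auth_key` has to be rotated at the same time; that is what the remaining answers on this page deal with.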
Related issue @github/yii2:

User stays authorized despite auth key is changed #9718: https://github.com/yiisoft/yii2/issues/9718

Ingratiate answered 23/9, 2015 at 10:16
1- On changing the password you should set a new auth_key.

2- Change \common\model\User

public static function findIdentity($id)
{
    $cookies = Yii::$app->getRequest()->getCookies();
    if ($cookies->has('_identity')) {
        // The identity cookie value is JSON: [id, auth_key, duration]
        $cookie = json_decode($cookies->get('_identity')->value, true);
        if (is_array($cookie) && isset($cookie[1])) {
            return static::findOne(['id' => $id, 'auth_key' => $cookie[1], 'status' => self::STATUS_ACTIVE]);
        }
    }
    return null; // no usable identity cookie: no identity is returned
}

"_identity" is the name you set earlier for identityCookie in the main config.

Staphylo answered 14/8, 2020 at 22:19
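Putting the last two answers together, here is an added example (mine, not code from the answers or from the Yii2 project) of binding each session to the user's `auth_key`, so that rotating the key on password change invalidates every session and not only the remember-me cookies. Yii2's cookie login path already calls `validateAuthKey()`; the session path does not (that is the linked issue #9718), so a `yii\web\User` subclass adds that check in `renewAuthStatus()` and stores the key in the session on every login. The class name `AuthKeyBoundUser`, the session key `__authKey` and a `generateAuthKey()` method on the identity model (as in the advanced template's `common\models\User`) are assumptions.

```php
<?php
/**
 * Added example: a yii\web\User that logs a session out as soon as the
 * identity's auth_key no longer matches the key the session was created with.
 * Register it instead of the stock component (class name is an assumption):
 *
 *   'user' => [
 *       'class' => 'app\components\AuthKeyBoundUser',
 *       'identityClass' => 'app\models\User',
 *       'enableAutoLogin' => true,
 *   ],
 */
namespace app\components;

use Yii;
use yii\web\IdentityInterface;
use yii\web\User as BaseUser;
use yii\web\UserEvent;

class AuthKeyBoundUser extends BaseUser
{
    /** Session key holding the auth_key snapshot (assumed name). */
    const SESSION_AUTH_KEY = '__authKey';

    public function init()
    {
        parent::init();
        // After every successful login (form or cookie) remember which
        // auth_key this session was created with.
        $this->on(self::EVENT_AFTER_LOGIN, function (UserEvent $event) {
            $this->bindSessionToAuthKey($event->identity);
        });
    }

    /** Store the identity's current auth_key in the session. */
    public function bindSessionToAuthKey(IdentityInterface $identity): void
    {
        if ($this->enableSession) {
            Yii::$app->getSession()->set(self::SESSION_AUTH_KEY, $identity->getAuthKey());
        }
    }

    /**
     * Runs once per request when the identity is first needed. The parent
     * restores the identity from the session without checking auth_key
     * (yiisoft/yii2#9718) or from the identity cookie (which does check it);
     * this adds the missing check for the session path.
     */
    protected function renewAuthStatus()
    {
        parent::renewAuthStatus();

        $identity = $this->getIdentity(false);
        if ($identity === null || !$this->enableSession) {
            return;
        }

        $stored = Yii::$app->getSession()->get(self::SESSION_AUTH_KEY);
        if ($stored === null || !$identity->validateAuthKey($stored)) {
            // auth_key was rotated (password change) or the session predates
            // this check: destroy the session and treat the request as a guest.
            $this->logout(true);
        }
    }

    /**
     * Password-change hook: rotate auth_key, which logs out every other
     * session and remember-me cookie on its next request, then re-bind the
     * session that made the change so this browser stays logged in.
     * $user is the saved identity record with a generateAuthKey() method
     * (assumption, as in the advanced template). Returns false on save failure.
     */
    public function rotateAuthKey($user): bool
    {
        $user->generateAuthKey();                  // new random auth_key
        if (!$user->save(false, ['auth_key'])) {   // persist only that column
            return false;
        }
        Yii::$app->getSession()->regenerateID(true); // fresh session id as well
        $this->bindSessionToAuthKey($user);
        return true;
    }
}
```

In the change-password action, after the new password hash has been saved, call `Yii::$app->user->rotateAuthKey($user)`. Sessions created before this component was deployed carry no `__authKey` entry and are logged out once on their next request, which is the safe default; if that is unwanted, seed the key for such sessions instead of calling `logout()` when `$stored === null`.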

© 2022 - 2024 — McMap. All rights reserved.