[eluser]elverion[/eluser]
I've already got all the code in place to handle users logging in and out using CI sessions and inserting all session data into the database. Now, I want to be able to forcefully log out (just remove the userdata section) any other sessions using that same user ID. I think this would help to improve the security.
Thing is, I'm not entirely sure how I should go about doing this. What do you recommend?
[eluser]boxyee[/eluser]
I've done something similar. In my case I create a hash in the user's session and the same one in the database. In the is_logged_in function, I can check whether the two match. If not, redirect to the sign in form.
Maybe not the best solution, but it works well.
[eluser]elverion[/eluser]
That could work, but still seems a little half-assed. Thanks for the input, though. I'll wait for any other ideas before I decide what to do.
[eluser]intractve[/eluser]
Plus points on your respect to someone trying to help.
The idea isn't "half-assed", it's a perfectly good idea. I have a similar setup running in more than 15 implementations of various apps I maintain.
Use database sessions and add a login_hash (a sha1 encoded random string in my case) and a corresponding login_hash in the user_login table.
When someone logs in I update the login hash in the user_login table and the corresponding session and then do a kick_others() that will delete any entries in the session table that do not have a corresponding hash in the user_login table. It's quite simple actually and I'm able to make it work quite well for me.
[eluser]intractve[/eluser]
[quote author="elverion" date="1297410689"]
I wasn't saying it was a bad idea, only that it was sort of hackish and works around the issue rather than addressing it directly. I would still prefer a simple way of deleting sessions where a specific user_data matches some value (i.e. userid) that doesn't require looping through all sessions in the database.[/quote]
I am not touching any of the core code, not extending a class or library, so how is it hack-ish? Plus there is no issue: CodeIgniter does not have an auth library, so by your definition everything is hacked on right now.
There is no simple way around it. There will be loops, there will be database calls in any method you choose to use whether this one or some other. FYI there is no loop in my method. It's a single SQL call to delete entries that have no corresponding entries in the user table.
You will not face performance issues with the method I used because it's being called only on login and no other time. You may need a different method if you are going to check this on every action the user makes. Then you'll have to worry about performance.
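The login_hash / kick_others() scheme described in the two posts above, as an added example that is not intractve's or CodeIgniter's own code. It uses an in-memory SQLite database with constructed table and column names (user_login, ci_sessions, login_hash) to show the single DELETE that drops every session whose hash no longer matches any user's current hash.

```python
import hashlib
import secrets
import sqlite3

# Constructed schema: a user_login table holding the user's current hash, and a
# session table (standing in for CI's database sessions) holding the same hash.
SCHEMA = """
CREATE TABLE user_login (user_id INTEGER PRIMARY KEY, login_hash TEXT NOT NULL);
CREATE TABLE ci_sessions (session_id TEXT PRIMARY KEY, user_id INTEGER, login_hash TEXT);
"""


def new_login_hash():
    """sha1 of a random string, as in the post; the randomness is what matters."""
    return hashlib.sha1(secrets.token_bytes(32)).hexdigest()


def kick_others(conn):
    """One SQL call, no loop: delete sessions whose hash is not in user_login."""
    cur = conn.execute(
        "DELETE FROM ci_sessions WHERE login_hash IS NOT NULL "
        "AND login_hash NOT IN (SELECT login_hash FROM user_login)"
    )
    conn.commit()
    return cur.rowcount  # number of sessions kicked


def login(conn, session_id, user_id):
    """Store a fresh hash in both the user row and this session, then kick the rest."""
    h = new_login_hash()
    conn.execute("INSERT OR REPLACE INTO user_login (user_id, login_hash) VALUES (?, ?)",
                 (user_id, h))
    conn.execute("INSERT OR REPLACE INTO ci_sessions (session_id, user_id, login_hash) "
                 "VALUES (?, ?, ?)", (session_id, user_id, h))
    return kick_others(conn)


def is_logged_in(conn, session_id):
    """boxyee's check: the session's hash must match the user's stored hash."""
    row = conn.execute(
        "SELECT 1 FROM ci_sessions s JOIN user_login u "
        "ON u.user_id = s.user_id AND u.login_hash = s.login_hash "
        "WHERE s.session_id = ?", (session_id,)).fetchone()
    return row is not None


def demo():
    """Same user logs in from two sessions; the first one is kicked."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    kicked_first = login(conn, "sess-A", 42)   # constructed session ids / user id
    kicked_second = login(conn, "sess-B", 42)
    return kicked_first, kicked_second, is_logged_in(conn, "sess-A"), is_logged_in(conn, "sess-B")
```

Sessions with no login_hash (anonymous visitors) are left untouched by the DELETE, so only logged-in sessions of the re-logging user are affected.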