Delete Customer Session from Admin – Magento Guide

customer-sessionmagento-enterprisesession

I have been working on a site that requires users to be logged in and approved before they can access the website. That element works fine, except if as an administrator I edit the customer's account to revoke their access.

Refreshing the page as that (already logged in) customer, I expect to be logged out and redirected to the login page. Instead, I am able to continue to remain logged in.

I have been looking for a way to try and programatically (on save of customer) to log that customer out.

$session = Mage::getSingleton('customer/session');
$session->loginById($customer->getId());

// Log Out the customer.
$session->logout();

This I have been trying to use, unfortunately, instead of logging out the customer, it logs me out from the admin instead.

So it seems that I need to have something like $customer->getSessionId() and load the session from that, but that doesn't seem to exist as a route.

As an alternative work around, I expect it might be possible to override the session itself on reinitialise on the customer view, but this feels like it might be unnecessarily convoluted.

Best Answer

In the end the solution that was deemed suitable for my requirements has been to validate the user on the front end request. When the user account has been logged in, we check to see if the account is still enabled, if its not log them out from their own session and redirect to login page.

Related Solutions

Magento – Can / Should I Use The Admin Session in Frontend

Let's assume you can get access to the admin session in the frontend, I don't think there will be any issues. Just make sure that you wrap the code (actions or display) around something like this:

if (getTheAdminSession()->getUser()){//getTheAdminSession() is just a placeholder for the admin session getter
   //code or output here
}

If you have this and the admin is not logged in then there should not be any issues (in theory). Those pieces of code will be skipped.
Now the hard part. I'm not sure how it's possible to gain access to the admin session from the back-end since Magento creates 2 different cookies for them. Maybe read the cookie with the name 'adminhtml' and try to initiate the session with that value. But this will become impossible if the admin is on a separate domain. (I know it usually isn't but it may be).
If you do a simple:

Mage::getSingleton('admin/session')

on the frontend, the object created from this code will be appended to the session file of the frontend(I only tested with session in files). The admin session file will not be touched. Your session file will looke something like this:

core|a:5:{..}admin|a:2:{...}

Magento 1.8 – customer/session isLoggedIn() Returns False: Fix Guide

So I found out the problem with the customer session was that I was instantiating my own custom session way to early. As I learned from this article by Alan Storm, instantiating sessions too early can break session storage, so different pages where accessing different sessions. That's why sometimes I didn't get the correct customer session data.

I was trying to use a session object in a custom router and found it's a big NO. I changed my router code to instead set a POST param to pass on my value and then store it to the session later on in the process.

P.S. My custom session is still buggy, since it appears its data is only accessible in the page request that set it and not any other subsequent requests, but the customer session is okay now so that's half the problem gone.

Related Topic

Magento2 – Using Another Logged-In User’s Session