Php – Really destroy all PHP sessions on server

Tags: php, session

I have a PHP web application running on a Linux server. It is accessed via a browser.

It uses PHP sessions to store the user's login state and userid. I need to log out all users.

I have root access, and am attempting to destroy all the PHP sessions forcing all users to log in again.

I've deleted all the sess_XXX files stored in /tmp/ and when I return to the webapp I am still logged in, and the session file is recreated in /tmp/ and all my details are still intact – using the same values as previously suggesting the session data is still being stored somewhere.

There's no "caching mechanism" that I know of, other than the PHP session files caching the user's data.

I've tried altering the PHP session name and then deleting the session files, but I'm still logged in. Examining the sess_XXX files shows identical information even after the session file is deleted and then recreated by visiting the application again in the web browser. This information is not stored in the user's browser, so it must be being retrieved from the session.

Anyone know how can I really destroy the sessions and force users to log out?

Best Answer

We ran into the same issue and decided to create a maintenance page. Since the code verifies that the user is logged in, we built a check into the login verification process that tests whether maintenance mode is on, forcing all users to log in again.

We risk having users who are idle at that moment. For these cases, we used the information stored in the session cookie, forcing session closure for all users with a timestamp earlier than the one at which maintenance mode was enabled. Instead of the timestamp you could use any custom data that is stored in the cookie (user group, user role, user id) to be more precise and focus on a specific range of users.
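The following is an added PHP example illustrating the approach described in the answer above; it is not code from the original question or answer. It keeps a server-side "session epoch" timestamp (the file path is an assumption) and, on every authenticated request, tears down any session whose recorded login time predates that epoch. Bumping the epoch therefore logs everyone out, including idle users, on their next request. It assumes the login code records `$_SESSION['login_time']` via the `mark_logged_in()` helper shown here.

```php
<?php
// Added example, not part of the original post.
// A global "session epoch": any session established before this timestamp
// is rejected and the user must log in again.
declare(strict_types=1);

// Assumed location, outside the web root and writable by the PHP user.
const SESSION_EPOCH_FILE = '/var/lib/myapp/session_epoch';

// Operator action: set the epoch to "now" so every existing session is invalidated.
function invalidate_all_sessions(): int
{
    $now = time();
    file_put_contents(SESSION_EPOCH_FILE, (string) $now, LOCK_EX);
    return $now;
}

function current_session_epoch(): int
{
    if (!is_file(SESSION_EPOCH_FILE)) {
        return 0; // no forced logout has ever been issued
    }
    return (int) trim((string) file_get_contents(SESSION_EPOCH_FILE));
}

// Call at the top of every authenticated request, right after session_start().
// Returns true if the session is still valid, false if it was torn down.
function enforce_session_epoch(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $loginTime = (int) ($_SESSION['login_time'] ?? 0);
    if ($loginTime >= current_session_epoch()) {
        return true;
    }

    // Session predates the forced logout: clear server-side data,
    // expire the session cookie in the browser, and destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// Used by the login code once credentials have been verified.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);   // new id, old session file discarded
    $_SESSION['userid']     = $userId;
    $_SESSION['login_time'] = time();
}

// Diagnostic: where does this PHP actually keep sessions?
// Worth checking before deleting sess_* files by hand.
function session_storage_info(): array
{
    return [
        'save_handler' => ini_get('session.save_handler'),
        'save_path'    => ini_get('session.save_path'),
    ];
}

// Typical request flow:
if (!enforce_session_epoch()) {
    header('Location: /login.php');
    exit;
}
```

The check runs on every request rather than only at login, so a user who was idle when the epoch was bumped is logged out the moment they next touch the application. To force a global logout, run `invalidate_all_sessions()` from a small admin script or a CLI entry point; no session files need to be touched by hand.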
