I have this question. My website is built so that a user can only be in the members' page if he has logged in. Therefore every page has this:
if (!isset($_SESSION['userid'])) { header('Location: index.php'); exit; }
The problem is that if I ban the user and the user did not end the session, he will still be allowed to use the site until he ends the session and tries to log in again, at which point he will be denied due to the change of status in the database.
I'm thinking that the only way is to delete the physical session file on the server, but I don't know how. Anyone?
What I have done is create a database query in a header file that is included in every page, which either pulls the user's profile or checks to see if they were banned. If so, then I destroy their session.
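The per-request ban check described in the answer above, written out as an added example (not code from the original post); it assumes an existing PDO handle `$pdo` and a `users` table with `id` and `banned` columns, which are assumptions, not details from the page:

```php
<?php
// check_ban.php: include at the top of every member page.
// Assumed: $pdo is an open PDO connection and the `users` table has
// integer columns `id` and `banned` (1 = banned). Adapt to your schema.
declare(strict_types=1);

session_start();

function redirect_to_login(): void
{
    // Clear the data, expire the cookie and delete the server-side session
    // file so the old session id cannot simply be presented again.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

if (empty($_SESSION['userid'])) {
    redirect_to_login();
}

// Re-check the ban flag on every request, not only at login time, so a ban
// takes effect while the session is still alive. Prepared statement avoids
// interpolating the id into the SQL.
$stmt = $pdo->prepare('SELECT banned FROM users WHERE id = :id');
$stmt->execute([':id' => (int) $_SESSION['userid']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// A missing user row is treated the same as a banned one.
if ($row === false || (int) $row['banned'] === 1) {
    redirect_to_login();
}
```

This keeps the ban decision in the database on every request, so it also works when sessions are stored somewhere other than local files.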
What you need to do is add the user ID, or some other information that identifies the specific user posting, to your AJAX post. This way you can check on the server side with each post whether the user is allowed to post, and if not, take the necessary action.
Unless you’re using the multi-level directory save method, something like this would probably be enough:
unlink(rtrim(ini_get('session.save_path'), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . 'sess_' . $bannedSessionID);
Check that your server's session files have the 'sess_' prefix, though. It could possibly be overridden somewhere. But in any case, by default all the session files are in a single directory (/tmp unless they've been moved) and can be opened/read/written/deleted by the web server (as they have to be).