Updated Answer
You've provided helpful details in your comments:
When a user changes his password, I need to log out his account from all his other devices.
Your question is essentially how to implement single login/logout across devices if you're using sessions.
Here is a simple approach:
- User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
- User logs into another device, you set userID and lastSeen in that session
- Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName)
- In your DB, have a logout table with columns userID, requestTime
- If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in logout table
- When user tries to access restricted page, you check:
  - Does $_SESSION['userID'] exist (means user logged in at some point)
  - Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
  - Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.
Original Answer
Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).
If you want to unset the current user's session, whoever that user may be, you can do one of the following:
session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user
If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.
Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:
userID | sessionData | sessionExpires
You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
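The three checks from the Updated Answer, together with the logout-table write, as an added example that is not part of the original answer. The function names, the PDO handle, the integer Unix timestamps and the in-memory SQLite demo at the end are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. Assumed: $db is a PDO handle and
// table logout(userID INTEGER, requestTime INTEGER) holds Unix timestamps.
declare(strict_types=1);
const IDLE_LIMIT = 30 * 60; // the 30-minute window from the answer

function endSession(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Call on logout, password change, or anything else that must force a re-login.
function requestLogout(PDO $db, int $userID, int $now): void
{
    $stmt = $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)');
    $stmt->execute([$userID, $now]);
    endSession(); // only this device's session; the others fail the check below
}

// Call at the top of every restricted page; false means "require login".
function sessionIsValid(PDO $db, int $now): bool
{
    if (!isset($_SESSION['userID'], $_SESSION['lastSeen'])) {
        return false; // never logged in on this device
    }
    if ($now - $_SESSION['lastSeen'] > IDLE_LIMIT) {
        endSession(); // idle for more than 30 minutes
        return false;
    }
    // Logout requested since this session was last seen? Same-second ties pass.
    $stmt = $db->prepare('SELECT 1 FROM logout WHERE userID = ? AND requestTime > ? LIMIT 1');
    $stmt->execute([$_SESSION['userID'], $_SESSION['lastSeen']]);
    if ($stmt->fetchColumn() !== false) {
        endSession();
        return false;
    }
    $_SESSION['lastSeen'] = $now; // refresh only after every check has passed
    return true;
}

// Constructed demo: user 5 has two devices; device A changes the password.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE logout (userID INTEGER, requestTime INTEGER)');
$_SESSION = ['userID' => 5, 'lastSeen' => 1000]; // device A's session
requestLogout($db, 5, 1100);
$_SESSION = ['userID' => 5, 'lastSeen' => 1000]; // device B's next request
var_dump(sessionIsValid($db, 1200));
```

Because lastSeen is refreshed only after the logout check passes, a device that was idle when the password changed cannot slide past the requestTime comparison on its next request.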