2

I have a session like this $_SESSION['login'] and when it is equal to 1, it means the user is logged into my website:

if ( $_SESSION['login'] == 1 ) {
    // You are logged
} else {
    // login/register
}

Also I have another session which contains user's id. Something like this:

echo $_SESSION["Id"]; 
/* It is containing the user's id (an integer number).
   Something like: 234124
*/

Now I want to unset $_SESSION['login'] for the user who has a specific id. For example I want to unset($_SESSION['login']) for $_SESSION["Id"] = 234124. How can I do that?


Edit: All I'm trying to do: When a user changes his password, I remove all his cookies from cookies table to sign him out from all his other devices. Also I want to remove his session.

12
  • session_start(); session_destroy(); the whole session you previously created will be destroyed. Commented Jul 27, 2016 at 3:58
  • 2
    My question asks: how can I do that for a specific user?
    – stack
    Commented Jul 27, 2016 at 3:58
  • oh right @stack I misunderstood question.
    – user6322822
    Commented Jul 27, 2016 at 3:59
  • I don't know enough to be 100% sure about it but I'm pretty sure you wouldn't be able to unset the session for a particular user you would have to redirect that user to a page which unset their session; as the session is stored locally rather than in a database; however I could be totally wrong.
    – user6322822
    Commented Jul 27, 2016 at 4:01
  • Can't see the point of having a session login and id, you can just unset the session id to log him out. Commented Jul 27, 2016 at 4:01

4 Answers

5

Updated Answer

You've provided helpful details in your comments:

When an user changes his password, I need to logout his account from all other his devices.

Your question is essentially how to implement single login/logout across devices if you're using sessions.

Here is a simple approach:

  1. User logs in, you set userID and lastSeen in session. lastSeen holds a timestamp. Save no info in session that the user can change.
  2. User logs into another device, you set userID and lastSeen in that session
  3. Sessions across devices are always in sync (except for lastSeen) because they only hold non-changing data (userID, userName)
  4. In your DB, have a logout table with columns userID and requestTime
  5. If a user logs out, changes her password or does anything else that should require a re-login, call session_destroy() and add an entry in logout table
  6. When user tries to access restricted page, you check:
    • Does $_SESSION['userID'] exist (means user logged in at some point)
    • Is lastSeen within the last 30 minutes (otherwise, call session_destroy() and request another login)
    • Is there a logout request with the user's ID in logout and with requestTime > lastSeen (means since we last saw the user, she requested to be logged out from another device). If so, session_destroy() and require another login.

Original Answer

Sessions are handled in isolation. When a request arrives, the $_SESSION data for just that user is loaded in memory. So if userID 5 makes a request, you do not have access to the session data for user 7 (without some hacks).

If you want to unset the current user's session, whoever that user may be, you can do one of the following:

session_destroy(); //clears everything for the current user
unset($_SESSION['login']);// clears just this variable for the current user

If from one user's browsing session, you want to mess with another user: I don't see the use case. Sounds like it would have negative security implications, and it makes me question your greater architecture. It defeats the whole purpose of sessions: to provide each user an isolated, persistent storage locker on the server.

Anyway, to change a random user's session data from another user's browsing activity (again, why?), use a database to save and retrieve values instead. A table could be as simple as:

userID | sessionData | sessionExpires

You could store session data in JSON with json_encode and retrieve it with json_decode for any specific user, from any browsing session.
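
The step 6 check from the updated answer, written out as an added example (not the answerer's code). The `logout` table layout follows the answer; the function names, the in-memory SQLite database (needs the pdo_sqlite extension) and the sample sessions are assumptions made for illustration.

```php
<?php
// Added example. Function and variable names are assumptions, not from the answer.
const IDLE_LIMIT = 1800; // 30 minutes, as in step 6

// Step 5: record that every session of this user must log in again.
function requestLogoutEverywhere(PDO $db, int $userID, int $now): void {
    $stmt = $db->prepare('INSERT INTO logout (userID, requestTime) VALUES (?, ?)');
    $stmt->execute([$userID, $now]);
}

// Step 6: true if the session may continue; pass $_SESSION in a real page.
function checkSession(PDO $db, array &$session, int $now): bool {
    if (!isset($session['userID'], $session['lastSeen'])) {
        return false; // never logged in
    }
    $expired = $now - $session['lastSeen'] > IDLE_LIMIT;
    // >= (the answer writes >) so a logout in the same second as lastSeen fails closed.
    $stmt = $db->prepare('SELECT COUNT(*) FROM logout WHERE userID = ? AND requestTime >= ?');
    $stmt->execute([$session['userID'], $session['lastSeen']]);
    if ($expired || (int) $stmt->fetchColumn() > 0) {
        $session = []; // in a real page: session_unset(); session_destroy();
        return false;
    }
    $session['lastSeen'] = $now; // only refreshed after all checks pass
    return true;
}

// Constructed scenario: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logout (userID INTEGER NOT NULL, requestTime INTEGER NOT NULL)');

$t = 1469592000; // constructed timestamp
$phone = ['userID' => 234124, 'lastSeen' => $t]; // second device of user 234124
$other = ['userID' => 7, 'lastSeen' => $t];      // session of an unrelated user

var_dump(checkSession($db, $phone, $t + 60));   // phone request before the password change
requestLogoutEverywhere($db, 234124, $t + 120); // password changed on another device
var_dump(checkSession($db, $phone, $t + 180));  // phone request after the password change
var_dump(checkSession($db, $other, $t + 180));  // request from the unrelated user
```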

2
  • Thank you, upvote .. btw your activity is odd on SO .. You had less than 2k rep just a few weeks ago, I mean you've earned lots of reputation recently. Why? Have you been hired by SO ;-)? What is your new motivation for being active in here?
    – stack
    Commented Jul 27, 2016 at 4:27
  • 1
    @stack I wasn't hired. Are you hiring? My motivation is learning. I've found that having to solve problems quickly and having to explain the solutions clearly forces me to learn a lot, and to practice efficient coding. Commented Jul 27, 2016 at 4:34
2

It will remove all session variables and destroy the whole session you created.

<?php
//start session
session_start();
// remove all session variables
session_unset(); 
// destroy the session 
session_destroy(); 
?>
3
  • But the OP wants to target a specific user's session, by user ID. Not just the current user Commented Jul 27, 2016 at 4:15
  • then simply add the if condition which specifies the session variable. Commented Jul 27, 2016 at 4:17
  • I don't even understand why the session is created like that? Commented Jul 27, 2016 at 4:18
2
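if ( $_SESSION['login'] == 1 ) {
 if ( $_SESSION["Id"] == 234124 ) {
       // Clear the variables while the session is still active...
       session_unset();
       // ...then destroy the current visitor's session data.
       session_destroy();
 }
} else {
  // login/register
}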
0
1

Use session_destroy();

It destroys all of the data associated with the current session. So only the intended user's (who clicked logout, or in your case who changed password) session data will be removed.

Check this to know more.

1
  • But the OP wants to target a specific user's session, by user ID. Not just the current user Commented Jul 27, 2016 at 4:15
