php – Codeigniter: how to remove a session from a post request coming from a different client-ThrowExceptions

Exception or error:

This is the use case:

  1. a hacker logs in to a web site's private pages of another user (“the correct user”) using his/her pw
  2. the correct user, without logging in, changes his/her password using the “forget password” function
  3. the hacker never logs out and his session stays on because he still has the credential as session data in his browser

What I would like to do is this: once the correct user changes his/her pw, the session of the hacker is destroyed by the reset password user function. But the correct user's browser does not have any reference to the session id/code of the hacker's one, so if the function session_destroy() is run, this does not affect the hacker's session, just the correct user's one. But, since some unique ids linked to the user account are set as session data, it is theoretically possible to identify the session having that field set to the correct user id and erase the session itself. The problem is how to do it: does CodeIgniter have any function to find a session saved on the server by searching for its field values? Currently, I use the default way to keep track of the sessions, so on disk.

How to solve:
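
One way to do what the question describes, as an added example that is not from the original page or from CodeIgniter itself: scan the on-disk session files and delete those whose stored user id matches the account whose password was just reset. It assumes CodeIgniter 3's "files" session driver (one file per session in the save path, named with the session cookie name as prefix, holding PHP's native `key|serialized-value` encoding); the session key `user_id` and both function names are hypothetical.

```php
<?php
// Added example. Assumes CodeIgniter 3's "files" session driver: one file per
// session in sess_save_path, named <sess_cookie_name><session id>, containing
// PHP's native session encoding. 'user_id' is a hypothetical session key.

/** True if the raw session payload has top-level $key equal to $userId. */
function session_belongs_to(string $raw, string $key, int $userId): bool
{
    $id  = (string) $userId;
    // The id may have been stored as an int or as a string.
    $val = 'i:' . $id . ';|s:' . strlen($id) . ':"' . $id . '";';
    // A top-level key starts the payload or follows the end of a value (; or }).
    $re  = '/(?:^|[;}])' . preg_quote($key, '/') . '\|(?:' . $val . ')/';
    return preg_match($re, $raw) === 1;
}

/** Deletes every session file that belongs to $userId; returns the count. */
function revoke_user_sessions(string $savePath, string $cookieName, int $userId, string $key = 'user_id'): int
{
    $removed = 0;
    $pattern = rtrim($savePath, '/\\') . DIRECTORY_SEPARATOR . $cookieName . '*';
    foreach (glob($pattern) ?: [] as $file) {
        $raw = is_file($file) ? @file_get_contents($file) : false;
        if ($raw === false || !session_belongs_to($raw, $key, $userId)) {
            continue; // unreadable, or another user's session
        }
        if (@unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed demo: two fake session files in a throwaway temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/ci_sessionaaaa", '__ci_last_regenerate|i:1700000000;user_id|i:42;');
// Second file belongs to user 7; the quoted string must not count as a match.
file_put_contents("$dir/ci_sessionbbbb", '__ci_last_regenerate|i:1700000000;user_id|i:7;note|s:13:"user_id|i:42;";');
echo revoke_user_sessions($dir, 'ci_session', 42), " session(s) revoked\n";
array_map('unlink', glob("$dir/*")); // clean up the demo files
rmdir($dir);
```

In a CodeIgniter 3 application the two path arguments would come from the `sess_save_path` and `sess_cookie_name` config items, and the call would sit in the password-reset handler right after the new password is stored. The match is a pattern test rather than a full decode, so a stored string that happens to contain `;user_id|i:42;` would also be revoked, which errs on the side of logging a session out.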
