
Social Networking - Admin disabling other users session or some other Option

I am building my own social networking site and

Here is the case

If a user is spamming or doing some unethical things, I can ban him using the admin option. To ban that user, I am updating his record in the database, so he cannot log in to the site next time. But in addition to that, I want to disable even his current session and not allow any other operation. Could someone tell me how to disable a user's session? I mean the "admin" user disabling a "user's" session (one user disabling another user's session).

or any other ideas?

Thanks a lot for your help

Kiran


If you're not storing your sessions in the database, you'd need to get the user's session ID and delete the corresponding session file so their session is killed. To do this, you'd need to store the ID of the user's session in the database when they log in. Assuming a relatively standard file-based session setup, something like this might do the trick:

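$user_session_id = '...'; // session ID stored in the database at login
// glob() returns an empty array (or false) when no session file matches
$files = glob(session_save_path() . '/*' . $user_session_id . '*');
if (!empty($files)) {
    unlink($files[0]); // delete the server-side session file
}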

Doing this from within your admin pages whenever the 'banned' flag is set to true will then nuke the user's session. This logs them out automatically. And on next login, you can present the "you're banned" message.


If you're tracking a user's sessions in a somewhat systematic fashion, e.g. in a database, then you could just search for all the user's open sessions and remove the server-side session data. That way the user would no longer be considered "logged in" next time he reloads a page.

You will probably have to define your own session handler for this to work, though (or use an existing framework). Otherwise by default you just have a ton of session* files on your disk and you may not easily be able to figure out which one belongs to which user.


Before you allow the spammer access to any of the pages, use the user's session data to check whether they have the disabled flag in the db; if so, destroy the session and route them to a non-protected page (login or home).

The only issue is that you are doing a db lookup on every page that is protected.
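
The per-request check described in the answer above, sketched as an added example that is not part of the original answers. The `users` table with a `banned` column, the `$_SESSION['user_id']` key and the `/login.php` target are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema (hypothetical): users(id INTEGER PRIMARY KEY, banned INTEGER).
// Assumed session key (hypothetical): $_SESSION['user_id'], set at login.

/** Returns true when the account is flagged as banned or no longer exists. */
function is_banned(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT banned FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $banned = $stmt->fetchColumn();
    // A missing row (deleted account) is treated like a ban: fail closed.
    return $banned === false || (int) $banned === 1;
}

/** Wipes the session data, the session cookie and the server-side record. */
function destroy_current_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Call at the top of every protected page, before any output is sent. */
function require_active_user(PDO $db): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null || is_banned($db, (int) $userId)) {
        destroy_current_session();
        header('Location: /login.php'); // hypothetical unprotected page
        exit;
    }
    return (int) $userId;
}
```

Because the flag is read from the database on every protected request, a ban set by the admin takes effect on the banned user's next page load without the admin needing to know that user's session ID.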


If you are tracking the user session with the username, then you can ban him with the session. Of course you know what to do in the db, I guess.
