PHP SESSIONS Check if user is still in database, while logged in

Question

Let's say the User named Michael is registered, and is in our database in table named users.

Michael browses my site, and while he does so, I delete his user from the table. My login system works with sessions.

After user Michael was deleted from the database, the browser can browse the website with "Michael" until the session ends.

That's because after the session processes, it doesn't change unless you check every time.

My solution that may increase a huge engine load because of too many queries / requests:

In session.inc.php add a checker:

if (isset($_SESSION['user']))
{
    $check = $pdo->prepare("SELECT * FROM users WHERE user_name = :user")
    $check->execute(array( ":user" => $_SESSION['user']));

    if (!$check->rowCount())
    {
        session_destroy();
    }
}

It will check if theres a row with the exact same username he is logged in currently with the session, if not, it will destroy the session.

Question:

Will that solution cause a large engine load, if my website gets many browsing users?

Is there a better method of doing this?

user name should be unique hence no need for the limit clause. — Sebas
– Sebas, Commented Apr 21, 2013 at 13:15
For this check, SELECT COUNT(*) FROM users WHERE user_name = :user should be enough. Faster than fetching all data. — Gabor Garami
– Gabor Garami, Commented Apr 21, 2013 at 13:20

Gajus · Accepted Answer · 2014-02-24 01:12:23Z

3

When you delete a row from "users" table just delete or expire the session of that user.

edited Feb 24, 2014 at 1:12

Gajus

74.7k81 gold badges301 silver badges479 bronze badges

answered Apr 21, 2013 at 13:15

Ayush Pandey

1687 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

user1761494 Over a year ago

So when I delete a user from an admin panel, I can simply do Destory_session($username); ?

Abhishek Salian · Accepted Answer · 2013-04-21 14:54:00Z

0

Ayush - How are you going to destroy someone else's session?

user1761494 - The best method is to save sessions in database, this not only adds security to your website, also gives you full control over sessions. when you kick a user out (delete/ban) just delete the session record for that user along with it.

answered Apr 21, 2013 at 14:54

Abhishek Salian

9342 gold badges10 silver badges28 bronze badges

1 Comment

Ayush Pandey Over a year ago

earlier i had assumed that there was a field in database for session and whenever he deletes session firstly, he sets that filed inactive then deletes it....

Collectives™ on Stack Overflow

PHP SESSIONS Check if user is still in database, while logged in

2 Answers 2

1 Comment

1 Comment

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

1 Comment

1 Comment

Your Answer

Sign up or log in

Post as a guest

Related