Why don’t you change your auth method to check for logged == false also? (where logged is a 0/1 flag for each user and you set it to 1 on each login and 0 on each logout)
I would do this with an accessFilter. Put your login page in the guest auth portion. That way if they try to go to the login page while logged in, they’ll be redirected back to the index.
Use CDbHttpSession, you can extend it so that there’s a field for the user id. In CWebUser::afterLogin (you can test if it’s autologin from cookie via $fromCookie) you can execute a delete command:
    Yii::app()->db->createCommand(
        "DELETE FROM `session_table` WHERE `id` != :session_id AND `user_id` = :user_id"
    )->execute(array(
        ':session_id' => Yii::app()->session->sessionID,
        ':user_id' => $this->id,
    ));
Thanks for the answer Y!!. Your solution works, but only when a user does not have the autologin option enabled. Otherwise, when I delete the corresponding row from the session table, a user’s session will automatically renew on the next page refresh. I gotta figure out how to mark a user’s cookie as invalid.
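One way to invalidate stale autologin cookies alongside the session delete, as an added example that is not code from any poster in this thread: a CWebUser subclass that rejects a cookie login in beforeLogin() unless the token stored in the cookie's identity states matches the one kept server-side. The `user` table, its `login_token` column, the 'loginToken' state name and the issueLoginToken() helper are assumptions, as are PHP 7 or later and a session table that already carries `user_id`.

```php
<?php
// Added example (not from the thread). Assumed names: a `user` table with a
// `login_token` column and an identity state named 'loginToken'.
class WebUser extends CWebUser
{
    // Hypothetical helper: UserIdentity::authenticate() calls this after the
    // password check and stores the result with $this->setState('loginToken', ...),
    // so the token travels inside the autologin cookie.
    public static function issueLoginToken($userId)
    {
        $token = bin2hex(random_bytes(32)); // PHP 7+
        Yii::app()->db
            ->createCommand('UPDATE `user` SET `login_token` = :t WHERE `id` = :id')
            ->execute(array(':t' => $token, ':id' => $userId));
        return $token;
    }

    // Yii calls this before every login; $fromCookie is true for autologin.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // password already verified by the identity class
        }
        $current = Yii::app()->db
            ->createCommand('SELECT `login_token` FROM `user` WHERE `id` = :id')
            ->queryScalar(array(':id' => $id));
        $presented = isset($states['loginToken']) ? (string) $states['loginToken'] : '';
        // A cookie issued before the latest password login carries a stale token.
        return is_string($current) && $current !== ''
            && hash_equals($current, $presented);
    }

    protected function afterLogin($fromCookie)
    {
        if ($fromCookie) {
            return; // cookie already proven current in beforeLogin()
        }
        // Fresh password login: remove this user's other session rows
        // (the DELETE from the thread; `user_id` column as described there).
        Yii::app()->db->createCommand(
            'DELETE FROM `session_table` WHERE `id` != :session_id AND `user_id` = :user_id'
        )->execute(array(
            ':session_id' => Yii::app()->session->sessionID,
            ':user_id'    => $this->id,
        ));
    }
}
```

Because each password login rotates the token, a cookie left on another device stops restoring the session as soon as its row is deleted.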
I found this thread in the forum and I have a question concerning the problem. Is it possible to inform the user whose session I destroyed with the delete statement that he got logged out?
There must be a place in the application where the session is checked, or if the user is logged in. Probably that would be the best place to put that code, but I don’t know where this is…