I’m trying to do the following : let’s say that a logged-in admin user wants to force another logged-in user to logout out imediatly (kick him). The admin is not a rude person, and he would like to inform the kicked-user why he was kicked.
What would be the best solution to implement this ‘polite kick’ feature ?
I could implement the ‘kick’ part with no problem :
add a user_id column in the session table
select the correct row and just delete it from de session table : user will be logged-off !
My problem is with the ‘gentle’ part, or in other words, how to set a flash message to the kicked user ? Is it possible to inject a flash message directly into the session row of the user to be kicked ? I tried to decode/unserialize session data read from the session table, modify and update them, but up to now with no success…
The user is no longer on site since it should be logged out so no messsages on a missing user_id. The answer is using a method which triggers the logout (we haven’t figured out a way to kick a specific member out yet) and, after kicking him out assigning him a flash message. I’m not sure either if you can assign flash message to a given session id but this could be a very good implementation as it’s obvious that is needed since we’re two already just today asking the same question.
@Backslider : yes, this is a solution I thought about, but in my case, implemeting such a system only to be able to handle the “you’ve been kicked message” is too much. This would imply to create something like a system_message table , not refering to user by their id, but to logged-in users by their session id …
By doing so, you would not disconnect the kicked user, but the admin user who is performing the action.
@manilodisan : I read your post and I don’t know what’s the problem but I can garantee you that when I delete the session row for a logged-in user, this user is immediatly logged off. The session is recreated, but as a not-logged-in user. Here is how I initialize the session component :
Reading this thread I had a thought about extending writeSession() and readSession() for storing custom fields like message (or message FK) and “logout pending”. I the latter is set, display the message and kick out the user. Don’t know if it’s doable.
I would create a table for the admin action, then on the user side check that table. If the user_id is in the table, then perform the message/kick action for the user. Again, very simple. Why is that "too much"?
you’re right, I would do the same, and eventually I will.
My question was more some kind of technical curiosity : if it would be possible to modify DB session data for any user so the user gets logged-off with a flash message, then no need for additional table. I mean session data are here, in the DB session table !! … if only I could use them !
Maybe I’m wrong, but if so, I’m interested to know why.
Create a table when we have a sessions table for that? This adds one extra query to look up for an action which is only there very rarely (when the user is kicked by admin). The query is performed in the sessions table so you only need to look for a hook and if it’s present, log the member out.
I’m extending CDbHttpSession with a new class, added a row in the session’s table called ‘killed’ which gets the value of 1 when the admin kills a user session and, on the writeSession function of CDbHttpSession I select the killed value as well. If it’s 1 I log the member out calling Yii::app ()->user->logout (). So far so good, it doesn’t works. I can’t find a way to log a member out.
There is no "extra query". We place the hook in our new table (or your sessions table if you are needlessly querying that with every page). If the hook is there, log the user out with a redirect to your message page (if you like).
I’ve added a user_id FK to session table and create an AR for session. Admin can get a list of all logged-in user, and to kick one of them, just delete his row in the session table : user is kicked ! … but of course in this scenario, no flash message can be sent to the kicked user as the session is deleted…so the problem remains
I still don’t understand the problem. If the “logout pending” is conveyed (e.g. in an extended db session) to the next user request I guess it shouldn’t be any problem to show the message and call logout() or delete the session record. The user may have to resend the request (I don’t know).