Could I kill all users logged in sessions ?

[adrianmak]

I put a site settings toggle to turn on/off for front-end user login

if it is on, the login form will not show and with a message something like "Site under maintenance. User login is temporary closed"

I found that is a user is already login and visit those restricted area (required user log-in), and I turn off user login,

those logged in users are still able to visit the restricted area.

How (possible?) do I kill all logged in users' session ?

[DaveP]

Looking at the cheatsheet, there is a $session->getAll() which returns an array which you could foreach() and $session->remove($name).

Probably.

[LostKobrakai]

session->getAll() does return all session variables, but not sessions. Forcefully logging users out can be done by removing their session files / db entries or by implementing a bit of code into the processwire bootstrap, which checks if a user should be logged out forcefully and redirect right afterwards.

[tpr]

Changing the salt won't kill'em all?

[LostKobrakai]

Changing the salt won't do anything because the salt is only needed to compare passwords with their db value, which does only happen on login and not for active sessions.

[szabesz]

So changing the salt is good for locking out everyone... Or at least to force them to reset their passwords if they are allowed to do so in the first place.

[adrian]

You could maybe hook into PageRender::renderPage ?

Take a look at the ForcePasswordChange module: https://github.com/adrianbj/PasswordForceChange/blob/master/PasswordForceChange.module#L57 and the method that is called: https://github.com/adrianbj/PasswordForceChange/blob/master/PasswordForceChange.module#L87

Taking that approach you can prevent them from viewing the restricted pages even if they are logged in.