Posted by frizzle on 06/14/17 11:39
Gleep wrote:
> I've searched Google intensely on this topic and it seems no one really knows how to approach this.
>
> The goal: I don't want clients to give out their usernames and passwords to friends, since the site
> relies on subscription fees.
>
> Session IDs are matched between the browser and the server. So a user can login with same
> username and password and those sessions are tracked individually.
>
> Some suggest create table fields with the session ID and a time stamp. However my clients can spend
> a lot of time on a page and I don't want to force them to re-login, would be annoying.
>
> On the other hand, some clients do not logout properly and sessions open active and/or a script that
> runs the timestamp does not clear that field. Then the next time they login the stamp reads that they are
> active and will not allow them to login.
>
> I'm an experienced PHP programmer yet this task has got me going in circles. Every time I think I
> have a method worked out - there is a reason why it won't.
>
> The approach I'm considering now is to grab and loop all the server sessions username values - then
> compare those values to a flagged "logged-in" field from the user table. That way if a flag is
> negative I will allow the user to log in and create a session and flag that field. If a session
> does not exist then the flag is cleared. I would run the cron 10 minute intervals. If I find 2
> sessions with same username I unset both - then fire off an email to the client reminding them
> multiple logins are a bad thing.
>
> Does this sound right? Anyone else have a better idea?
Sorry, the email doesn't sound good to me. This would confront the
client with a 'flaw' in the system. I don't have a solution for your
problem, but this solution doesn't solve it, only moves it around. The
user might even not know there are multiple logins ...
Prevent multiple logins on 1 account by not letting more than 1 login.
How about setting a flag in the DB -> userid, session id, and time asking
them if they want to stay logged in. If no-one answers the popup,
refresh the page at e.g. 15 minutes.
If they do reply reset the flag's timestamp.
If a timeout is after 15 minutes, and user is logged in, but closes the
browser without logging out, the account would be max. 15 minutes
unavailable for the same user. You *could* remind the user (on next
login e.g.) that leaving without logging out is a bad thing ...
Frizzle.
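
One way to implement the flag suggested in the reply above (user id, session id, timestamp, 15-minute timeout), as an added example that is not part of the original thread. It assumes PDO with SQLite 3.24+ upsert syntax; the table, constant and function names are hypothetical.

```php
<?php
// Added example: active_session, LEASE_SECONDS and the functions are hypothetical names.
const LEASE_SECONDS = 900; // the 15-minute timeout suggested in the post

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE active_session (
        user_id INTEGER PRIMARY KEY, session_id TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// Try to take the single login slot for $userId. One atomic statement, so two
// simultaneous logins cannot both win. The claim succeeds when the slot is free,
// is already ours, or the holder has been silent longer than the lease
// (browser closed without logging out), so no cron clean-up is needed.
function claimLogin(PDO $db, int $userId, string $sid, int $now): bool {
    $st = $db->prepare('INSERT INTO active_session (user_id, session_id, last_seen)
        VALUES (:u, :s, :now)
        ON CONFLICT(user_id) DO UPDATE
           SET session_id = excluded.session_id, last_seen = excluded.last_seen
         WHERE active_session.session_id = excluded.session_id
            OR active_session.last_seen < :cutoff');
    $st->execute([':u' => $userId, ':s' => $sid, ':now' => $now,
                  ':cutoff' => $now - LEASE_SECONDS]);
    return $st->rowCount() === 1;
}

// Call on every page load or "stay logged in?" reply. Renews the timestamp while
// this session still holds the slot; false means another login took it over.
function heartbeat(PDO $db, int $userId, string $sid, int $now): bool {
    $st = $db->prepare('UPDATE active_session SET last_seen = :now
        WHERE user_id = :u AND session_id = :s');
    $st->execute([':now' => $now, ':u' => $userId, ':s' => $sid]);
    return $st->rowCount() === 1;
}

// Proper logout frees the slot immediately.
function logout(PDO $db, int $userId, string $sid): void {
    $db->prepare('DELETE FROM active_session WHERE user_id = ? AND session_id = ?')
       ->execute([$userId, $sid]);
}

// Constructed walk-through with a fake clock (seconds) and made-up session ids.
$db = openStore(); $t = 1000000;
var_dump(claimLogin($db, 7, 'sess-A', $t));        // first browser logs in
var_dump(claimLogin($db, 7, 'sess-B', $t + 60));   // second browser, lease still fresh
var_dump(heartbeat($db, 7, 'sess-A', $t + 600));   // first browser is still active
var_dump(claimLogin($db, 7, 'sess-B', $t + 1600)); // first browser silent past the lease
var_dump(heartbeat($db, 7, 'sess-A', $t + 1610));  // first browser's next request
```

A session that reads quietly for a long time keeps its slot as long as nobody else logs in; it is only displaced when a new login arrives after the lease has lapsed.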