Posted by Gordon Burditt on 06/10/28 11:39
>Some suggest create table fields with the session ID and a time stamp.
>However my clients can spend
>a lot of time on a page and I don't want to force them to re-login, would
>be annoying.
>
>On the other hand, some clients do not logout properly and sessions open
>active and/or a script that
>runs the timestamp does not clear that field. Then the next time they log in
>the stamp reads that they are
>active and will not allow them to login.
My suggestion is to keep a database of active sessions. (user name,
session id, timestamp). Well, actually, I'm not sure you really
need the timestamp. If a user logs in, delete all the previous
session records with his user ID and create a new record with his
session ID. When a user tries to access a page, check for the
session record by session ID. If it's not there, redirect him to
the login page. In other words, if the user tries to log in twice,
blow away the *OLD* session(s), so if someone tries to continue
using them, they have to log in again. If the user explicitly logs
out, blow away all the session records with his user id.
If the user did not log out properly, this will do no damage, since
he won't use that session ID again. If there are two (or more)
users sharing a login and trying to use it simultaneously, they
will keep bumping each other off. You don't prohibit multiple users
but you make account sharing a real nuisance. It gets even worse
with a dozen users trying to share an account.
>I'm an experienced PHP programmer yet this task has got me going
>in circles. Every time I think I have a method worked out - there
>is a reason why it won't.
You can also use the approach of detecting multiple logins (timestamp
needed here for telling the difference between an abandoned session
and multiple users) and if there are too many too quickly, send a
nasty email. Realize that this might false-trip occasionally so
you only send email if it happens several times in a few days. Oh,
yes, tracking IP addresses might be useful as evidence in case the
user denies sharing his account. Perhaps his password was stolen
(by a family member he shares the computer with?)
Gordon L. Burditt
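The active-session table Gordon describes, written out as an added example (not code from the post or the poster): Python with an in-memory SQLite table standing in for the real database, the password check assumed already done by the caller, plus the login log with source IPs he suggests for spotting too many logins too quickly.

```python
import secrets
import sqlite3

# Constructed example: in-memory SQLite stands in for the site's database.
# active_sessions holds one row per live session; login_events is the
# evidence trail (who, from which IP, when) for the sharing check.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE active_sessions (
    username   TEXT NOT NULL,
    session_id TEXT PRIMARY KEY
);
CREATE TABLE login_events (
    username TEXT NOT NULL,
    ip       TEXT NOT NULL,
    at       INTEGER NOT NULL
);
""")

def login(username, ip, now):
    """Called after the password check succeeds (assumed done by the caller).
    Blows away every older session for this user, issues a fresh unguessable
    session ID and records the login with its source IP."""
    sid = secrets.token_hex(16)
    with conn:
        conn.execute("DELETE FROM active_sessions WHERE username = ?", (username,))
        conn.execute("INSERT INTO active_sessions VALUES (?, ?)", (username, sid))
        conn.execute("INSERT INTO login_events VALUES (?, ?, ?)", (username, ip, now))
    return sid

def session_user(session_id):
    """Per-page check: the owning username, or None when the session was bumped
    off by a later login or removed by logout (caller redirects to login)."""
    row = conn.execute("SELECT username FROM active_sessions WHERE session_id = ?",
                       (session_id,)).fetchone()
    return row[0] if row else None

def logout(username):
    """Explicit logout: drop every session record for the user."""
    with conn:
        conn.execute("DELETE FROM active_sessions WHERE username = ?", (username,))

def logins_within(username, now, window):
    """Logins by this user in the last `window` seconds and the distinct IPs
    seen; many logins from several IPs in a short window is the sharing
    signal to alert on (only after it repeats, to avoid false trips)."""
    rows = conn.execute("SELECT ip FROM login_events WHERE username = ? AND at > ?",
                        (username, now - window)).fetchall()
    return len(rows), {r[0] for r in rows}
```

A session that was never logged out simply stays in the table until the next login replaces it, so an abandoned session does no damage.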