Reply to Re: Need to find-out improper sign-out


Posted by Rik on 03/04/07 01:22

Gordon Burditt <gordonb.327re@burditt.org> wrote:
>>>> Every time a user at proper sign-in, a flag is set & account is locked
>>>> until he signs out by updating in the login-table. At sign-out the flag
>>>> is released & his account is ready to log-in again.
>>>> Is my logic right?
>>>
>>> Why on earth would you need such a thing, besides trying to drive off
>>> users?
>>
>> I'd even go so far as to say: the last one to log in clearly knows the
>> password, if another one is currently logged in under the same
>> credentials I log them out instantly.
>
> I'll agree here: if you *must* insist on one login at a time, kill
> the *old* session (which may have just suffered modem disconnectus),
> not the *new* one. It also acts to discourage account sharing
> (situation: pay site for pr0n or whatever). If you share your
> account widely, *all* people trying to use it are likely to get
> booted off often. It's harder to implement, though. One thing
> that makes it a bit easier is to use a session save handler which
> puts session data in a database, thereby making a search for people
> logged in under the same account easier.

I don't go as far as to use a custom save handler most of the time.
Determining whether a user is logged in is done with the help of a database
query though, where session id's and user id's are saved of the current
'active' users, which also gives a nice opportunity to check the time of
last activity etc.

>> People can get separate logins aplenty, no
>> reason to share, and another little security measure to, well, not
>> prevent, but end a specific session hijack.
>
> Depending on the design of the site, there are plenty of reasons
> for the same user to try to pull up two different pages from the
> site at the same time (for example, to look at two things you might
> want and compare features side-by-side to decide which to buy), and
> many times it is made necessary to log in twice to do that.

Normally, no. As long as he's using the same browser, he will have the
same session id, and it will still be considered one user serverside, even
if the requests hit the server at exactly the same moment (which 'never'
happens). If you use different browsers (Firefox & MSIE for instance),
then they'll get different id's, simply because they don't use each
other's cookies. On any normal site, opening a wide variety of pages with
a single login is perfectly possible.
--
Rik Wasmus
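
The approach discussed in this post (a table of session ids and user ids for the currently active users, with a last-activity time, where a new login replaces the old session), as an added example that is not part of the original thread. The table name, function names, the 30-minute idle limit and the in-memory SQLite database (PDO with the pdo_sqlite extension) are assumptions for illustration.

```php
<?php
// Added example: "newest login wins" backed by an active-sessions table.
// Names and the idle limit are assumptions, not taken from the thread.
declare(strict_types=1);

const IDLE_LIMIT = 1800; // seconds without activity before a session is stale

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE on user_id enforces one live session per account.
    $db->exec('CREATE TABLE active_sessions (
        session_id TEXT PRIMARY KEY,
        user_id INTEGER NOT NULL UNIQUE,
        last_activity INTEGER NOT NULL)');
    return $db;
}

// Call after the password check succeeds, with a freshly regenerated session
// id. Removes any older row for the account so the old session stops validating.
function register_login(PDO $db, int $userId, string $sessionId, int $now): void {
    $db->beginTransaction();
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')
       ->execute([$sessionId, $userId, $now]);
    $db->commit();
}

// Call on every request. Returns the user id, or null when the session was
// superseded by a newer login or has been idle longer than IDLE_LIMIT.
function validate_session(PDO $db, string $sessionId, int $now): ?int {
    $q = $db->prepare('SELECT user_id, last_activity FROM active_sessions WHERE session_id = ?');
    $q->execute([$sessionId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int)$row['last_activity'] > IDLE_LIMIT) {
        $db->prepare('DELETE FROM active_sessions WHERE session_id = ?')->execute([$sessionId]);
        return null;
    }
    $db->prepare('UPDATE active_sessions SET last_activity = ? WHERE session_id = ?')
       ->execute([$now, $sessionId]);
    return (int)$row['user_id'];
}

// Constructed walk-through: account 42 logs in from two browsers.
$db = open_db();
register_login($db, 42, 'sess-old', 1000);
register_login($db, 42, 'sess-new', 1060);            // second login replaces the first
var_dump(validate_session($db, 'sess-old', 1070));    // the older session
var_dump(validate_session($db, 'sess-new', 1070));    // the newer session
var_dump(validate_session($db, 'sess-new', 1070 + IDLE_LIMIT + 1)); // after the idle limit
```

Because the lookup is keyed on the session id, several pages or tabs opened in the same browser share one row and are not affected.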
