Forgive a mod_perl newbie for non-mod_perl thinking, but this is (a simplified overview) of how I would approach this:

request for any protected page
  - if no existing session data [so not authenticated]
        create new session
        remember target page in session
        redirect to login page
    otherwise
        allow access to page

login page POST with user id / password
  - if ( valid user / password )
        add user info to session
        expire previous session [id was saved in db]
        save new session id in the database [for next login]
        redirect to the originally requested page
    otherwise
        redirect to login page with error message

If someone now tries to come back with an old session id, there is no data in the session, so they will be considered unauthenticated, and will get redirected to the login page.

In PHP, I would expire the old session during login by deleting the session storage, if it still existed. mod_perlers can probably best suggest how to empty the contents of a session and / or remove the session storage.

As the decisions are made based on information on the server, this should also be safe from users pressing the BACK button, as BACK to a protected page will redirect to login. I'm not sure what happens with using History to select the page that immediately followed login - probably the usual 'Do you want me to post again?' question from Explorer etc.

I can see two issues with this approach:

1) login ping-pong. Two users using the same id/password will be logging each other out as they log in (but this seems to be what you want?)

2) it does not prevent the user from having the same pages open multiple times within the same browser instance (eg when the user presses Ctrl-N after having logged in)

just my 2 newbie pennies...

Regards
Jeff

-----Original Message-----
From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
Sent: 15 April 2002 16:02
To: Fran Fabrizio
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Enforcing user logged in from only 1 browser?
Fran Fabrizio wrote:
> Unfortunately, there's some terminology muddling...AuthCookie calls it a
> session when it establishes that a user is a valid user and sets a
> cookie on their browser. Apache::Session considers a session a series
> of page hits from the same user. It assumes you've already done
> whatever you need to do to assure that the user is valid.

I think you may find that neither of these does everything you need without a bit of additional coding. The common way to do this sort of thing is to use Apache::Session to track sessions (as in a series of page hits from the same user), and if the user authenticates, you put his user ID into the session data. You would have to do the auth part yourself, as well as the actual cookie handling, or else hack AuthCookie to cooperate with Apache::Session.

- Perrin
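The flow Jeff describes (protected page -> login -> expire the user's previous session -> redirect to the remembered target), written out as an added example. This is not code from the thread, from mod_perl or from Apache::Session: the in-memory SessionStore stands in for Apache::Session storage, the LAST_SESSION dict stands in for the "session id saved in the database" column he mentions, and USERS is a constructed credential table. Both of the issues he lists are visible in it: a second login for the same user deletes the first browser's session (ping-pong), and nothing stops one browser from reusing its own cookie in several windows.

```python
"""Single-active-session login flow, modelled on Jeff's outline.

Assumptions of this example (not from the original thread): an in-memory
SessionStore in place of Apache::Session, a LAST_SESSION dict in place of the
per-user "last session id" database column, and a constructed USERS table.
"""
import hmac
import secrets


class SessionStore:
    """Minimal server-side session storage: session id -> dict of data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)  # unguessable session id
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def delete(self, sid):
        """Expire a session by removing its storage entirely."""
        self._sessions.pop(sid, None)


# Constructed credential table. Plaintext only to keep the example short;
# a real store holds salted password hashes.
USERS = {"alice": "correct horse battery staple"}

# user -> id of the one session currently allowed to be logged in for that user
LAST_SESSION = {}


def request_protected(store, sid, target):
    """Handle a GET for a protected page. Returns (status, location, sid)."""
    session = store.get(sid) if sid else None
    if session is None or "user" not in session:
        # No session, an expired (deleted) session, or never logged in:
        # start a fresh session, remember the target page, send to login.
        new_sid = store.create()
        store.get(new_sid)["target"] = target
        return ("redirect", "/login", new_sid)
    return ("ok", target, sid)


def login(store, sid, user, password):
    """Handle the login POST. Returns (status, location, sid)."""
    session = store.get(sid) if sid else None
    if session is None:
        # Login POST arrived without a usable session (cookie lost/expired).
        sid = store.create()
        session = store.get(sid)

    expected = USERS.get(user, "")
    # Constant-time compare; the "" default keeps unknown users on the same path.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return ("redirect", "/login?error=1", sid)

    # Expire the previous session for this user, if it was a different one.
    # The old != sid guard matters: re-posting the login form inside the
    # current session must not delete the session we are about to use.
    old = LAST_SESSION.get(user)
    if old is not None and old != sid:
        store.delete(old)

    session["user"] = user          # mark this session authenticated
    LAST_SESSION[user] = sid        # "save new session id in the database"
    target = session.pop("target", "/")
    return ("redirect", target, sid)
```

One design point worth noting: the example keeps Jeff's scheme exactly, so the session id the user was given before logging in is the one that becomes authenticated; the only thing that changes at login is the data behind it. Because authorization is decided purely from server-side session data, presenting a deleted id gets the same treatment as presenting no cookie at all.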