> -----Original Message-----
> From: James Colannino [mailto:ja...@colannino.org]
> Sent: Tuesday, June 22, 2010 2:29 PM
> To: php-general@lists.php.net
> Subject: [PHP] Question about logins and locking
> 
> Hey everyone,
> 
> I have a question about logins.  Let's say that I want to allow each user
> account to login only once at a time.  I would then need some kind of
> locking mechanism to make sure that the same user can't login again somewhere
> else until first logging off.  What's a good way to achieve this?  I want
> to be able to handle situations in which the user closes their browser without
> first logging off, where I would want to count that as a logout.
> 
> Perhaps I could do some kind of periodic polling in Javascript, combined
> with a query to the database that sets a value when the user logs in and when
> the user logs out?  I'm just looking for some conceptual ideas.
> Thanks everyone!
> 
> James
> 

James,

1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
expire when the browser closes.
2) Have a table in the DB backend to keep track of whether the user is logged
in or not and when the validated user last accessed your site (this gets
updated when the user visits a link on your site by checking the cookie and
the DB entry of the session ID).
3) Set your session timeout according to your security requirements.
4) Have a JavaScript on a timeout to self-logoff should the user be AFK
longer than your session timeout.

If another user, or the same user, tries to login with a different browser,
you can check the status of the user.  If the user is logged in, you can
deny it after the authentication.  Should the user close the browser
without logging off, you can check when the user last accessed your site
and see if it's been longer than your session timeout.  For security
purposes, you can optionally send a courtesy email notifying that the user
didn't logout properly since last accessed.  This way, you can track whether
the user's system is compromised in some way or not.  It all depends on what
kind of application, service, user level access, and how strict the security
you require is.

Regards,
Tommy
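
As an added example that is not part of Tommy's reply or James's question, here is one way to implement steps 1 to 3 of the outline above in PHP with PDO: a browser-session cookie, a table recording the live session per account, and a login check that refuses a second concurrent login unless the earlier one has gone idle past the timeout. The table `active_logins`, the MySQL backend, the `$db` connection and the function names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed MySQL table:
//   CREATE TABLE active_logins (user_id INT PRIMARY KEY,
//       session_id VARCHAR(128) NOT NULL, last_seen INT NOT NULL);
// $db is an assumed PDO connection with ERRMODE_EXCEPTION enabled.

const SESSION_TIMEOUT = 900; // seconds of inactivity before a login counts as dead

// Step 1: cookie with lifetime 0 is discarded when the browser closes;
// Secure + HttpOnly keep it off the wire in clear and away from scripts.
session_set_cookie_params(['lifetime' => 0, 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Call only after the password has been verified. Returns false when another
// browser still holds a live (non-timed-out) login for this account.
function claimLogin(PDO $db, int $userId): bool {
    $now = time();
    $db->beginTransaction(); // FOR UPDATE serialises two simultaneous logins
    $q = $db->prepare('SELECT session_id, last_seen FROM active_logins WHERE user_id = ? FOR UPDATE');
    $q->execute([$userId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row && $row['last_seen'] > $now - SESSION_TIMEOUT && $row['session_id'] !== session_id()) {
        $db->rollBack();
        return false; // deny: the account is already logged in elsewhere
    }
    session_regenerate_id(true); // fresh session ID after authentication
    $db->prepare('REPLACE INTO active_logins (user_id, session_id, last_seen) VALUES (?, ?, ?)')
       ->execute([$userId, session_id(), $now]);
    $db->commit();
    $_SESSION['user_id'] = $userId;
    return true;
}

// Call on every request (step 2). Returns false when this session is stale
// or has been superseded, in which case the caller should treat it as logged out.
function touchLogin(PDO $db, int $userId): bool {
    $q = $db->prepare('SELECT session_id, last_seen FROM active_logins WHERE user_id = ?');
    $q->execute([$userId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['session_id'] !== session_id() || $row['last_seen'] <= time() - SESSION_TIMEOUT) {
        return false;
    }
    $db->prepare('UPDATE active_logins SET last_seen = ? WHERE user_id = ?')->execute([time(), $userId]);
    return true;
}

// Explicit logoff: release the account and drop the server-side session.
function logout(PDO $db, int $userId): void {
    $db->prepare('DELETE FROM active_logins WHERE user_id = ? AND session_id = ?')
       ->execute([$userId, session_id()]);
    session_destroy();
}
```

A browser closed without logging off simply stops calling `touchLogin`, so after `SESSION_TIMEOUT` seconds `claimLogin` treats the row as expired, which is the implicit logout James asked about.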


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php