[PHP-DB] Session questions

2002-11-27 Thread Chris Payne
Hi there everyone,

 I have a login system which uses sessions, and when people login it puts
the date they logged in in their profile and moves their last login date
over to another field, that works fine, but how can I check if someone has
logged out via code?  In other words, if someone does what they want and
then just closes the browser without logging out no record is saved, how can
I tell whether they have logged out / gone from the website ?  I need to
know this for security.

Which brings me to my next question :-)

How would I make it so only 1 person can login at any time with any given
username/password combo?  I know I have to track the sessions, but not sure
how :-(

Any help would really be appreciated.

Chris


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP-DB] Session questions

2002-11-27 Thread John W. Holmes
> I have a login system which uses sessions, and when people login it puts
> the date they logged in in their profile and moves their last login date
> over to another field, that works fine, but how can I check if someone has
> logged out via code?  In other words, if someone does what they want and
> then just closes the browser without logging out no record is saved, how can
> I tell whether they have logged out / gone from the website ?  I need to
> know this for security.

You can't know for sure. It's a limitation of HTTP. What you do is
assume that if after X minutes, the user hasn't done anything, then they
have left. If you're using sessions, the files will be cleaned up after
X minutes, anyhow, and they will lose their login. 

> Which brings me to my next question :-)
>
> How would I make it so only 1 person can login at any time with any given
> username/password combo?  I know I have to track the sessions, but not sure
> how :-(

Set a flag in the database that says whether that user is logged in. If
that username tries to log in again, set an error. The problem you'll
run into with this, though, is you'll have to implement a cleanup
system to unset the flag after X minutes of inactivity. Also, if I
accidentally close my window and then go back to log in, it won't let me
because the flag is still set until your cleanup program unsets it. 

---John Holmes...







Re: [PHP-DB] Session questions

2002-11-27 Thread Marco Tabini
Here's a couple of suggestions:

1) You can use JavaScript to trap the window's closure and create a new
window that simply calls one of your scripts that closes the session.
This is not 100% foolproof, however, so you need to come up with a
backup plan, like closing sessions automatically with a batch process in
the backend.

2) That's easy enough--just store a unique token in their session and
in the database when they log in. If, when they come to you with a
particular user id they do not have the right token, then that means
that either (a) somebody is trying to steal a session or (b) two people
have signed on with the same username, in which case you can decide who
gets the boot. This, too, is not a completely foolproof method
(particularly if you don't use SSL), but it's a good starting point.

Hope this helps.

Cheers,


Marco

-- 

php|architect - The magazine for PHP Professionals
The first monthly worldwide magazine dedicated to PHP programmers

Come visit us at http://www.phparch.com!




On Wed, 2002-11-27 at 20:19, Chris Payne wrote:
> Hi there everyone,
>
> I have a login system which uses sessions, and when people login it puts
> the date they logged in in their profile and moves their last login date
> over to another field, that works fine, but how can I check if someone has
> logged out via code?  In other words, if someone does what they want and
> then just closes the browser without logging out no record is saved, how can
> I tell whether they have logged out / gone from the website ?  I need to
> know this for security.
>
> Which brings me to my next question :-)
>
> How would I make it so only 1 person can login at any time with any given
> username/password combo?  I know I have to track the sessions, but not sure
> how :-(
>
> Any help would really be appreciated.
>
> Chris
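
The following is an added example, not code from any post in this thread. It combines the per-login token from the second suggestion above with the "X minutes of inactivity" rule from the earlier reply, letting the newest login win so that a closed browser never locks the user out. The `users` table, its columns, the `login()`/`check()` functions, the 15-minute limit and the in-memory SQLite database (which needs the `pdo_sqlite` extension) are all assumptions; plain arrays stand in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added illustration: table, column and function names are assumptions.
const IDLE_LIMIT = 900; // "X minutes" of inactivity; 15 minutes is an assumed value

$db = new PDO('sqlite::memory:'); // in-memory stand-in for the real user table
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, token TEXT, last_seen INTEGER)');
$db->exec("INSERT INTO users (username) VALUES ('chris')");

// Call after the password check succeeds. A new login replaces the stored
// token, so any older session for this username stops validating.
function login(PDO $db, string $user, int $now): array {
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET token = ?, last_seen = ? WHERE username = ?')
       ->execute([$token, $now, $user]);
    return ['user' => $user, 'token' => $token]; // what would go in $_SESSION
}

// Call at the top of every protected page; returns a status string.
function check(PDO $db, array $session, int $now): string {
    $st = $db->prepare('SELECT token, last_seen FROM users WHERE username = ?');
    $st->execute([$session['user'] ?? '']);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['token'] === null || !isset($session['token'])) {
        return 'not logged in';
    }
    if (!hash_equals($row['token'], $session['token'])) {
        return 'token mismatch'; // stolen session or a newer login elsewhere
    }
    if ($now - (int)$row['last_seen'] > IDLE_LIMIT) {
        $db->prepare('UPDATE users SET token = NULL WHERE username = ?')
           ->execute([$session['user']]); // treat the idle user as logged out
        return 'timed out';
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE username = ?')
       ->execute([$now, $session['user']]); // activity resets the idle clock
    return 'ok';
}

// Constructed walk-through: two browsers, one username.
$t = 1000000;                          // constructed timestamp
$a = login($db, 'chris', $t);          // first browser logs in
echo check($db, $a, $t + 60), "\n";    // first browser, one minute later
$b = login($db, 'chris', $t + 120);    // second browser logs in as the same user
echo check($db, $a, $t + 130), "\n";   // first browser after the second login
echo check($db, $b, $t + 130), "\n";   // second browser
echo check($db, $b, $t + 130 + IDLE_LIMIT + 1), "\n"; // second browser after idling
```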
 
 