Session still in use?

Anon

hello! well I'm currently working on an authentifiation system with session. The system is based on Mysql where I've got the Tables users und session. In the session table I save the userid and the sessionid to know when which users logged on. I also hab a boolean in the talbe, to mark a session as 'closed'

now the problem is: how do I prevent a user of logging in twice?

Case 1:
User just closes the browser (does not logoff) - the server does not know that the user doesn't use the session any more. The Record in the table session is not marked as closed. now my scripts says: "hey, you are still logged in - please log out before logging in againt." But the user can't log out, cause he closed the browers ... -> probelm.

Case 2:
user logs of corretly - session is marked as closed -> next login is no problem.

Any idea to solve this problem?

Anon

The way I solved this problem:
- when user A logs in, note the time
- when user A views any page, update the time again (I do this for extensive session activity tracking anyway)
- now only allow logins on this login/password, if there has been no activity within the last 5 mins. This way, in "Case 1", user should get a message like: "Please try again in 5 mins."

So I don't work with the concept of being logged in or not, but simply at what time was the last activity of this user. Works for me.

Hope that helps,
Jens

[deleted]

using a timeout is nice, but to prevent a user from logging in twice, why not simply check if the user is logged in already? If he is already logged in just logout the old session and continue with the new one.

Or am I missing something here...

Anon

The reason why I don't do that, is because usernames are unique and are supposed to stay that way - ie. problems occur if someone gives his username and password to a friend, and they both try to log in. This is very probable in with my site, as users pay for access.

So in your suggested case, user A is happily logged in, then user B (who was given the same user name and password by his friend, user A), logs in, which could:
- either kick off user A
- or allow both to be logged in

If that's what you want, that's no problem. However, for me I cannot allow two people to be logged in at the same time, if only one paid for the access. And kicking off user A is just too messy 🙂 He will never know what hit him, and think there is a problem with the system.

-jens

[deleted]

"However, for me I cannot allow two people to be logged in at the same time, if only one paid for the access. And kicking off user A is just too messy 🙂 "

Simple solution: when the second user logs on, offer him the choice between terminating the 'old' session before loggin in, and not loggin in.

That way poeple who share the access data don't kick eachother off, and people who's browser crashed (and they often do) can get in without having to wait a rediculously long time.

jkarr

seems to me if usera A gives out his log in information to a pay site then it's his problem if he gets kicked off by user B logging in.