Tracking duplicate sessions

pnoeric

Hey, I have an app with a login/logout function and I want to be sure that if someone is already logged in then the same user logs in again, the first session is logged out. (the idea is: only one session at a time with each username.)

To do this I think I need to watch the session ID and keep it in the db with the usrename, so if a user logs in and they already have a SID assocated with their name, kill that SID (the original session) and start recording the new SID. right?

3 questions:

is this the best way to do it?
the PHP-generated session ID is reliable and unchanging from page to page, right? (I require cookies and use sessions now in the app to keep them logged in from page to page.)
is there some way I can do this without using the db? I guess not since one session can't talk to another session without going through an intermediary (like a database), right? (does that make sense?)

just trying to wrap my head around this, appreciate any thoughts.

best
Eric

Anon

You can't have one session kill off another; on the other hand, if you check the SID stored in the database against the SID being supplied by the browser with each request, you can see if the request is coming from the "old" session (it won't match), and then kill it (logging the user out of that session in the process). That way the user can only have one concurrent login:
1) User logs in (gets SID #15). Db records SID as '15'.
2) User does stuff with SID 15.
3) User logs in again elsewhere (gets SID #27). Db records SID as '27'.
4) User does stuff with SID 27.
5) User tries to do stuff with SID 15. But because the current SID (15) and the Db's recorded SID (27) don't match, the user's request is refused and instead session 15 is killed, the user is treated as if not logged in (note that I'm not saying they're logged out). The user will have to go back to the session with SID 27 to continue working. (They're still logged in, only over there now instead of back here.)
Right - it wouldn't be much use otherwise 🙂
Right again; for obvious reasons sessions are kept independent of one another. 'Course you could poke around in the stores session data, but that would be a tedious way of using the filesystem to emulate a database. Besides, chances are you're already using a database to store user data anyway :-)

pnoeric

Grumbler, brilliant, thanks for the reply and the little meta-code example, that helps me a lot. I'll write it tonight....

Ok, now back to helping the newbies. ;-)

best
Eric