Unique sessions?

lobobr

Greetings.

I'm developing a website based on a linux machine with apache 1.3.26 and PHP 4.2.0.

The whole site is based on sessions - wich is a great feature of PHP 4+ - and I'd like to restrict access to the site so each user can login only once at the same time - e.g. only one session per user is allowed.

Is there a way to do this? I've browsed the PHP documentation for sessins and didn't found anything useful about it, and I'd like to prevent some complicated hand-maded function to do this...

Any ideas, thoughts and ocasionally a straight answer would be greatly appreciated 🆒

Thanks in advance,

fukas

Hmm, I don't know if I understand you well, but I thing if you save user name to the session and each time you do the test if the user has session, it will be enough.

PHPdev

You can flag each time a user loggs in, but I think the issue you are going to run into is knowing when or if a user has closed their browser. There is a PHP Session ID, that may be of some help. Let me know if you come up with a good solution.

I had an application where I needed to allow the user to only login once, and only from one computer, thus I used cookies, ip addresses, and username data. But I still had the issue of, knowing when the user closed their browser.

PHPDev

fukas

I thing you don't need to know if user close the browser. Usualy you set up in your session some variable with user loggin time and than you test if your reserved time constant (usualy 10min) are elapsed. During this 10min is the session excepionable. I thing it's ok.

bobthedog

Hmm - just completed a job to do this.

The answer is not in stopping someone else log on if they try to log on with the same details as someone else who is logged in at the moment, but logging off the person who is currently logged in and letting the new person log in.

This is achieved using the following methodology.

1- When someone logs in, check their login details as usual in your database and if they authorise then have an additional field with their username and password which will hold their current session id. As they log in - update this session field for their username with the session id. Also do your usual setting of a session value holding their user id reference from the database

2 - When a user tries to access a page, use their user id in the session to check the session id held in the database. If this matches their current session then they are logged in ok.

3 - If the session id doesnt match, then log the person out, since they must have been logged out by a newer user logging in.

Hopefully the method described above will suit your needs 🙂

klansman

hi!

i know your problem. i am still looking (but not much) for an answer...

i don't think your solution is very good... imagine a forum like this one... imagine you are typing a message (a post-reply, for example) and then by accident or not, you try to login again from another machine... there goes your 500-line post-reply...

Of course that, if the described solution fits you, go ahead! no problem here!

I think that the way it should work would be to lock a session once a user logs in. Then if the same tries to login again, he/she should get an error message. Then there is a major problem... What if the first session cannot be closed (due, for example, to a browser crash), then the second user could never login again, because nobody/nothing unlocked the first session...

Possible solutions include timeouts, the solution you described (the valid session is allways the most recent)... and other, which i don't know...

What do you (all) think about this? am i being irrational? am i being too demanding? is this unnecessary?

cheers!

[]

PHPdev

klansman,

I must say that I agree with you, I think that we all must consider all sircumstances before proposing a solution, unless the origional poster states otherwise.

We all come back to the same issue, we never know if the browser has been closed, whether by the user or some other issue. If we could see all the sessions a server has open for a site then we would be albe to compare open sessions with logged in users. The only BAD solution I have come up with is to use JS, but with all the popup blockers out there, it is not a 100% solution. My previous post is a workaroud that met my needs, but does not sufficiently solve the problem.

PHPdev

bobthedog

i don't think your solution is very good... imagine a forum like this one... imagine you are typing a message (a post-reply, for example) and then by accident or not, you try to login again from another machine... there goes your 500-line post-reply...

Ok - I am trying to imagine this - you are writing a massive reply getting deeply involved in the subject matter - and then for some bizarre reason before you finish it and press sumit, you get up - go to another machine, and then you try and log in somewhere else... and are suprised that your original session expires... not very likely me thinks, unless you really are a bit dim.

Hmmm - tbh - I think your reasoning is deeply flawed, but I see what you are saying - and this may (in a freaky world) happen. Also, this forum system actually uses a cookie based system to store your login details (well - mine does at the moment) and I know I can open up several browsers on this machine and be connected to this forum using several different sessions all at the same time (since each new instance of the IE application - not just a "new window" - is regarded as a seperate process and hence gets assigned a seperate session).

If we take a solution used by another system - Yahoo Mail - you can see how they tackle the same problem. When I used to use their system, it may be that you spend 20 minutes writing an email (or whatever their session timeout was set to), and additionally, if you logged in on another machine then you were logged out from your current Yahoo Mail session and had to re-authenticate yourself.

I am glad to say that finally they have found a solution that seems to work. It appears that now, if you spend 20 mins writing your email, or you get logged onto another machine while writing said email, then you will not automagically be logged out when you try to send it. Instead, the system will let you send the email (probably by checking that your session variable has been set to determine that you ARE logged in - but not worrying about your session id matching that the latest stored version is the same as yours), and then when you try to navigate to a different page after that, you will be asked to re-authenticate yourself.

This - as far as I can see - is probably the best system in that you are not waiting 10 (or more) minutes for a session to expire on your system (bearing in mind that the default setting for session timeout in PHP is 0).

Anyhow - hope this helps you in some way.

klansman

it's a bit "far-fetch" isn't it?? (my idea...)

[]