Login Session Authentication

asukla

Dear All!
I have a one query related to PHP-MySql WAMP architecture.
I want to some suggestion upon this problem;
1) I am creating a login based security web site.
2) My need is one user can logon only once. (Not like rediffmail, yahoo or others One user can log on multiple instance using different systems at a time).
3) But I doesn't want to use Cookie due to security issue.
4) I am creating sessions using with superglobal arrays $SESSION (username, Useragent, First 6 char. of the users IP) and sets the database field IsLogInStaus 1 if user logged In.
5)When User logged out I also reset the database value to IsLogInStatus 0. By this way my implementation is working well.

5) But My problem occurs when Browser accidently crashes or user closed without logout. In that case users IsLogInStaus field doesnot set to 0 in the database.
How a way I solve this problem?

laserlight

3) But I doesn't want to use Cookie due to security issue.

Using a cookie to store the session id is more secure than using the query string. As such, it is recommended to enable session.use_only_cookies in php.ini.

4) I am creating sessions using with superglobal arrays $SESSION (username, Useragent, First 6 char. of the users IP) and sets the database field IsLogInStaus 1 if user logged In.
5)When User logged out I also reset the database value to IsLogInStatus 0. By this way my implementation is working well.

5) But My problem occurs when Browser accidently crashes or user closed without logout. In that case users IsLogInStaus field doesnot set to 0 in the database.
How a way I solve this problem?

Do not have such a IsLogInStaus column in the first place. To estimate if a user is logged in, record the time of the user's last page load in the database.

To prevent the user from having multiple concurrent logins (your point #2), record the session id in the database and use that as part of the authentication process. Since a new session id is issued on each login, a login to the account from another client will logout the currently logged in user.

You could go a step further and prevent the user from using the session concurrently by regenerating session ids on each page load, with session ids recorded in the database.

asukla

Using a cookie to store the session id is more secure than using the query string. As such, it is recommended to enable session.use_only_cookies in php.ini.

Please clarify me; How a way it is much secure & good way.
The negative aspect to cookies is that, while most users have cookies enabled, some choose to disable that feature. And In this regard what we can give solution.

Do not have such a IsLogInStaus column in the first place. To estimate if a user is logged in, record the time of the user's last page load in the database.

I have a need of only 20 maximum users at a time according to my need. So I have used IsLogInStaus field.

To prevent the user from having multiple concurrent logins (your point #2), record the session id in the database and use that as part of the authentication process. Since a new session id is issued on each login, a login to the account from another client will logout the currently logged in user.

The problem is not how to record users login Status. My problem is how to destroy this field when browser crashes/closed. Please suggest!

laserlight

How a way it is much secure & good way.

A user may pass the link to your website to someone else. If the session id is stored in the query string, it may also be passed on by a naive or careless user. This cannot happen with cookies.

The negative aspect to cookies is that, while most users have cookies enabled, some choose to disable that feature. And In this regard what we can give solution.

Require that your users have cookies enabled, at least for your website, and inform them that the cookie will only be used for user authentication. The alternative is to risk naive or careless users handing out their session ids.

My problem is how to destroy this field when browser crashes/closed.

You cannot determine the precise moment when the user closes the browser, walks away from the computer, or has his/her computer destroyed by a thermonuclear bomb. You can only determine the moment when the user uses your script's log out functionality.

This is why I suggest that you record the time of the last page load: you can arbitrarily decide that if the user has not loaded the page in the past x minutes, the user has probably closed the browser, walked away from the computer, etc.

tbobker

I had this very idea of only logging on once....my idea was to update a field in DB to 1 when logged on and 0 when logging out.

If trying to login again check for 1 or 0. If 1 already then no action if 0 then logon?

What do you think of this oh and also record IP on every logon so if from different ip will not work either.

asukla

tbobker wrote:
I had this very idea of only logging on once....my idea was to update a field in DB to 1 when logged on and 0 when logging out.

If trying to login again check for 1 or 0. If 1 already then no action if 0 then logon?

What do you think of this oh and also record IP on every logon so if from different ip will not work either.

Dear Sir!
I have doing previously. It works well except;
You have not defiend here, how a way you set the field value 0 when browser accidently close without logout or user close the browser without logout.

laserlight

You have not defiend here, how a way you set the field value 0 when browser accidently close without logout or user close the browser without logout.

That's because it is not possible, as I pointed out in my previous post. tbobker was just suggesting your idea, but your idea is not workable in practice since you cannot accurately determine when a user has logged out. Okay, it is workable in practice, but then you would be logging out the user after some arbitrary period of inactivity, which is a reasonable practice. As mentioned, this means recording the user's last known activity, not recording 0 for logged out and 1 for logged in.

tbobker

Isnt a $_SESSION killed when you close the browser / cant you set this?

laserlight

Isnt a $_SESSION killed when you close the browser / cant you set this?

If session.cookie_lifetime is 0, then the session cookie expires when the browser is closed. However, this client side event is not relayed to the server. If the user goes offline before closing the browser, it certainly cannot be relayed to the server. After all, it is not possible to inform the server that the client is now offline because... the client is now offline.