Session Help

RyanMinor

To my understanding, a session is created and then stored on the server with its assigned value and a unique id. So, if that is correct I should be able to somehow locate a particular session on the server based on it's assigned value. Well, I was hoping to use this concept to keep multiple people from logging in under the same account at the same time.

I figured that I could check this in my login script by declaring the customer's id as the session value when they login. Then, I could check for a session variable equal to the cusotmer's id when they try to login. My (untested) code is below. Am I going about this right, and how would I check to see if a user's session is currently set on the server?

<?php
// initiate session and redirect logged in users
session_start();
if(isset($_SESSION['customer_id'])) {
	header('location:my_videos.php');
}

// if login button was pressed
if(array_key_exists('login', $_POST)) {
	// initalize error array and check that user supplied a username and password
	$error = array();
	$username = trim($_POST['username']);
	$password = trim($_POST['password']);
	if(empty($username)) {
		$error['username'] = 'Please enter your username.';
	}		
	if(empty($password)) {
		$error['password'] = 'Please enter your password.';
	}
	// if username and password supplied then proceed
	if(!$error) {
		// connect to the database
		require_once('includes/connect.php');
		// filter data for query
		$username = mysql_real_escape_string($username);
		$password = md5(mysql_real_escape_string($password));
		$queryUser = mysql_query("SELECT customer_id, customer_username, customer_password FROM customer WHERE customer_username = '$username' AND customer_password = '$password'", $connect) or die(mysql_error());
		$dataUser = mysql_fetch_assoc($queryUser);
		$rowsUser = mysql_num_rows($queryUser);
		$customerId = $dataUser['customer_id'];
		// determine if the user is a valid customer
		if($rowsUser == 1) {
			// see how many IP addresses the customer has used to login with in the past 24 hours
			$queryIP = mysql_query("SELECT COUNT(DISTINCT log_ip) AS ip FROM log WHERE log_customer_id = $customerId AND log_timestamp IN((DATE_SUB(NOW(), INTERVAL 1 DAY)), NOW())") or die(mysql_error());
			$dataIP = mysql_fetch_assoc($queryIP);
			if($dataIP['ip'] > 3) {
				$error['ip'] = 'This customer account has reached the maximum number of IP addresses allowed. If you feel this is a system error please send us an email via the Contact Us form.';
				exit;
			} else {
				// see if the customer is already logged in
				$queryLogged = mysql_query("SELECT customer_id, customer_logged_in FROM customer WHERE customer_logged_in = 1 AND customer_id = '$customer_id'", $connect) or die(mysql_error());
				$dataLogged = mysql_fetch_assoc($queryLogged);
				$rowsLogged = mysql_num_rows($queryLogged);
				if($rowsLogged == 1) { // if database shows the customer is already logged in
					// if there is also a session variable set that matches their customer id on the server
					if($_SESSION['customer_id'] == $customerId) { // i need to somehow find this session value on the server first
						// this means the user is trying to login from two different locations
						header('location:bad_login.php');
						exit;
					// if no session variable for customer id is set on the server	
					} else {
						// this means user lost connection without logging out
						// set a customer id session variable
						$_SESSION['customer_id'] = $customerId;
						// log customer activity
						$ip = $_SERVER["REMOTE_ADDR"];
						$queryLog = mysql_query("INSERT INTO log (log_timestamp, log_ip, log_customer_id) VALUES (NOW(), '$ip', '$customerId')", $connect)or die(mysql_error());
						// send user to appropriate page (if a previous page session variable exists send them there)
						if(isset($_SESSION['previous_page'])) {
							header('location:video_info.php');
						// if not send them to the my_videos.php page
						} else {
							header('location:my_videos.php');
						}
					}
				} 
				// if database shows the customer is not logged in
				else {
					$_SESSION['customer_id'] = $customerId;
					$queryLogin = mysql_query("UPDATE customer SET customer_logged_in = 1 WHERE customer_id = '$customerId'", $connect) or die(mysql_error());
					$ip = $_SERVER["REMOTE_ADDR"];
					$queryLog = mysql_query("INSERT INTO log (log_timestamp, log_ip, log_member_id) VALUES (NOW(), '$ip', '$customerId')", $connect)or die(mysql_error());
					if(isset($_SESSION['previous_page'])) {
						header('location:video_info.php');
					} else {
						header('location:my_videos.php');
					}
				}
			}
		// if there was no match found in the database	
		} else {
			$error['login'] = "Incorrect username and/or password. If you do not have an account with us, please create one";
		}		
	}	
}		
?>

ixalmida

First, consider your garbage collection (session expiration) time. Unless you have it set very low, you may end up locking out legitimate users for extended periods. If you do have it set low, there's a potential to annoy users by logging them out quickly. Weigh your options carefully.

Second, I'm not sure why you want to mess around with sessions in the first place. It would be easier to save a cookie with a unique ID on the client computer each time they log in. Then check the cookie on all page hits. If there are two active IDs for the same user, log one of them out. Simple.

Derokorian

However cookies are stored client side and anything originating from the client cannot be trusted.

ixalmida

However cookies are stored client side and anything originating from the client cannot be trusted.

I wasn't suggesting any "trust". I was suggesting a means of checking for multiple logins. There are other steps I would take before trusting the client.