I'm currently using PHP sessions to keep track of user sessions, with a last-activity field for timeouts, an id field, and an account-type field. Currently, all of this information, as well as settings data, is pulled form a MySQL database and stored in the session once the user is logged in, and remains unchanged for the duration of the session.
The issue is that I wish to implement the ability for administrators to change users' account types remotely. If the user's account type is changed remotely while they're still logged in, the change in the database won't be reflected in the user's session variable.
One solution to this would be to add a logout_flag column to the users database table. When a user's account type is changed by an administrator, that user's entry in the database will have logout_flag set to 1. Then I can use a session script to check this entry on every page load, and log them out if it's set to 1.
My concern is that this would add too much overhead for the server; With hundreds of users logged in at the same time, this would amount to hundreds of MySQL queries per minute. Is this the ideal solution though?
Try with session_save_path(), with that function you can find the path where PHP saves all session files. You can delete the selected file with unlink() later.
Careful with this! If the path = the global /tmp directory. Other applications are using this directory also and you can break something.
You need to know also the session id of your user, maybe saving the token and the user id/name will help you to identify the correct session file.
Related
When starting a session, an authentication is made to the database through a query. If this authentication is granted, one or more session variables are filled with data. This allows the user to transfer through multiple pages without having to re-authenticate - which is great. However, if a session variable that is being used is changed within the database, i.e. username change, access privileges change, the changes are not rippled through to the session (obviously).
How is it possible to get the database changes to trigger, or ripple to, the PHP session variables.
An example is being logged into a website where you have access privileges x that allows you to access pages 1,2,3. Your privileges are now taken away for some reason and you now have access privileges y which allows you to only access page 1. If the user is already authenticated within the site, these changes will not affect the users current session, and will still be able to access pages 2 and 3. This could be an issue in many situations.
Currently my solution to the problem is to re-authenticate the user every page, and update the session variables accordingly. This definitively seems the wrong way to accomplish this task from my limited understanding of how sessions (should) work.
Essentially, I would like a way for database updates to trigger a re-authenticate of the current logged in user. i.e. if user john12 has his database row altered, then his session should require re-authentication.
At the moment I can't think of any way to accomplish this without querying the database every time a page is loaded.
Any tips or solutions would be greatly appreciated.
How I usually do it is by having 4 fields for authentication is my database.
Username
Password (usually hashed)
Token
Logged IP
I remember the user's auth data in cookies. When user has entered the right username and password the website generates a new token and sets two cookies - username and token. On every page load you check if the username, token and logged IP match (to prevent token steal).If one of them isn't right remove all of them and redirect to login page.
In your case if you want to relogin on password change just delete the token when it has been changed.
The only con here is that only one machine can be logged at a given time.
I don't see why you don't want to query the database for user permissions, SQL databases are incredibly fast even with lots of records especially if searching by primary key.
I have built multiple sites already using PHP that allow users to log in and keeps their user id and username in session variables. I keep learning more about security and I want to check up on what the safest way is to store user information.
I am currently working on a user account page which allows users to view and edit their profile information. Currently the site does a simple MySQL query that pulls the users information from the database based on what the id stored in the session is.
Example:
$getUserInfoSQL = $connection->prepare("SELECT * FROM Accounts WHERE id = ?");
$getUserInfoSQL->bind_param("s",$userid);
$getUserInfoSQL->execute();
I just want to make sure its not reckless to provide user information just based on the session variable userid.
You can easily use a session to store userdata, as the session contents are stored on YOUR server. However, storing userdata in a session can cause some problems:
If you e.g. ban a user, the session would still be active, and the user could browse your site, even though it is not in the database
If a user is logged in on two machines (e.g. a computer and smartphone), and changes userdata on one device, you'd have to update the session on the device they're changing the userdata from, but then the other session contains outdated info.
Server restarts can wipe session data
Using session variables should be safe enough. The session data in kept on the server and the only thing stored locally on the user's end is the session ID.
PHP stores the session data in a file on the server, but you can store it in the database as well. It's a bit faster and should be safer as well. — Check out the answer by RobertPitt at https://stackoverflow.com/a/2950504/859999 to find out how to store session data in the database.
Currently when the user logs in my site, a (PHP) session is started and his database row is saved in his $_session. I do so because the size of user's data is small for now, and this way I do not have to ask the database for user's data every time I need it.
The problem is that, when I want to add or change something during the development and I touch the database, the session is not updated this way. The user have to logout and login again to update the session. This is good for now since the site is in development phase, but in production this is not desirable.
I wouldn't delete session files, because people are lazy and I would avoid to force them to re-login every time something change in database, and I do not want to reload the session every X minutes. My solution for now is a boolean column inside the user's table, false by default, that I set true when I change the database. Every time a session is continued, session data will be updated if that value becomes true. Anyway this way I have to do a (small) query every time an user continues a session. I do not know if this will be a problem in production.
Is there an alternative / better way to solve my problem?
If I understand the problem correctly, one way to handle this would be every time a user row in the DB is updated that user's session data could be updated as well in PHP.
If it is not the user updating the records (such as an administrator changing a user's permissions) most likely you would want to force a logout of the user. If it is the user updating the records (such as changing information in their user profile) simply updating those values in the session variables may be enough.
In both of these cases you probably also want to provide a message to the user letting them know what happened.
I want to make a login system using PHP and MySQL and do it in such a way that every-time only one person is logged into my system at any point of time. If the same user logs in on another window/session/place the old running instance should be invalidated and the new one should be validated.
I am aware that I can get this done by storing the session-id in the database and some routine that checks it and keeps on verifying it constantly periodically or on any database action.
Is there any other way I can accomplish this so that the checks for verification are minimized and I don't have to fire a query on each page refresh to check if the user is in the last logged valid login session.
In short I can summarize that i need a technique so that only my last valid login browser window is served the webapp.
You don't need to have any polling method, in fact you all you need to do is store the session id of any logged in user along with their username in a database.
Then, on each login, simply check if the user logging in already has a stored session. If they do, invalidate that one and store the newly logged in session in a database.
When an old session tries to reconnect to the app, the data for their session will no longer be stored on your server, so they won't be logged in any longer.
All this requires is making an extra check anytime somebody logs in, not any polling method or the like.
Every time the user loads a site of your homepage you have to check whether the user is logged in or not. This is always one sql query. So store the session-key along with the user-data and than you can simply add the session-key to the WHERE-clause to identify the user. In this way you have only your one sql query which you have anyway to verfiy that the user is logged in.
Firstly, I'd build this with a database to manage your session policy. If it turns out to be bottleneck, you can optimise then.
If the application runs on a single server, you could perhaps use shared memory (e.g. using APC's apc_store & apc_fetch) to store some state information which can be shared among processes. This could simply store the last-known session id, keyed on the user id. Then you can quickly discover if the current session is still valid.
If you're running on multiple servers, then memcache might be worth a look for achieving something similar.
I've made a log in script for my site, the session stuff basically look like this.
if($_SESSION['loggedin']=="Yes"){
//user online stuff
}
For all other users the session is set
$_SESSION['loggedin']=="No";
How can i display active session that are set to yes or no? should i work anything with mysql tables and use crontabs? or should i count files in tmp(session directory) on apache?
What are the best methods and how can I do it?
Crontab is not necessary here. You can store last activity date and time somewhere (mysql database?), and use simple select, which would show amount of users, who were active within some timeout.
This table can be used for server-side tracking of logged in users. Table may also contain some additional information, like IP address, X-Forwarded-For IP etc.
You can store the users in a database, along with their login information, and check that every time you want to authenticate a user. This is far safer than using just session variables to authenticate.
You can count the number of users that are logged in by setting a bit for the user's record when they log in and turning the bit off when they log out / session expires, and counting the number of these bits that are on to see how many people are logged in.
If you need to display the actual users currently logged in, you're better off using a column in your users mysql table to track the current login state, and doing a periodical request via a cronjob, and store that info in a .txt file so that you can do the query just once for all logged in users and share the result by including it in your rendered html.
The other method (reading inside the session folder storage) is possible but more complex and probably less effective, although i haven't done any benchmarks. It just feels very hacky.