PHP: I can't have users logged into site on multiple browsers - php

Apologies if this question is already posted. I didn't find the answer I was looking for when searching through the related questions.
I have a login system I've just created that works with Facebook. Once the user logs in with their Facebook info, I create a profile in my database for them. I start a session upon successful login and store the user's id in that session. This setup so far has worked fine, but I've recently noticed that if I try to log in to the site on another browser (1x Chrome, 1x IE, and so on) at the same time it won't let me. How can I fix this problem? I would like the user to be able to not only log into multiple browsers on the same computer at the same time, but if they stay logged in at home, still be able to log in from another computer.
Any help is greatly appreciated!
Thanks!
EDIT: Yes, I'm interested in allowing users to log into multiple browsers, as in 1x Chrome, 1x IE, 1x Safari, etc. I should've been more clear. Sorry.

You may want to do some more research into cookies.
Your users should not be able to use multiple instances of the same browser (for example, 4 Internet Explorer windows) to log in.
Your users SHOULD be able to use different browsers (i.e. 1 x IE, 1 x Firefox, 1 x Chrome, or any of the above browsers + 1 with Private Browsing/Incognito/etc. enabled).
The reason for this is because the cookie storage is different. You could technically use different Firefox profiles, too, I think...
... but to get back to your question - you might want to learn more about Cookies and their function in sessions.

The session should not be terminated unless you do a check and terminate it yourself. An issue could be the actual Facebook login. If Facebook does not allow multiple logins (I think it does not), your first browser session will be getting an expired session (if you check on the Facebook login status), and this could cause your script to refresh the state of the first client (again, if you handle it like that).

Related

Chrome Toggle different devices view destroys the session

I am working on a website admin CP with PHP as the back-end technology, and at the same time I am fixing some responsive issues.
So I am logged in to the admin panel, but when I toggle different devices such as Galaxy, Nexus, iPhone or even responsive mode to test the responsive look or the fixes I have done, I find myself logged out and redirected to the login page. I also see things that shouldn't appear before login, such as the admin menu, but it is not accessible; in other words it's half logged in and half not.
Caching is not disabled.
The session ID is the same; I can see it.
I really can't get my head around it!
Is that something normal in the browser, which means every device is independent from the whole browser?
Or am I doing something wrong?
Finally, after several hours of reviewing my code and debugging every single thing, I came up with a solution to my problem:
My hypothesis in the question that the devices are independent from each other is quite correct, because every device has a different HTTP_USER_AGENT.
You can try it like this:
echo $_SERVER['HTTP_USER_AGENT'];
Toggle different devices in the browser and see the result.
So as for session best practice, based on Stack Overflow and many other resources, it is good practice to save $_SERVER['HTTP_USER_AGENT'] in the session and later on check it after login, which means the logged-in user is exactly the user coming from that browser.
And that's what I was doing: I was checking for the user login session and the user agent session.
And that's what was causing the problem: when I toggle different devices the HTTP_USER_AGENT changes, so the session doesn't match and therefore I get logged out automatically.
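The check the answer describes, written out as an added example (not code from the question or the answer): the User-Agent is hashed into the session at login and compared on every request, and the second assertion reproduces the device-toolbar logout. Session state is passed as an array so the script runs from the CLI; in a request that array is $_SESSION. The two User-Agent strings are constructed, representative values, not captured from a particular Chrome build.

```php
<?php
// Added example: binding a PHP session to the User-Agent header and the
// device-toolbar failure mode that results. Not code from the original post.
declare(strict_types=1);

// Fingerprint stored at login. Hashing keeps the raw UA out of session storage.
function uaFingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

function login(array &$session, array $server, int $userId): void
{
    // In a real request call session_regenerate_id(true) first so the
    // post-login id differs from the pre-login one (session fixation defence).
    $session = [
        'user_id' => $userId,
        'ua_hash' => uaFingerprint($server),
    ];
}

// The session is only honoured when the request's UA matches the one seen
// at login. hash_equals() avoids a timing side channel on the comparison.
function isAuthenticated(array $session, array $server): bool
{
    if (!isset($session['user_id'], $session['ua_hash'])) {
        return false;
    }
    return hash_equals($session['ua_hash'], uaFingerprint($server));
}

// Constructed headers: a desktop Chrome UA and the UA Chrome sends after a
// Galaxy device is selected in the device toolbar (same cookie jar, same
// session id, different header).
$desktop = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'];
$galaxy  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Linux; Android 8.0; SM-G950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36'];

$session = [];
login($session, $desktop, 42);
assert(isAuthenticated($session, $desktop));

// Toggling the device toolbar changes only the UA, so the fingerprint no
// longer matches and the app treats the request as unauthenticated. This is
// the "logged out after toggling devices" behaviour from the question.
assert(!isAuthenticated($session, $galaxy));
```

Two caveats worth knowing before keeping this check in production code. It only catches accidental cookie reuse from a different browser or tool: an attacker who has stolen the cookie can send the original User-Agent along with it, so it adds no real protection against session theft. And because the header is fully under the client's control, legitimate changes (a browser update, the device toolbar, a proxy rewriting headers) will log users out; session_regenerate_id() after login plus HttpOnly and Secure cookie flags are the parts of the recipe that actually matter.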

PHP auto logout after session timeout on mobile devices

I am sure someone has run across this issue before, I just haven't been able to find anything on it anywhere. Anyway here is the scenario.
I have a PHP website that a user will login, then their account id is set as a session variable, then once they are in it basically acts as a single page app. The session account id is for tracking their activities as they do different things throughout the app.
The site will be accessed primarily on mobile devices. I have PHP that sets the session timeout length, then using JS, gives them a popup warning a couple minutes before the timeout ends. Then after the end of the timeout, using a meta refresh, it redirects them back to the login page.
On a desktop, this all works like it is supposed to. On mobile, it is behaving differently. On a mobile device, a user may login, do some stuff on a page, then without logging out, put their phone in their pocket and not come back to it for a couple hours. When they open up the browser it keeps them on the page they were on, but the JS was obviously not running during the time their phone was sleeping, or whatever else they were doing in the interim. The meta refresh as well also does not work as expected, but the session is still timed out. So when they open the app back up, and try to do stuff, I am getting errors in the DB saying that id cannot be empty.
I can use ajax to check if their session still exists on every click of a button, but for speed of the app I would prefer not to do that.
Has anyone else run into this and found a solution for automatically logging out people on single page apps viewed on a mobile device?

FOSUserBundle - Unique session access

Using Symfony 2.0 and FOSUserBundle, I need to know how to restrict the access to make it unique.
This is what I mean:
User X accesses to my system creating a session through login/password
With that session still valid (not having closed the session, etc...), the same user X tries to access from a different computer or location.
In that case, I need the system to avoid its second access with some kind of message: "that user has a valid session from another computer".
Is that possible?
It would be possible and trustworthy only if you could find a secure way to know when the user's session has been destroyed or he has logged out from the other computer. As it can occur without explicit action from the user (i.e. he closed the browser and the session timed out), I wouldn't rely on it. Of course you could always try to find some workaround (i.e. predict session expiration time and track user logouts), but it still would not be 100% secure. Think about cases where new accesses will be denied because a session is still open on another browser without anyone in front of it.
On the other hand, you can do it the other way (when new user logs in, the other logs out) using Voters and some hints found in Allow one session only at a time.
Correct me if I am wrong, but I think there is finally no way to do what I am trying to, since Chrome (and I think FF too) saves the exact cookie and is able to restore the session, skipping all LoginHandler methods.
Let me explain myself.
Right, I was about (and actually I did) to implement the solution described in your answers and comments:
User X enters the web site with his login/password using Safari (for example)
The login datetime is stored both in table User in the database and in session
Without logging out, the same User X opens a different browser (Chrome, for example)
The new login datetime is updated in database and in Firefox session
The user gets back to Safari and tries to refresh the page
He gets an exception as the datetime doesn't coincide with the one stored in session
Well... great so far, as it seems to solve the problem.
And here comes the big deal: as described here and here, Chrome does not delete session cookies properly. So when the user doesn't log out and just closes the browser, any time he or she comes back to Chrome, the session is automatically restored without passing through a login handler, login method or anything around it.
This causes that "magical" datetime key not to be saved in either the database or the session and, as a result, puts a stick in the wheel of allowing just one session at a time, which was the original plan.
Any more light on the issue??
I want to cry :(

PHP how to force user to logout when the user is still logged on another computer?

Hello, I want to make a system website like Yahoo Messenger using PHP.
Here's the catch: when I (as user X) log in on computer A and then log in on computer B,
user X on computer A must be forced to log out.
But I don't want to use a session timeout, because the user can log in at any time.
Must I record it in a MySQL database?
Thanks in advance for any help, and I'm really sorry if this has been asked before.
Indeed, you will need to store your sessions in the database.
For each request, check if the database session hasn't expired. If it has, log the user out.
Now, if a user already has an active session in the database (from another computer), invalidate/expire it. The next request on the other computer will log the user out. The sessions shouldn't collide because the new session will have a different session ID.
As said in the above post, you need to store the session in a database. You might also consider storing the user's IP address so you can be sure that the user is accessing your web app from a different machine. A different session id doesn't mean that the user is definitely accessing from a different computer, because a user might have two (or more) browsers open on the same computer.
Please also note that for capacity and performance reasons the IP address shouldn't be stored as x.x.x.x; please read the following docs:
http://www.retran.com/beej/inet_ntoaman.html
http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_inet-aton
You can then clear the other sessions either by running a script when the user logs in (every user will clear his own logins on other machines), by implementing a link (so the user performs this task on his own demand, like in Google accounts), or by running a cron job over your script.
Hope this helps, have a nice day!
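The "new login evicts the old one" scheme from the answers above, and the datetime-in-database-and-session approach from the FOSUserBundle post, both reduce to one idea: a per-login value stored next to the user record and in the session, compared on every request. The following is an added example, not code from either thread. It uses a random token instead of a datetime (two logins within the same second would otherwise collide), an idle limit so an abandoned session cannot block the account forever (the concern raised in the FOSUserBundle answer), and an in-memory SQLite database so it runs stand-alone; a real deployment would point PDO at its MySQL server. Table and column names are assumptions.

```php
<?php
// Added example: one active session per user, enforced with a per-login random
// token stored in the users table and in the PHP session. Not code from the posts.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: one token and one last-seen timestamp per user.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        session_token TEXT NULL,
        session_seen_at INTEGER NULL
    )');
    $db->exec("INSERT INTO users (id, username) VALUES (1, 'userx')");
    return $db;
}

// Called after the password (or Facebook) check succeeded. Writing a fresh
// token invalidates whatever token an older session on another machine holds.
function login(PDO $db, array &$session, int $userId): void
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET session_token = :t, session_seen_at = :now WHERE id = :id');
    $stmt->execute([':t' => $token, ':now' => time(), ':id' => $userId]);
    // session_regenerate_id(true) belongs here in a real request.
    $session = ['user_id' => $userId, 'session_token' => $token];
}

// Run on every authenticated request. Returns false and clears the session
// when the stored token no longer matches the database row, i.e. the user
// logged in elsewhere, logged out, or the row went idle past the limit.
function checkSession(PDO $db, array &$session, int $idleLimit = 1800): bool
{
    if (!isset($session['user_id'], $session['session_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT session_token, session_seen_at FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row !== false
        && $row['session_token'] !== null
        && hash_equals($row['session_token'], $session['session_token'])
        && (time() - (int) $row['session_seen_at']) <= $idleLimit;
    if (!$ok) {
        $session = [];   // the equivalent of session_destroy() in a request
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET session_seen_at = :now WHERE id = :id');
    $stmt->execute([':now' => time(), ':id' => $session['user_id']]);
    return true;
}

function logout(PDO $db, array &$session): void
{
    if (isset($session['user_id'])) {
        $stmt = $db->prepare('UPDATE users SET session_token = NULL WHERE id = :id');
        $stmt->execute([':id' => $session['user_id']]);
    }
    $session = [];
}

// Two separate session arrays stand in for two browsers on two computers.
$db = connect();
$computerA = [];
$computerB = [];

login($db, $computerA, 1);
assert(checkSession($db, $computerA));

login($db, $computerB, 1);                // same user logs in elsewhere
assert(checkSession($db, $computerB));
assert(!checkSession($db, $computerA));   // A's next request is forced out
assert($computerA === []);

logout($db, $computerB);
assert(!checkSession($db, $computerB));
```

To get the "deny the second login" behaviour from the FOSUserBundle question instead, have login() refuse when the existing row's session_seen_at is within the idle limit; the idle limit is what keeps a browser that was simply closed from locking the account. Matching on IP address, as suggested above, is worth treating as a hint rather than a rule: users behind NAT share one address, and mobile users change address as they move between networks.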

Some users lose session info on my website (PHP). How can I prevent this?

On my website, some users complain about problems logging in.
Their browsers generally don't see the session info and cannot understand that the user is logged in, and behave as if the user never logged in. But after some refreshes, the browser sees the session info and shows the user as logged in normally. Again, if the user tries to do some action (like writing a message), the browser loses the session info again and redirects to the login page. The situation continues like that.
Browser security options, cookie options of the user's computer are all the same as mine.
I never face such a problem but they do.
How can i solve the problem, actually how can i see,understand the problem?
Thanks.
Since you seem to be unable to reproduce the problem, and getting to their machine may not be an option, you could potentially have them run something like Fiddler (ie), Firebug (firefox), etc, then send you the logs.
As gavtaylor suggested, I'd be suspicious of a load balancer, proxy, or otherwise.
The usual recipe is:
try to reproduce the problem
if this fails add more logging
if still not clear, then debug the code
Assuming the first one has failed, then you might want to start logging the value of the session cookie
Superficially, this sounds like a caching issue.
is your server load balanced?
I had this problem recently where users of one of our old sites were temporarily "losing" their logged-in state.
We found that the load balancer wasn't implementing sticky sessions properly, so people were jumping between servers, and because the site was using server sessions instead of database sessions, people were effectively logged out on one server but logged in on the other...
