How does "Logout Everywhere" work in PHP? - php

I just found out that Stack Overflow has a link to log out every logged-in computer.
So I thought about how to implement the same functionality in PHP. I came up with using session_set_save_handler to control the write() method. In the write() method, I can make a session file start with the user's username. For example, a user john might have session files john_kdkajdkak and john_29039dla. When John clicks "Logout Everywhere", I can write code that finds filenames starting with "john" and then removes them to clear the sessions.
Are there any other better solutions? How did you implement it if you already made it work?

Use a database to persist session data.
Using session_set_save_handler you can roll your own database storage backend for user sessions: a sessions table that has a user_id foreign key related to the users table. A "logout everywhere" button would trigger a simple DELETE FROM sessions WHERE user_id = 1234 and invalidate every session for that user.
You can also easily add additional columns to the session table, to store the IP address of the session for instance, so users can see where other sessions are logged in from.
Use a database for flexibility and performance.
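The design this answer describes, as an added example that is not code from the question or the answer: a minimal database-backed session handler whose rows carry a user_id foreign key, plus the "logout everywhere" DELETE. It uses PDO with in-memory SQLite so it runs stand-alone; the table and column names are this example's own choices.

```php
<?php
// Added example, not code from the question or the answer: a minimal
// database-backed session handler (SessionHandlerInterface) whose rows carry a
// user_id foreign key, plus the "logout everywhere" DELETE the answer describes.
// Uses PDO with in-memory SQLite so it runs stand-alone; the table and column
// names are this example's own choices.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Pull user_id out of the serialized payload ("user_id|i:1234;" with the
        // default php serializer) so the row can be selected per user later.
        $userId = preg_match('/(?:^|;)user_id\|i:(\d+);/', $data, $m) ? (int) $m[1] : null;
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, user_id, data, ip, last_seen)
             VALUES (:id, :uid, :data, :ip, :ts)'
        );
        return $stmt->execute([
            ':id' => $id, ':uid' => $userId, ':data' => $data,
            ':ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli', ':ts' => time(),
        ]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_seen < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

/** "Logout everywhere": delete every session row belonging to $userId; returns the count. */
function logoutEverywhere(PDO $db, int $userId): int
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER, data TEXT,
                                  ip TEXT, last_seen INTEGER)');

session_set_save_handler(new DbSessionHandler($db), true);
session_start();
$_SESSION['user_id'] = 1234;    // set after a successful login
session_write_close();          // flushes the row through write()

// A second device for the same user (constructed directly for the demo).
$db->prepare('INSERT INTO sessions VALUES (:id, 1234, :data, :ip, :ts)')
   ->execute([':id' => 'second-device-sid', ':data' => 'user_id|i:1234;',
              ':ip' => '203.0.113.7', ':ts' => time()]);

printf("active sessions before: %d\n", $db->query('SELECT COUNT(*) FROM sessions')->fetchColumn());
printf("removed by logout everywhere: %d\n", logoutEverywhere($db, 1234));
```

The user_id column is what makes the whole thing work: a session row that is not tied to a user cannot be revoked by user, so make sure write() records it on every request after login, not only on the login request itself. The gc() method is what PHP calls for expiry, so stale rows are cleaned without a separate cron job.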

If you have multiple sites on the same domain, like StackExchange does, then you can do this with PHP.
As Billy already pointed out, the better practice would be to use database storage for this.
In your situation I'd think about using a CAS or similar solution.
But it all boils down to how many different sites you will have with the same account.

Related

what would be the best choice for programming online store basket

I have started creating an online store from scratch with PHP, and everything is fine, but I need to know which way is better and safer for creating a shopping cart (basket):
1- Work with a session? e.g. create session['cart'] and save the products there.
2- Work with the database? e.g. create a basket table, save the products there, and after checkout delete everything from this basket table.
Or maybe there is another way that is better and simpler that I don't know about?
Sorry for asking this question, but I can't find a good resource on the internet.
Thanks for your suggestions.
There are in fact three options:
Cookies
Sessions
Database
Cookies are unsafe. If you save personal data in cookies, malware can easily read that data. You don't want to get your user in that kind of position.
Sessions tend to get deleted when a browser closes, even when it's accidental. Safety is reasonable. Sessions use cookies to identify a user. A third user can copy that cookie and pretend to be that user.
The database seems to be the best bet so far, but how do you link a database record to a user?
My best bet is to have a database record linked to several (temporary) constants. If you save the IP address and a hash, which is saved in a cookie too, you can identify a user even after his browser closes.
The cart will endure until you delete it, the cookie expires or the user changes IP.
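The "database record linked to a hash saved in a cookie" design from this answer, as an added example that is not the answer's code: the cookie holds only a random token, and the database stores the SHA-256 of that token, so a copied database dump cannot be turned into someone's cart. It uses in-memory SQLite via PDO; the cookie, table and column names are this example's own choices. IP binding is left out deliberately, since the 256-bit token already cannot be guessed and a mobile shopper's IP changes constantly.

```php
<?php
// Added example, not code from the answer: the "database record linked to a
// hash saved in a cookie" design. The cookie holds only a random token; the
// database stores the SHA-256 of that token, so a copied database dump cannot
// be turned into someone's cart. Uses in-memory SQLite via PDO; the cookie,
// table and column names are this example's own choices.
declare(strict_types=1);

const CART_COOKIE = 'cart_token';
const CART_TTL    = 60 * 60 * 24 * 14;     // two weeks, then the cart row is stale

/** Look up the cart for a cookie token; create one if missing or expired. Returns [cartId, newToken|null]. */
function resolveCart(PDO $db, ?string $cookieToken, ?int $now = null): array
{
    $now ??= time();
    if ($cookieToken !== null && preg_match('/^[0-9a-f]{64}$/', $cookieToken)) {
        $stmt = $db->prepare('SELECT id FROM carts WHERE token_hash = :h AND expires_at > :now');
        $stmt->execute([':h' => hash('sha256', $cookieToken), ':now' => $now]);
        $id = $stmt->fetchColumn();
        if ($id !== false) {
            return [(int) $id, null];          // existing cart, keep the cookie as is
        }
    }
    $token = bin2hex(random_bytes(32));        // 256-bit random token, unguessable
    $db->prepare('INSERT INTO carts (token_hash, expires_at) VALUES (:h, :exp)')
       ->execute([':h' => hash('sha256', $token), ':exp' => $now + CART_TTL]);
    return [(int) $db->lastInsertId(), $token];
}

/** Cookie flags: not readable by page scripts, HTTPS only, not sent on cross-site POSTs. */
function sendCartCookie(string $token): void
{
    setcookie(CART_COOKIE, $token, [
        'expires' => time() + CART_TTL, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function addItem(PDO $db, int $cartId, string $sku, int $qty): void
{
    if ($qty < 1 || !preg_match('/^[A-Z0-9-]{1,32}$/', $sku)) {
        throw new InvalidArgumentException('bad sku or quantity');
    }
    $db->prepare('INSERT INTO cart_items (cart_id, sku, qty) VALUES (:c, :s, :q)')
       ->execute([':c' => $cartId, ':s' => $sku, ':q' => $qty]);
}

function cartItems(PDO $db, int $cartId): array
{
    $stmt = $db->prepare('SELECT sku, qty FROM cart_items WHERE cart_id = :c ORDER BY sku');
    $stmt->execute([':c' => $cartId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE carts (id INTEGER PRIMARY KEY AUTOINCREMENT, token_hash TEXT UNIQUE, expires_at INTEGER)');
$db->exec('CREATE TABLE cart_items (cart_id INTEGER, sku TEXT, qty INTEGER)');

[$cartId, $token] = resolveCart($db, $_COOKIE[CART_COOKIE] ?? null);   // first visit: no cookie yet
if ($token !== null && PHP_SAPI !== 'cli') {
    sendCartCookie($token);
}
addItem($db, $cartId, 'SKU-1001', 2);

[$again, $unused]  = resolveCart($db, $token);               // browser reopened, cookie sent back
[$other, $unused2] = resolveCart($db, str_repeat('0', 64));  // unknown token: gets a fresh empty cart
printf("same cart on return: %s, unknown token got a new cart: %s\n",
    $again === $cartId ? 'yes' : 'no', $other !== $cartId ? 'yes' : 'no');
print_r(cartItems($db, $again));
```

Nothing personal ever sits in the cookie, which is the answer's concern with cookies, and the cart still survives a closed browser, which is its concern with sessions. The expires_at column is what lets a periodic DELETE FROM carts WHERE expires_at < now keep the table small.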
Well, where you store the items which a user is going to purchase is completely irrelevant.
I would recommend you store them in cookies, so the user doesn't need a login to store his basket.
Unless you don't want hackers to spy on which products a user buys, there is no need for encryption in this part.
But if you want to handle credit cards, you will need to create an HTTPS connection.

Implementing a "remember me" log in system using cookies or sessions

I want to implement a "remember me" feature on a website I am currently working on, so that when a user closes the browser and opens it again, he will still be logged in as the same user.
What I currently have is a log-in page that creates a session when the user logs in. What I want to do is to create a cookie that saves information about the user that allows me to identify him.
Now there are a few things that I need your help with:
I don't want to save any sensitive information in the cookie, such as passwords or even a username. What I thought to save is the session ID created when he first logged in, and save it in a table in a MySQL database. Is that a good idea, or is there something better that I can save in the cookie?
After I implement the "remember me" feature, will I still need to use sessions? What I mean is that the website has the option to be used without a user, so of course on every page of the website I will have to check if the user has a cookie stored. If he does I will automatically log him in, but should I do it using a session? Isn't it a duplicate that I use both cookies and sessions for the same purpose, and of course do it for every single page of the website?
By the way I am developing the website using PHP.
It doesn't really matter. Only I would refrain from reusing this value as a session id again.
Yes, you will still need sessions, unless your site is extremely simple.
You can store the md5 of the cookie in the database... but just remember: if a user has multiple devices you get a cookie for each device.
If you don't clean your table once in a while it's going to contain lots of data!
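The pattern the answers point at (a value that is not the session id, hashed before it is stored, one row per device, and a table that gets cleaned), as an added example that is not code from the question or the answers. The cookie carries a random selector and validator; the database stores only the validator's hash. It uses in-memory SQLite via PDO; the cookie, table and column names are this example's own choices.

```php
<?php
// Added example, not code from the question or the answers: a "remember me"
// cookie built from a selector and a validator. The cookie never carries a
// session id, a username or a password; the database stores only the
// validator's hash, and every device gets its own row. Uses in-memory SQLite
// via PDO; the cookie, table and column names are this example's own choices.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // 30 days

/** Called after a successful password login when "remember me" was ticked. */
function issueRememberToken(PDO $db, int $userId, ?int $now = null): string
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key (18 hex chars)
    $validator = bin2hex(random_bytes(32));   // secret part, only its hash is stored
    $db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires_at)
                  VALUES (:s, :h, :u, :e)')
       ->execute([':s' => $selector, ':h' => hash('sha256', $validator),
                  ':u' => $userId, ':e' => ($now ?? time()) + REMEMBER_TTL]);
    return $selector . ':' . $validator;      // this string is the cookie value
}

/** Returns the user id the cookie proves, or null. A wrong validator for a known selector revokes that row. */
function userFromRememberCookie(PDO $db, ?string $cookie, ?int $now = null): ?int
{
    if ($cookie === null || !preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM auth_tokens WHERE selector = :s AND expires_at > :now');
    $stmt->execute([':s' => $m[1], ':now' => $now ?? time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        // Right selector, wrong secret: treat as a tampered or stolen cookie and drop the row.
        $db->prepare('DELETE FROM auth_tokens WHERE selector = :s')->execute([':s' => $m[1]]);
        return null;
    }
    return (int) $row['user_id'];
}

/** The housekeeping the answer asks for: drop expired rows. Returns how many were removed. */
function purgeExpiredTokens(PDO $db, ?int $now = null): int
{
    $stmt = $db->prepare('DELETE FROM auth_tokens WHERE expires_at <= :now');
    $stmt->execute([':now' => $now ?? time()]);
    return $stmt->rowCount();
}

/** Per-request logic: a live session wins; otherwise the cookie may start one. */
function currentUserId(PDO $db, ?string $cookie): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $uid = userFromRememberCookie($db, $cookie);
    if ($uid !== null) {
        session_regenerate_id(true);           // fresh session id when privilege changes
        $_SESSION['user_id'] = $uid;
    }
    return $uid;
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT,
                                     user_id INTEGER, expires_at INTEGER)');
session_start();
$cookie = issueRememberToken($db, 42);                       // laptop
issueRememberToken($db, 42, time() - REMEMBER_TTL - 1);      // phone, already expired (constructed)

unset($_SESSION['user_id']);                                  // "browser reopened": no session yet
printf("user from cookie: %s\n", var_export(currentUserId($db, $cookie), true));   // 42
[$sel] = explode(':', $cookie);
printf("tampered cookie: %s\n",
    var_export(userFromRememberCookie($db, $sel . ':' . str_repeat('f', 64)), true)); // NULL, row revoked
printf("expired rows purged: %d\n", purgeExpiredTokens($db));                      // 1
```

This also answers the second question: the cookie is checked only when there is no live session, and as soon as it verifies, a session is started for the rest of the visit, so the cookie lookup hits the database once per browser restart rather than once per page.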

MySQL/PHP: how to distinguish between multiple users in a database?

I wrote a simple web app to let users input data as they walk around a warehouse looking up products.
The database is a very simple one I created for the sole purpose of gathering some product data. They start the process by entering the location they are at in the warehouse. There are multiple users, and I did not implement a login feature; the application is accessible by anyone on the local network.
I want to keep track of the location IDs that the users input, but I want to be able to distinguish data input by different users.
I need an identifier that will allow me to distinguish one user from another. It can even be different for the same user every time he connects to the DB or uses a different computer.
Is this possible?
You could save the session id I guess, but it's not very identifiable to a specific user.
It would however allow you to identify which actions were done in the same session.
Just remember to start your session first:
session_start();
echo session_id();
Maybe this way: http://php.net/session_id
And don't forget to init session: http://php.net/manual/en/function.session-start.php
I would make use of a unique session ID along with setting a unique User ID in the session as well, so both can be recorded. I do something similar with an application we use.
session_start();
$_SESSION['UserID'] = $userId; // create your variable; $userId is a placeholder for whatever identifies the user
You can read more here:
http://www.php.net/manual/en/book.session.php
Keeping track of sessions will also allow you to monitor active sessions, record active sessions in database, implement some basic timeout functionality if they are not active for a period of time, etc...
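Both answers together, as an added example that is not code from the question or the answers: every location entry is tagged with the PHP session id, with a random per-session visitor id, and with the optional UserID the second answer suggests keeping in $_SESSION. It uses in-memory SQLite via PDO; the table and column names are this example's own choices.

```php
<?php
// Added example, not code from the question or the answers: tag every location
// entry with the PHP session id plus a random per-session visitor id, and with
// the optional UserID the second answer suggests storing in $_SESSION. Uses
// in-memory SQLite via PDO; the table and column names are this example's own.
declare(strict_types=1);

/** Random id minted once per session; it lives in $_SESSION, so it survives session_regenerate_id(). */
function visitorId(): string
{
    if (!isset($_SESSION['visitor_id'])) {
        $_SESSION['visitor_id'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['visitor_id'];
}

function recordLocation(PDO $db, string $locationId): void
{
    // Whitelist the format before it reaches the database (the prepared
    // statement stops injection; this stops junk from a mistyped scan).
    if (!preg_match('/^[A-Z0-9-]{1,32}$/', $locationId)) {
        throw new InvalidArgumentException("bad location id: $locationId");
    }
    $db->prepare('INSERT INTO scans (session_id, visitor_id, user_id, location_id, scanned_at)
                  VALUES (:sid, :vid, :uid, :loc, :ts)')
       ->execute([
           ':sid' => session_id(),
           ':vid' => visitorId(),
           ':uid' => $_SESSION['UserID'] ?? null,   // optional, typed once by the worker
           ':loc' => $locationId,
           ':ts'  => time(),
       ]);
}

/** Per-visitor summary: how many entries each anonymous visitor made. */
function scansPerVisitor(PDO $db): array
{
    return $db->query('SELECT visitor_id, user_id, COUNT(*) AS n FROM scans
                       GROUP BY visitor_id, user_id ORDER BY n DESC')->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE scans (session_id TEXT, visitor_id TEXT, user_id TEXT,
                               location_id TEXT, scanned_at INTEGER)');

session_start();
$_SESSION['UserID'] = 'forklift-7';          // typed once on the first screen (constructed)
recordLocation($db, 'A-12-03');
recordLocation($db, 'A-12-04');

// A second browser on another computer, simulated by switching to a fresh session.
session_write_close();
$_SESSION = [];
session_id(bin2hex(random_bytes(16)));
session_start();
recordLocation($db, 'B-01-01');

print_r(scansPerVisitor($db));               // two visitors: one with 2 entries, one with 1
try {
    recordLocation($db, 'shelf 12');         // lowercase and a space: rejected before the INSERT
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Recording the visitor id next to the raw session id matters because PHP may hand a browser a new session id (on regeneration or expiry) while the same worker keeps scanning; the visitor id keeps those rows grouped. With no login on a shared network, none of this identifies a person, only a browser, which is the limit the first answer points out.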

How to destroy a specific PHP session

I am looking for insights into how to destroy a specific session in PHP. Through a partner website, a user logs into the main website using a token and obtains a full session.
It is also possible for the partner website to call a destroy function if the user logs out from the partner website. We should then also log out our own user.
What is the best approach to this? The Zend_Session destroy method does not accept a parameter, and similarly the PHP function session_destroy does not either.
I am considering two options:
Removing the session information directly from file/memcache but would prefer a "cleaner" approach than this.
Checking at every page request if this is a "token" user; and if so, then checking if their token has expired by maintaining a list. This adds overhead to a busy website, but might be my only option.
Or is there a third / better approach I am not seeing?
There's no need to roll your own session handling.
session_id() can take a parameter, the session id you want to work with.
So, when you pass the user off to the partner site, pass along their session_id (or some token, or whatever).
Then allow the partner site to hit a script like this:
kill-user-session.php
<?php
/**
* Destroy any active session identified by $_POST['sid']
*/
session_id($_POST['sid']);
session_start(); // required: session_destroy() only works on an active session
session_destroy(); // destroys that session
So when the user logs out on the partner site, the partner site POSTs the session_id (that you gave them) to your kill-user-session script, and the user's session is destroyed on your server.
Of course, you probably want to limit access to kill-user-session.php via some method or another.
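The kill-user-session.php script with the access limit the answer leaves open, as an added example that is not the answer's code. The partner signs the session id with an HMAC under a secret agreed out of band, the id is checked against the character set PHP itself allows, and session_start() stays in because session_destroy() only works on an active session. The secret value and the POST field names are this example's own choices.

```php
<?php
// Added example, not the answer's code: kill-user-session.php with the access
// limit the answer leaves open. The partner signs the session id with an HMAC
// under a secret agreed out of band, the id is checked against the character
// set PHP itself allows, and session_start() is kept because session_destroy()
// only works on an active session. The secret and the POST field names are
// this example's own choices.
declare(strict_types=1);

const PARTNER_SECRET = 'replace-with-a-long-random-secret-shared-with-the-partner';

/** Same shape PHP accepts for its own ids (session.sid_length 22..256, chars a-z A-Z 0-9 , -). */
function isValidSessionId(string $sid): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1;
}

function partnerSignature(string $sid, string $secret): string
{
    return hash_hmac('sha256', $sid, $secret);
}

/** Attach to the given session, wipe its data and delete it; returns true on success. */
function destroySessionById(string $sid): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();          // do not clobber the caller's own session
    }
    session_id($sid);
    session_start();                    // required: session_destroy() needs an active session
    $_SESSION = [];
    return session_destroy();
}

/** Returns [HTTP status, message] for the POSTed fields. */
function handleKillRequest(array $post, string $secret): array
{
    $sid = (string) ($post['sid'] ?? '');
    $sig = (string) ($post['sig'] ?? '');
    if (!isValidSessionId($sid)) {
        return [400, 'invalid session id'];
    }
    if (!hash_equals(partnerSignature($sid, $secret), $sig)) {   // constant-time compare
        return [403, 'bad signature'];
    }
    return destroySessionById($sid) ? [200, 'destroyed'] : [500, 'destroy failed'];
}

if (PHP_SAPI !== 'cli') {
    [$status, $msg] = handleKillRequest($_POST, PARTNER_SECRET);
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
} else {
    // Command-line self-check with a constructed session: create one, then kill it.
    session_start();
    $_SESSION['user'] = 'alice';
    $sid = session_id();
    session_write_close();
    $dir  = session_save_path() ?: sys_get_temp_dir();
    $file = rtrim($dir, '/') . '/sess_' . $sid;

    [$s1, $m1] = handleKillRequest(['sid' => $sid, 'sig' => 'not-a-signature'], PARTNER_SECRET);
    [$s2, $m2] = handleKillRequest(['sid' => $sid, 'sig' => partnerSignature($sid, PARTNER_SECRET)], PARTNER_SECRET);
    echo "unsigned request: $s1 $m1\n";                     // 403 bad signature
    echo "signed request:   $s2 $m2\n";                     // 200 destroyed
    echo file_exists($file) ? "session file still present\n" : "session file removed\n";
}
```

The signature covers only the session id, so a captured request can be replayed, but replaying it merely destroys the same session again; if that is unacceptable, include a timestamp in the signed data and reject stale ones. Without the signature check, anyone who can reach the script and knows or guesses a session id can log that user out, which is the access problem the answer's last sentence refers to.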
If you wish to be able to 'kick' the sessions of a user (or users), the only way you can do it is if you use MySQL (or some other DB, even SQLite) for your session storage.
Then you can simply remove entries from the DB to kill a session.
This also allows you to do things such as 'take control' of a specific user's session and other stuff :)
See this for a very basic run through: http://www.devshed.com/c/a/MySQL/Custom-Session-Management-Using-PHP-and-MySQL/ (not the best example but good enough full example to start you).
EDIT
Also, if logging out through the partner site, another method I have used in the past (with O2 and other such sites) was that they were given a 'callback' (a REST API call in most cases) which they would also need to call when the user logs out of their site.
The database solution means that the session database needs to be shared between the main website and the partner site, which frequently isn't the case. Maybe something along these trivial lines would suffice?
<img src="mainwebsite/logout.php">
mainwebsite/logout.php:
<?php session_start(); session_destroy(); ?>

Multiple sessions in one instance using PHP?

I have a project where I would like to create two session cookies in one browser. The first session would be to uniquely identify a person, the second would be to share events within the session between users. I have been using a database for this, but would like the data to disappear when the session dies. There are no logins within the system.
Is there a way to do this, other than creating a cookie system to replicate functionality?
For example, we would have two session cookies:
name=someRandomUUID and session=valueSharedBetweenUsers.
I don't want to share the name session with multiple users, but the session session would be. Thoughts?
If you want to share information between users, using a session is not the best idea, as it uses the file system. You would be better off using the database, which handles all the issues of locking, concurrency, etc.
Although what you ask for is technically possible, I would strongly recommend against it.
EDIT
Assuming I have understood your requirement correctly, here is how I would do it:
Use session only to store session data related to that user. It could include something like:
$_SESSION['name'] = 'test name';
$_SESSION['groupid'] = 2;
A MySQL DB and table with fields groupid, XXXXX (data you want to store), timestamp
Whenever anyone updates information for a particular group id, you update the timestamp.
Then run a simple cron job to check if current time - timestamp > 3600 (one hour) for any record; you can consider those records stale and delete them.
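The layout this edit sketches, as an added example that is not the answer's code: per-user data stays in $_SESSION, shared data lives in a table keyed by groupid with a timestamp refreshed on every write, and a sweep meant for cron deletes groups idle for more than an hour. It uses in-memory SQLite via PDO; the table and column names are this example's own choices.

```php
<?php
// Added example, not the answer's code: the layout the answer sketches. The
// per-user data stays in $_SESSION, the shared data lives in a table keyed by
// groupid with a timestamp that is refreshed on every write, and a sweep
// (meant for cron) deletes groups idle for more than an hour. Uses in-memory
// SQLite via PDO; the table and column names are this example's own choices.
declare(strict_types=1);

const STALE_AFTER = 3600;   // seconds, the answer's one-hour threshold

/** Store one shared event for a group and mark the whole group as recently active. */
function publishGroupEvent(PDO $db, int $groupId, string $data, ?int $now = null): void
{
    $now ??= time();
    $db->prepare('INSERT INTO group_events (groupid, data, timestamp) VALUES (:g, :d, :t)')
       ->execute([':g' => $groupId, ':d' => $data, ':t' => $now]);
    // Any activity refreshes every row of the group, so the sweep sees the group as alive.
    $db->prepare('UPDATE group_events SET timestamp = :t WHERE groupid = :g')
       ->execute([':t' => $now, ':g' => $groupId]);
}

/** Events visible to the calling user, selected by the groupid held in their own session. */
function eventsForCurrentUser(PDO $db): array
{
    if (!isset($_SESSION['groupid'])) {
        return [];
    }
    $stmt = $db->prepare('SELECT data FROM group_events WHERE groupid = :g ORDER BY rowid');
    $stmt->execute([':g' => (int) $_SESSION['groupid']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** The cron job: delete every row whose group has been idle longer than STALE_AFTER. */
function purgeStaleGroups(PDO $db, ?int $now = null): int
{
    $stmt = $db->prepare('DELETE FROM group_events WHERE :now - timestamp > :max');
    $stmt->execute([':now' => $now ?? time(), ':max' => STALE_AFTER]);
    return $stmt->rowCount();
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE group_events (groupid INTEGER, data TEXT, timestamp INTEGER)');

session_start();
$_SESSION['name']    = 'test name';
$_SESSION['groupid'] = 2;

$now = time();
publishGroupEvent($db, 2, 'alice joined', $now - 7200);     // two hours ago, refreshed by the next write
publishGroupEvent($db, 2, 'bob joined',   $now);            // activity keeps group 2 alive
publishGroupEvent($db, 5, 'old event',    $now - 7200);     // group 5 went quiet two hours ago

printf("purged rows: %d\n", purgeStaleGroups($db, $now));   // 1 (group 5)
print_r(eventsForCurrentUser($db));                          // both group-2 events
```

Because the group id comes from the user's own session rather than from a request parameter, one user cannot read another group's events by editing a form field; the database still handles concurrent writers, which is the point the answer makes against sharing session files.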
I *think* you can only have one "current" session, but the functionality you are referring to is session_name:
http://www.php.net/manual/en/function.session-name.php
The cookie functionality is very simple. I suggest looking into that instead.
Where is the "valueSharedBetweenUsers" coming from? Is it a constant or database entry?
Either way, it wouldn't make sense to create one session per group. You should instead be giving each user a unique session per user; with your "shared" attribute as a session attribute for each individual.
So start the unique session, then just do <?php $_SESSION['session'] = 'mySharedValue'; ?>
Now everyone has a session with a unique session ID and a common value 'session'.
(Obviously, if you need to change this attribute later, you'll have to do it separately for each authed individual.)
This isn't as far-fetched as people are making it; Facebook and Twitter have at least 10 different sessions being created when a user has logged in.
