I would create a login authentication using php, The requirement is : one username account can't login at the same time, if this occur the first login user should logout automatically. Just like yahoo messenger do. How is the concept actually ?, What the best trick to do this with PHP ?
Thank you.
You need to store the session ID of the last login in your database. When a user logs in the next time, you invalidate the old session and store the newly created session ID in the database. For example:
$old_sess_id = /* read saved session ID from database */;
session_id($old_sess_id);
session_start();
session_regenerate_id(true); // "true" deletes old session
$new_sess_id = session_id();
/* store new session ID in database */
casablanca is right...
additionally you dont need to save both old and new session. just have one session in your db.
when the user logs in update your session value. after code for check session. The previous login will be automatically invalidated.
Related
Currently, I try to implement that only one user can be online simultaneously on the same account. There are solutions which prefer to store the session id and compare it to the current session id. But I have problems to understand how it should work.
So I store the session id after the user's login was successful. Now I am trying on another client to log in on the same account. It is not possible because the current session id is not equal to the stored id. So what happens if ...
1) Using logout button
The user uses the logout button. The session is destroyed. I reset the stored session id to "" or something. If the stored session id is "" a client can log in on this account. Is it right?
2) The browser is closed
Closing the browser without using the logout function. There is still a session id stored. I can not log in with this account because my current session id is not equal to the stored session id. So how can I realize a re-login?
i believe you can solve that problem simply by storing a variable in a user field database to indicate it's been logged in.
I develop a registration system using codeigniter. I don't want the user to have multiple session active. ie user login with a username and password on chrome browser and now goes to firefox and login with the same username and password.
//I added a column calld userid
ci_sessions // codeigniter session database
//check whether a session exist and delete
$this->db->delete('ci_sessions',array('userid' => $this->input->post('reg_nos')));
//create a session data
$this->session->set_userdata(array('reg_nos'=>$this->input->post('reg_nos')));
//get the current session and update it with the userid value.
$session_id = $this->session->userdata('session_id');
$this->db->where('session_id', $session_id);
$this->db->update('ci_sessions', array('userid' => $this->input->post(reg_nos')))
Is there a better to implement this? I can't even get it to work.
I am not sure how you are handling logins, but if you are using cookies, store the cookie expiration date in the database and when a logs in you can check whether they have an active cookie or not. Expire the cookie on logout and also mark the cookie as inactive on the database. This will give you one session login control
I would like to make my website to allow only one session at a time. For example, let say user has login to my website on firefox, if the user login again to another browser like opera on the same computer or different computer, the session on firefox will be destroyed. However, the session on firefox remained if it remains as one session. May I know how can I do that? I am using php and apache. Thank you.
Regards.
Benjamin
I'll suggest you to do something like this:
Suppose when user "A" loges in to the "Com_1", for the first time. Save a unique code in the database against that session, and same with the user session.
At the mean time if he (user "A") loges in again on "com_2", then check his status in the database and update the unique code in the database.
again back if same user (user "A") refreshes the page on "com_1", we all you need to do is check the unique code from the session and match it to the database, It is for sure it will not match, then log it out and destroy the session.
For keeping the user loggedin, even if browser is closed, you can store the cookie on the browser, and re-generate the session accoordingly.
Hope this helps. Thank you.
You can use the following algorithm
create an integer field in the databse userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
whenever a session is destroyed decrement the value as well
Credits to Bozho because he posted this, answering to a question
here
Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.
I think you'd have to do something like that :
add a "last_session_id" column to your user table
when a user logs in, update its last_session_id field with its current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.
Store session id in the database. retrieve last login session id from db, set session id using session_id(oldid) and change session variables related to authentication like $_SESSION['LOGIN']
and destroy the session and create new session with new session id. follow example for logic https://www.php.net/manual/en/function.session-create-id.php.
this will make the last login allowed. validate on each page session variables related authentication. this makes it session invalid because of this session_id reset by a new login.
Save users' IP=>SESSION_ID pairs in a database. When user try to load your page you must compare the actual IP=>SESSION_ID pair then allow/deny if the pair is ok/different.
I have a couple of domains which i want to shere sessions.
I have created a method like this:
The user login is done in a central place and the sessions are saved in the database.
Lets say the user A wants to go to abc.com domain. My app redirects it to the main authentication domain where he logs in.
After login is generated an auth token which is saved in a field in the sessions table and it is pass back to the abc.com application.
There I use the auth_token to get the session_id from the database and to set the session_id of abc.com the same.
The problem is that it allways creates a new session.
This is my code of the abc.com
$sessionId = // get from the database using the auth_token.
/* CLOSE PREVIOUS SESSION */
session_destroy();
// sets the new id.
session_id($sessionId);
/** start new session * */
session_start();
What i am missing?.
I am using php with Symfony framework. Dont know if it´s related with symfony session handling.
Ok. I solved my problem.
I had to delete the old session cookie after calling session_destroy().
Here is my full code if someone is interested:
$sessionId = // get session id from the database using the auth_token
session_destroy();
$this->getResponse()->setCookie('mycookie',null,time()-3600);
session_id($sessionId);
/** start new session * */
session_start();
$this->getResponse()->setCookie('mycookie', $sessionId,null,null,'mydomain');
Thanks everyone for the help.
So I currently store a token and user ID whenever a user logs in. The token is stored in the user table and in a COOKIE.
So user 1 logs in and the following details is stored in a COOKIE and database on his
computer:
id
randomly generated token
whenever he logs in a different token is generated.
To authenticate the user, everytime he accesses my site, I check to see if the token matches with that stored in the database for the specific cookie.
But the problem is that constantly checking the database is a waste of resources but how do we make sure that user is who they say they are? I can't just store his ID in a cookie because he could easily change the ID and get access to another user's information.
thanks!
Could you use a $_SESSION variable such as: $_SESSION['id'] = $randomstring;
Then at the top of each page check if the variable is set:
<?php if(isset($_SESSION['id'])) $loggedin;
else $logout;
?>
Use session_start() which handles the logistics of checking the cookie and validating that the data is actually for that user's session.
You have to start the session before you can use $_SESSION but that's one way to store session data.
http://php.net/manual/en/function.session-start.php