From: Robert Cummings

> Bob McConnell wrote:
>> Web servers can only identify computers, not users. You will need
>> something else to track which user started a specific application on
>> a particular computer, probably a fingerprint scanner next to the
>> keyboard. But that won't prevent someone else from replacing the
>> between the keyboard and the chair after they log in. Plus, it is
>> unlikely that will be useful in a true multi-user environment. There
>> are simply too many possible ways to get around your restrictions.
> Isn't it simple to associate a single session ID with a username? User
> logs in, place username and session ID in active users table and
> invalidate any others for same user. When user accesses page check
> session ID against entry in active users table. Richard Quadling has
> it right. This is not complicated, but it sounds like people are making
> it so. The user identified themselves via login.

From the series of questions he asked, it was not clear to me what he
was trying to do. It sounded like he wanted to allow a user to access a
single session simultaneously via multiple browsers, yet not allow
another person to hijack that session even if both were using the same
computer. Somehow I don't think all of that is a reasonable requirement.

Actually, I believe that linking a session to a specific individual
without reading a biometric key with every http request is an
unacceptable risk. And no, I don't do any banking online.

Bob McConnell
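
The active users table scheme described in the quoted reply above, as an added example that is not part of the original thread. The table name `active_users` and both function names are hypothetical, the random token stands in for PHP's session ID, and an in-memory SQLite database (pdo_sqlite extension) is assumed so the script runs offline. It ties a login to one live session; it does not establish who is sitting at the keyboard.

```php
<?php
declare(strict_types=1);

// Added example; table and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// username is the primary key, so each user has at most one row (one live session).
$db->exec('CREATE TABLE active_users (
    username   TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL,
    created_at INTEGER NOT NULL
)');

// Call only after the user's credentials have been verified.
function startSession(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));   // stands in for session_id()
    // INSERT OR REPLACE overwrites the user's existing row, which
    // invalidates whatever session that user had open elsewhere.
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO active_users (username, token_hash, created_at)
         VALUES (?, ?, ?)'
    );
    // Store only a hash, so a leaked table does not hand out usable tokens.
    $stmt->execute([$username, hash('sha256', $token), time()]);
    return $token;                        // sent to the browser as the cookie value
}

// Run on every page request before doing any work for the user.
function isCurrentSession(PDO $db, string $username, string $token): bool
{
    $stmt = $db->prepare('SELECT token_hash FROM active_users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();       // false when the user has no row
    // hash_equals compares in constant time.
    return is_string($stored) && hash_equals($stored, hash('sha256', $token));
}

// Constructed scenario: the same user logs in from two browsers in turn.
$browserA = startSession($db, 'alice');
var_dump(isCurrentSession($db, 'alice', $browserA));   // A right after its login
$browserB = startSession($db, 'alice');                // second login replaces A's row
var_dump(isCurrentSession($db, 'alice', $browserA));   // A after B logged in
var_dump(isCurrentSession($db, 'alice', $browserB));   // B, the latest login
var_dump(isCurrentSession($db, 'mallory', $browserB)); // user with no row at all
```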

PHP General Mailing List