> -----Original Message-----
> From: James Colannino [mailto:ja...@colannino.org]
> Sent: Tuesday, June 22, 2010 2:29 PM
> To: email@example.com
> Subject: [PHP] Question about logins and locking
> Hey everyone,
> I have a question about logins. Let's say that I want to allow each user
> account to login only once at a time. I would then need some kind of
> mechanism to make sure that the same user can't login again somewhere
> else until first logging off. What's a good way to achieve this? I want
> able to handle situations in which the user closes their browser without
> logging off, where I would want to count that as a logout.
> a query to the database that sets a value when the user logs in and when
> user logs out? I'm just looking for some conceptual ideas.
> Thanks everyone!
1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
expire when browser closes
2) Have a table in the DB backend to keep track if the user is logged in or
not and when was the last time the validated user access your site (this
gets updated when the user visit a link on your site by checking the cookie
and the DB entry of the session ID)
3) Set your session timeout accordingly to you security requirement
longer than your session timeout.
If another user or if the same user tries to login with a different browser,
you can check the status of the user. If the user is logged in, you can
deny it after the authentication. Should the user closes the browser
without having to logoff, you can check when was the last time the user
accessed your site and see if it's been longer than your session timeout.
For security purposes, you can optionally send a courtesy email notifying
that the user didn't logout properly since last accessed. This way, you can
track whether if the user's system is compromised in some way or not. It
all depends on what kind of application, service, user level access, and the
strict security you require.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php