Tommy Pham wrote:
> 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
> expire when the browser closes
> 2) Have a table in the DB backend to keep track of whether the user is logged in
> or not and when the validated user last accessed your site (this
> gets updated when the user visits a link on your site by checking the cookie
> and the DB entry of the session ID)
> 3) Set your session timeout according to your security requirement
> longer than your session timeout.
> If another user or the same user tries to log in with a different browser,
> you can check the status of the user. If the user is logged in, you can
> deny it after the authentication. Should the user close the browser
> without logging off, you can check when the user last
> accessed your site and see if it's been longer than your session timeout.
> For security purposes, you can optionally send a courtesy email notifying
> that the user didn't log out properly since last accessed. This way, you can
> track whether the user's system is compromised in some way or not. It
> all depends on what kind of application, service, user level access, and the
> strict security you require.
Thanks Tommy. That was very helpful, and some of it is similar to how I
was thinking of doing it.
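As an added illustration (not code from Tommy or from the original poster), here is a PHP sketch of the scheme described in the quoted message: a server-side table keyed by session id that records the user and the last access time, a login that refuses a second browser while a session is still live, and a timeout sweep that handles the "closed the browser without logging off" case. The `sessions` table layout, the 15-minute timeout, the SQLite in-memory database and the function names are all assumptions made for the example; instead of an encrypted cookie it stores only a hash of a random token server-side, so a leaked table does not yield usable cookies.

```php
<?php
// Added example (not from the thread). Table name, column names, the
// 15-minute timeout and the function names are assumptions for this sketch.

const SESSION_TIMEOUT = 900; // seconds of inactivity before a session is dead

function openDb(): PDO {
    // In-memory SQLite so the example runs offline; any PDO driver works.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        session_id  TEXT PRIMARY KEY,   -- sha256 of the cookie token
        user_id     INTEGER NOT NULL,
        last_access INTEGER NOT NULL)');
    return $db;
}

// Drop sessions idle longer than the timeout; a browser closed without a
// logoff is cleaned up here on the next request from anyone.
function expireStale(PDO $db, int $now): int {
    $st = $db->prepare('DELETE FROM sessions WHERE last_access < :cutoff');
    $st->execute([':cutoff' => $now - SESSION_TIMEOUT]);
    return $st->rowCount();
}

// Returns a fresh cookie token, or null when the user already holds a live
// session (the "logged in from another browser" refusal in step 2).
function login(PDO $db, int $userId, int $now): ?string {
    expireStale($db, $now);
    $st = $db->prepare('SELECT 1 FROM sessions WHERE user_id = :u');
    $st->execute([':u' => $userId]);
    if ($st->fetchColumn() !== false) {
        return null; // still logged in elsewhere: deny after authentication
    }
    $token = bin2hex(random_bytes(32)); // goes into the cookie, never the DB
    $st = $db->prepare('INSERT INTO sessions VALUES (:sid, :u, :t)');
    $st->execute([':sid' => hash('sha256', $token), ':u' => $userId, ':t' => $now]);
    return $token;
}

// Called on every request carrying the cookie: validates the session and
// refreshes last_access. Returns the user id or null.
function touchSession(PDO $db, string $token, int $now): ?int {
    expireStale($db, $now);
    $sid = hash('sha256', $token);
    $st = $db->prepare('SELECT user_id FROM sessions WHERE session_id = :sid');
    $st->execute([':sid' => $sid]);
    $user = $st->fetchColumn();
    if ($user === false) {
        return null;
    }
    $st = $db->prepare('UPDATE sessions SET last_access = :t WHERE session_id = :sid');
    $st->execute([':t' => $now, ':sid' => $sid]);
    return (int) $user;
}

function logout(PDO $db, string $token): void {
    $st = $db->prepare('DELETE FROM sessions WHERE session_id = :sid');
    $st->execute([':sid' => hash('sha256', $token)]);
}

// Step 1: a session cookie (expires = 0 dies with the browser), sent only
// over TLS and hidden from script. Not called below because the walk-through
// runs on the command line with no HTTP response.
function sendSessionCookie(string $token): bool {
    return setcookie('sid', $token, [
        'expires' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Walk-through with a fake clock (constructed values).
$db = openDb();
$t0 = 1000;
$tok = login($db, 42, $t0);                          // first login succeeds
assert($tok !== null);
assert(login($db, 42, $t0 + 60) === null);           // second browser refused
assert(touchSession($db, $tok, $t0 + 300) === 42);   // activity keeps it alive
assert(touchSession($db, 'bogus', $t0 + 300) === null);
// Idle past the timeout: the stale row is swept and a new login is allowed.
assert(login($db, 42, $t0 + 300 + SESSION_TIMEOUT + 1) !== null);
echo "ok\n";
```

The timeout sweep runs inside `login` and `touchSession` rather than on a cron job so the check in the message ("see if it's been longer than your session timeout") happens at the moment it matters. Storing `sha256($token)` instead of the token itself means the database never holds anything that can be replayed as a cookie; the courtesy email from the message would be sent from `expireStale`, which is where the not-logged-out sessions are identified.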
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php