Tommy Pham wrote:

> 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
> expire when browser closes
> 2) Have a table in the DB backend to keep track if the user is logged in or
> not and when was the last time the validated user access your site (this
> gets updated when the user visit a link on your site by checking the cookie
> and the DB entry of the session ID)
> 3) Set your session timeout accordingly to you security requirement
> 4) Have a javascript on a timeout to self-logoff should the user is AFK
> longer than your session timeout.
> If another user or if the same user tries to login with a different browser,
> you can check the status of the user.  If the user is logged in, you can
> deny it after the authentication.  Should the user closes the browser
> without having to logoff, you can check when was the last time the user
> accessed your site and see if it's been longer than your session timeout.
> For security purposes, you can optionally send a courtesy email notifying
> that the user didn't logout properly since last accessed.  This way, you can
> track whether if the user's system is compromised in some way or not.  It
> all depends on what kind of application, service, user level access, and the
> strict security you require.

Thanks Tommy.  That was very helpful, and some of it is similar to how I
was thinking of doing it.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to