Posted: Tue Oct 11, 2005 1:59 pm
Confused (?)
Anyway .. back to this fingerprint idea.
I've implemented the fingerprint so that I store a hash of the session id and a hash of the (password . user_agent). I'm hoping this will give a fairly unique couplet.
My problem is now almost what I started with:
When a user logs out properly the session id and fingerprint hashes are cleared from the database (i.e. user has logged out). However, if the user does not log out properly or their browser crashes, etc. I am left with the data in the database - which makes it look like the user is still logged in.
If I wait for a set period this could mean that the user is simply reading the current web page (and is a bit slow) or they have not logged out correctly. If they continue to use the site they will still have the same hashes (therefore no problem). However, if they do not log out correctly and try to access via another browser, workstation, etc. their hashes will be different.
Do I:
1. Log the user out whenever I receive a "bogus" log in (and request they log in again)?
2. Log the user out only after a set period from last log in (e.g. 5 minutes)?
As I see it, there are pros and cons for both methods. I would really appreciate any advice here.
Thanks
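As an added example (not code from the post), here is a Python sketch of the two options side by side: the idle timeout from option 2 and a drop-on-mismatch flag for option 1, with an injectable clock so the expiry path can be exercised. The in-memory dict standing in for the database table, and the per-user random secret standing in for the password inside the fingerprint, are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Option 2 from the post: treat a stored row as stale after this many seconds
# without a request (5 minutes, the figure used in the thread).
IDLE_TIMEOUT = 5 * 60


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def fingerprint(user_secret: str, user_agent: str) -> str:
    # The post hashes (password . user_agent); here a per-user random secret
    # stands in for the password (assumption), same shape, same comparison.
    return sha256_hex(user_secret + "." + user_agent)


class SessionStore:
    """In-memory stand-in for the table holding the two hashes per user."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the timeout can be tested
        self.rows = {}      # user -> {"sid_hash", "fp_hash", "last_seen"}

    def login(self, user: str, user_secret: str, user_agent: str) -> str:
        sid = secrets.token_hex(16)
        self.rows[user] = {"sid_hash": sha256_hex(sid),
                           "fp_hash": fingerprint(user_secret, user_agent),
                           "last_seen": self.now()}
        return sid

    def logout(self, user: str) -> None:
        self.rows.pop(user, None)   # the explicit logout path from the post

    def validate(self, user, sid, user_secret, user_agent,
                 logout_on_mismatch=False) -> str:
        """Returns 'ok', 'none', 'expired' or 'mismatch'.
        logout_on_mismatch=True is option 1: a request carrying the wrong
        hashes drops the stored session.  The idle check is option 2."""
        row = self.rows.get(user)
        if row is None:
            return "none"
        if self.now() - row["last_seen"] > IDLE_TIMEOUT:
            self.logout(user)       # browser crashed / no logout: row expires
            return "expired"
        ok = hmac.compare_digest(row["sid_hash"], sha256_hex(sid)) and \
            hmac.compare_digest(row["fp_hash"], fingerprint(user_secret, user_agent))
        if not ok:
            if logout_on_mismatch:
                self.logout(user)
            return "mismatch"
        row["last_seen"] = self.now()   # activity keeps a live session alive
        return "ok"
```

The two options are not mutually exclusive: the idle timeout clears rows left behind by a crash on its own, while the mismatch flag only decides what a request with the wrong hashes does to a still-live row.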