I'm writing a web-app (logbook) that is driving me nuts. I hope somebody here can shed some light on this.
Here is a scenario of my problem:
User #1 logs in and makes an entry in the logbook. When finished, he does not logout, but leaves browser open.
User #2 sits down immediately as User #1 gets up. Opens up another browser, logs in and makes his entry. He properly logs out and closes his browser like a good security-minded employee.
PROBLEM:
When User #1 sits back down after User #2 gets done, and refreshes his screen, his login information changes from his login to User #2's login. The only way around this is to logoff User #2, close all browsers, and re-log back in.
The only thing I can think of is to have a timeout on the session. But this doesn't help much if the users leave multiple browsers windows open, even if they close out their logbook. Plus, users tend to not hit any kind of "logoff" button, which would properly terminate the session. Most just close the browser which should terminate the session, but if users have multiple browsers open at the same time, I believe the session remains active, even though the logbook was closed.
My QUESTION:
How do I enable multiple users to login successfully using the same computer, and keep them both separated in the app at the same time?
Does any of this make sense? I hope somebody can help me.
Scott
Cookie? Session? users on same PC
Moderator: General Moderators
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
There's something weird happening in your sessions. Since the users are on the same PC (the main problem) you can limit the session lifetime so it expires and a user needs to login again. Usually this is a separate check of current time against last request time (anything over the limit triggers a call to session_destroy()).
The thing here is to force a logout quickly once a user's activity has stopped.
-
dacoolthings
- Forum Newbie
- Posts: 2
- Joined: Wed Dec 13, 2006 9:48 pm
Kill the session cookie on the client side and server side.
When the user performs the logout action, make sure to kill the cookie on the server side and the client side.
Create the cookie as non-persistent cookie, which means do not store the cookie on user's hard disk. If you store the cookie on user's hard disk, all the browser windows will pickup the same cookie.
Thanks
Find more web information security at http://www.webinfosec.com
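The two replies above describe the same mechanism from two sides: an idle-timeout check on every request (Maugrim_The_Reaper) and a logout that clears the session on both the server and the client, with a cookie that is not written to disk (dacoolthings). The following PHP is an added example that puts both together; it is not code from the thread or from Scott's logbook. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()), and the names IDLE_LIMIT, start_session(), login(), logout() and require_login() are made up for this illustration. The login() function also wipes whatever the shared cookie was carrying and regenerates the session ID, so a login in one window on a shared PC never inherits the previous user's session.

```php
<?php
// Added example (not code from the thread). Names below are assumptions.

const IDLE_LIMIT = 600; // seconds of inactivity before the session is killed

// Start the session with a non-persistent cookie (lifetime 0 = kept only in
// browser memory, never written to disk), HttpOnly so page scripts cannot
// read it, and strict mode so the server only honours IDs it issued itself.
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Kill the session on both sides: empty and destroy the server-side data,
// and send the client an expired copy of the session cookie so the browser
// drops it.
function logout(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Successful login: discard anything the (possibly shared) cookie carried
// before, then issue a fresh session ID and invalidate the old one.
function login(string $username): void
{
    start_session();
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user']          = ['name' => $username];
    $_SESSION['last_activity'] = time();
}

// Per-request check, called at the top of every logbook page. If the last
// request is older than IDLE_LIMIT, the user is logged out and redirected;
// otherwise the activity timestamp is refreshed and the user record returned.
function require_login(): array
{
    start_session();
    $now = time();
    if (!isset($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > IDLE_LIMIT) {
        logout();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_activity'] = $now;
    return $_SESSION['user'];
}

// Usage on a logbook page:
//   $user = require_login();
//   echo 'Logged in as ' . htmlspecialchars($user['name']);
```

Note the limits of this approach on a shared PC: every window of the same browser profile shares one cookie jar, so two browser windows cannot hold two different sessions at once. The timeout only bounds how long an abandoned window stays logged in; the reset in login() ensures that whoever logs in next starts from a clean session rather than on top of the previous user's data.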