preventing double login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

cloud_monster
Forum Newbie
Posts: 1
Joined: Sun May 06, 2007 11:57 am

preventing double login

Post by cloud_monster »

At my school they have this thing where you cannot log into two systems using the same username at the same time. How do I do this with PHP? I have created a login system but I can't think of a good way of how to do this. And also how do I end sessions/automatically sign out if there has been no activity for a certain amount of time (like how bank websites do)? What can I do about people who don't log out, but just close their browser window? Any help is appreciated.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: preventing double login

Post by Chris Corbyn »

cloud_monster wrote: At my school they have this thing where you cannot log into two systems using the same username at the same time. How do I do this with PHP? I have created a login system but I can't think of a good way of how to do this. And also how do I end sessions/automatically sign out if there has been no activity for a certain amount of time (like how bank websites do)? What can I do about people who don't log out, but just close their browser window? Any help is appreciated.
session_set_save_handler().

Basically you use a database to deal with sessions and you delete the session (a row in the database) if the user logs into another machine.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I'm still a proponent of the 'other way'. Instead of expiring sessions after a while (and doing wild guesses about the time at which they should be logged out), I find it better to allow the user to start a new session whenever they want (but expire their previous sessions)...

This way they can always log on (no need to wait until their previous session has expired) and they can have only one session at a time because previous ones become invalid once they've acquired a new one...
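Added example, not code from any poster in this thread: a minimal sketch of the approach discussed above, where a new login replaces the user's previous session row and every request also enforces an idle timeout. The table name `active_session`, the function names, the 900-second timeout and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added illustration; table, function names and timeout value are assumptions.
const IDLE_TIMEOUT = 900; // seconds of inactivity before sign-out

function initStore(PDO $db): void {
    // One row per user: the PRIMARY KEY enforces "one session at a time".
    $db->exec('CREATE TABLE IF NOT EXISTS active_session (
        user_id    INTEGER PRIMARY KEY,
        token_hash TEXT NOT NULL UNIQUE,
        last_seen  INTEGER NOT NULL)');
}

// Call after the password check succeeds. Overwrites any earlier session.
function startSession(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // unguessable session token
    $stmt = $db->prepare('REPLACE INTO active_session
        (user_id, token_hash, last_seen) VALUES (?, ?, ?)');
    // Store only a hash so a leaked table does not leak usable tokens.
    $stmt->execute([$userId, hash('sha256', $token), $now]);
    return $token; // send to the browser in a Secure, HttpOnly cookie
}

// Call on every request. Returns the user id, or null if not signed in.
function checkSession(PDO $db, string $token, int $now): ?int {
    $stmt = $db->prepare('SELECT user_id, last_seen FROM active_session
        WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown token, or replaced by a newer login
    }
    if ($now - (int)$row['last_seen'] > IDLE_TIMEOUT) {
        // Idle too long; this also handles a closed browser window.
        $db->prepare('DELETE FROM active_session WHERE user_id = ?')
           ->execute([$row['user_id']]);
        return null;
    }
    $db->prepare('UPDATE active_session SET last_seen = ? WHERE user_id = ?')
       ->execute([$now, $row['user_id']]);
    return (int)$row['user_id'];
}

// Constructed demo: one user (id 42) logs in from two machines.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initStore($db);
$t0 = 1000000; // constructed timestamp
$laptop = startSession($db, 42, $t0);
$phone  = startSession($db, 42, $t0 + 10); // second login, same user
var_dump(checkSession($db, $laptop, $t0 + 20)); // token from the first login
var_dump(checkSession($db, $phone, $t0 + 20));  // token from the second login
var_dump(checkSession($db, $phone, $t0 + 20 + IDLE_TIMEOUT + 1)); // after idling
```

The same table can back a `session_set_save_handler()` implementation; the point here is only the replace-on-login and last-activity checks.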