Session controlling

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

aibanez
Forum Newbie
Posts: 4
Joined: Wed Jan 14, 2009 4:29 pm

Session controlling

Post by aibanez »

I am using Moodle (PHP-MySQL) on a shared hosting service. I want to control (if a way to do it exists) that when a user logs in to Moodle, it is verified whether the same user has an existing session from a different IP. If the user has another session active from a different IP, the other session will be terminated. In other words, I want to ensure that one specific user can sign in from only a single IP address at a time.

I'm not an expert PHP programmer.

Thank you in advance

Cheers!!!
novice4eva
Forum Contributor
Posts: 327
Joined: Thu Mar 29, 2007 3:48 am
Location: Nepal

Re: Session controlling

Post by novice4eva »

You would have to have a table that stores: 1) the user ID that identifies the user, 2) the session ID of the logged-in user, 3) the time of login.
You would need to invoke a function in each of your PHP files. This function will basically check whether the same user ID exists multiple times with different session IDs and, if it does, destroy the session of the user with the newer date using the session_destroy function (or even block him/her at login). I seem to have excluded the IP part; IP can change (but you can use it if it is an intranet setup and people don't fiddle with IPs :) ) and this can be achieved without involving IP too.

This has a drawback though: sometimes users will not LOG OUT (when you would flush the table contents) but just close the window and leave. That would cause a big problem, because then the user will not be allowed to log back in! There is a temporary solution for this too, but it's not a robust solution. This issue is discussed here: viewtopic.php?f=1&t=90176&hilit=+session
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Session controlling

Post by kaisellgren »

aibanez wrote: I'm not an expert PHP programmer.
I think you need intermediate PHP & SQL skills to achieve what you need.
aibanez wrote: I want to control (if a way to do it exists) that when a user logs in to Moodle, it is verified whether the same user has an existing session from a different IP. If the user has another session active from a different IP, the other session will be terminated.
Upon a successful logon, check for previous sessions from this user ID and delete them. You do not need to check whether it's an old session if you first remove all sessions from this particular user and only after that create this new session.
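
The approach from the replies above (a session table, a per-page check, and delete-then-insert at login), sketched as an added example that is not part of any post in this thread and is not Moodle's own code. The table `active_sessions`, both function names and the PDO handle are assumptions; because the newest login replaces the stored row, a user who closed the window without logging out is not locked out.

```php
<?php
// Added example. Table and function names are hypothetical, not Moodle's.
// Assumed schema (one row per user, so the newest login always wins):
//   CREATE TABLE active_sessions (
//       user_id    INT PRIMARY KEY,
//       sid_hash   CHAR(64) NOT NULL,   -- SHA-256 of the session ID
//       login_time INT NOT NULL
//   );
// $db is assumed to be a PDO handle with PDO::ERRMODE_EXCEPTION set,
// and session_start() is assumed to have been called already.

// Call once, right after the credentials have been verified.
function register_login(PDO $db, int $userId): void
{
    session_regenerate_id(true);        // new ID for the authenticated session
    $_SESSION['user_id'] = $userId;

    $db->beginTransaction();
    // Remove every earlier session of this user, then record the new one.
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ?')
       ->execute([$userId]);
    $db->prepare('INSERT INTO active_sessions (user_id, sid_hash, login_time)
                  VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', session_id()), time()]);
    $db->commit();
}

// Call at the top of every protected page, after session_start().
// Returns false when the visitor must log in (again).
function enforce_single_session(PDO $db): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT sid_hash FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();

    if (!is_string($stored)
        || !hash_equals($stored, hash('sha256', session_id()))) {
        // A newer login replaced this session (or the row was removed).
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}
```

Storing only a hash of the session ID means that read access to the table does not hand out usable session identifiers.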