Hi, I have a site with a login feature. What I want is that if a user is logged in to his account from one computer, and then logs into the same account at the same time from another computer, he should be logged out of the computer he logged in on first. Any idea how to implement it would be great.

+2  A: 

You need to store your session in a database. There you can have a table containing session(session_id, username, session_data). session_id and session_data are self-explanatory. You use the "username" field to store the name of the logged-in user. If the user logs in again from a different computer, you can easily query that table and remove the duplicate session.

There are lots of implementations of database-backed session handling in PHP available on the net.

halfdan
So it means that I should be running a background process to see if the database value has changed? Or is there any other way to notify the first computer that it should query the database to see if the session for the first computer should be destroyed?
pcraft
Thanks for your help.
pcraft
Your login logic checks if there already is an entry in the session table. If there is, you just remove the entry. The session is then invalidated if the user moves back to his first computer.
halfdan
So the session is removed, but how will the first computer know that the session is invalidated?
pcraft
It will send the session_id from its cookie. You deleted the session_data, so PHP will create a new session automatically. The computer doesn't _need_ to know that it's invalidated, it just is.
halfdan
+1  A: 

Assuming you're using cookie-based sessions, your best bet is probably to keep track of the last active session ID per user. This way, when the user logs in from a different computer, the last active session ID gets updated, and when (s)he tries to continue on the previous session, you can catch this and end the old session.

tdammers
And how would you compare two sessions? Using file-based sessions you don't have access to the actual session data of a second session, so you can't compare which session was updated.
halfdan
"and when (s)he tries to continue on the previous session", but what I want is that it should not depend on the user trying to continue. Instead, asynchronously, if the user comes back to the first computer he logged into, he should get a popup telling him to log in again. Please let me know if I am making sense.
pcraft
Functionally speaking, it's the same thing. Whether or not your old session stays lingering around (until it times out) isn't really relevant as long as the user cannot access it anymore. You can't delete a cookie from the user's computer without the user sending a request to your server.
tdammers
So is there any best practice for the ajax request call? Maybe at certain time intervals, or a background process, or anything that can be called to see if the previous session is invalidated?
pcraft
What I'm trying to explain is that you don't need to do anything fancy. When a second session is started, the first session becomes inaccessible. The next time the user tries to do anything on the first session - a postback, an ajax call, a fresh page load, whatever - the server will pop an error message, prompting for a new login.
tdammers
@halfdan: You just compare the session IDs. You do need to make sure a new session ID is generated each time a user changes authorization level (i.e., logs in or out), but that's general best practice anyway.
tdammers
You can't compare any session IDs. There's no way to get more than one session ID. Give a code example if you have one.
halfdan
1. User logs in from machine A. Application generates new session ID and stores it in its database as the 'current' session ID for this user. 2. User logs in from machine B. Application generates a new session ID and stores it as the 'current' session ID. 3. User goes back to machine A and tries to do something, sending the session ID stored on that machine. Application compares the requested session ID against the 'current' session ID in the database, detects they are not equal, and logs the user out, clearing the old session and generating a new ID.
tdammers
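
The three steps listed in the last comment above, written out as an added example (not code posted by anyone in this thread). It assumes a hypothetical `user_session` table and the hypothetical function names `login` and `isCurrentSession`; a random token stands in for PHP's session ID so the script runs from the command line with the pdo_sqlite extension.

```php
<?php
// Added example: one 'current' session ID per user, checked on every request.
// Table, column and function names are assumptions, not taken from the thread.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_session (
        username    TEXT PRIMARY KEY,
        current_sid TEXT NOT NULL
    )');
    return $db;
}

// Steps 1 and 2: every login issues a fresh ID and overwrites the stored one.
// In a web app, call session_regenerate_id(true) and store session_id() here
// instead of generating a token by hand.
function login(PDO $db, string $username): string {
    $sid = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'REPLACE INTO user_session (username, current_sid) VALUES (?, ?)'
    );
    $stmt->execute([$username, $sid]);
    return $sid;
}

// Step 3: run at the top of every authenticated request (page load, postback,
// ajax call). A false result means: destroy this session and ask for a login.
function isCurrentSession(PDO $db, string $username, string $sid): bool {
    $stmt = $db->prepare(
        'SELECT current_sid FROM user_session WHERE username = ?'
    );
    $stmt->execute([$username]);
    $current = $stmt->fetchColumn();   // false when the user has no row
    // hash_equals compares the two IDs in constant time
    return is_string($current) && hash_equals($current, $sid);
}

// Constructed walk-through: machine A logs in, then machine B logs in.
$db   = openDb();
$sidA = login($db, 'alice');
var_dump(isCurrentSession($db, 'alice', $sidA)); // request from A before B logs in
$sidB = login($db, 'alice');
var_dump(isCurrentSession($db, 'alice', $sidA)); // request from A after B logged in
var_dump(isCurrentSession($db, 'alice', $sidB)); // request from B
```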