So I want users to be able to log in from different computers simultaneously. So that means I should allow the user to have multiple tokens. And then I also want the user to be able to log in from different browsers on the same computer. So that means I should allow the user to have multiple tokens for the same IP. However, it's gonna get messy because eventually I'm going to have a lot of tokens for one user!

Any suggestions on a strategy for controlling this, or am I SOL and would need to do a token cleanup for tokens that are not used for say 15 days or so? Sorry, I just want to get it right :)

P.S. I'm doing this with PHP

+1  A: 

Not sure what kind of answer you are waiting for, but you might want to use the Session Handling mechanism that comes with PHP to store the data of your users' sessions.

It's based on a cookie that's used to store the "token" that points to the session, which means each user can have a distinct session on each one of his browsers and computers; and it works pretty fine.

With that, you just have to call `session_start()` at the beginning of your script, and use `$_SESSION` in it, and that's pretty much everything you have to care about: PHP will deal with sessions' expiration itself.

Pascal MARTIN
A: 

Just use PHP's built-in session controls. It will automatically generate a token for each session, which is saved in a cookie. You can then have a login flag (for example `$_SESSION['login']`) that you set to true once the user has logged in, and a username or userid variable (`$_SESSION['user']`) where you can save which user that browser is authenticated as.

Emil Vikström
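The following sketch is an added example, not code from either answer. It combines the `session_start()` / `$_SESSION['login']` approach with the 15-day idle cleanup the question asks about; each browser gets its own independent session, so simultaneous logins need no extra bookkeeping. The function names, the one-user table and the HTTPS requirement are assumptions, and it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);
// Added example; function names are hypothetical. Assumes PHP 7.4+ and HTTPS.

const IDLE_LIMIT = 15 * 24 * 3600; // 15 days, the figure from the question

function start_session(): void
{
    // Server-side data idle longer than this becomes eligible for PHP's session GC.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued
    session_set_cookie_params([
        'lifetime' => IDLE_LIMIT, // counted from when the cookie is issued
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // GC runs probabilistically, so also enforce the idle limit on every request.
    $last = $_SESSION['last_seen'] ?? time();
    if (time() - $last > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

function check_credentials(string $user, string $password): bool
{
    // Constructed one-user table; a real application queries its user store.
    static $users = null;
    $users ??= ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true); // fresh ID at login prevents session fixation
    $_SESSION['login'] = true;   // same keys as in the answer above
    $_SESSION['user']  = $user;
    return true;
}
```

Call `start_session()` at the top of every request before any output, and treat a request as authenticated only when `$_SESSION['login']` is set.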