Everything posted by ajoo
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
```php
elseif (user has logged in elsewhere){
    echo "you've been booted message";
    echo "you've been booted message";
}
//up to here it is pretty much just regular.php
// ALREADY PROBLEMATIC.
```

If I am logged in on Tab A and then on Tab B of the same browser, then the above message is shown on Tab B, the current session tab, and not on the Tab A session. So the hurdle occurs here. If a way could be achieved to communicate with Tab A from Tab B the problem would have been solved. Both sessions become the same on refresh.

It also occurred to me: would it not help to set the session_start in login.php ONLY AFTER first searching for the active sessions? In that case there would be only one session active, the old one, which should be ejected and destroyed before we INSERT the new session with status 'A' and set that session. I dare say I tried that but could not get it to work. I have actually tried so many things during the day. I spent a whole Sunday on this. lol!

Maybe this can trigger some ideas for you. I am relatively new to PHP and sessions and the info on sessions is so varied and obfuscated on the net. I am very confused. Maybe a fresh start on a fresh day would do the trick. Still I seek your help and direction. Thanks loads.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
When I read your reply above to the I thought that maybe it gave you some clue to dealing with logins on multiple tabs. That's what I thought I could make out from your reply. I too have this feeling that using session_regenerate_id can somehow help in solving this issue. Can Ajax be used to solve this?

Another sequence I had in mind was that if on the login page,
1. Check to see if there exists an open session. If no match found then the user has no previous session goto regular.php.
3. If a match is found then an existing session is open so goto page eject_existing_session.php where the session is unset & destroyed & a metatag refreshes the page after say 2 seconds and then goes back to the login page to continue with the login.

The problem is that in this case when it comes back to the login page it waits again for the user input to login. I also thought that though it can be worked out it was not very elegant. Still looking for more inputs on this. Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi guys, I have been going nuts over this trying to crack the login issue on two tabs of the same browser, getting the 2nd login to kick the user out of the 1st session. I have tried the database thingy, where I used the timestamp. Today I have also gone thru the new mails and discussions by the two active members here as well and tried to implement session_regenerate_id(true) to invalidate the previous session, but to no avail.

The problem is that I am unable to find a suitable replacement for the following bit of code in regular.php:

```php
if ($sessions['status']=='X') {
    echo 'you were booted';
    die('too bad');
}
```

The hurdle is (even with session_regenerate_id(true)) that the session ID of the previous session (say A) also reverts to become the same as the current session ID (say B) in the new login tab. What I mean is that after a refresh because of the metatags, session ID of Tab A = session ID of Tab B. This goes for all $_SESSION variables. Since the code executing is the same in both the browsers there is no way that I can think of to check for a unique session in each tab, because the session values have all changed to become the same in both the sessions, equal to those of the session in Tab B.

I wish I could put in some screenshots here of the database as well as the tabs but I am unable to add an image to this reply. The database works correctly and I have also incorporated a clean up. Each login first checks to see if a previous session is active, removes the entry, unsets the session and then tries to login into a new session, but of course and alas it fails there.

Please explain if I am missing something and kindly elaborate the use of session_regenerate_Id in this context. Why is session_regenerate_id(true) not destroying the previous session like it says so on many forums on the net?

Awaiting your response, Thanks Loads,
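An added example, not part of ajoo's posts or of the code from this thread: one way to make a second login evict the first, and why two tabs of one browser never see an eviction while two different browsers do. All names (`active_login`, `register_login`, `protected_page`) are hypothetical, and each `$session` array stands in for the `$_SESSION` data that one browser's session cookie selects, so the script runs from the PHP command line with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not code from the thread.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // username is the primary key, so there is exactly one row per user.
    $db->exec('CREATE TABLE active_login (
                   username   TEXT PRIMARY KEY,
                   token_hash TEXT NOT NULL)');
    return $db;
}

// Call after the password check succeeds. In a real page, also call
// session_regenerate_id(true) here so the login gets a fresh session ID.
function register_login(PDO $db, array &$session, string $username): void
{
    $token = bin2hex(random_bytes(32));
    $session = ['username' => $username, 'login_token' => $token];
    // REPLACE overwrites the user's row; that overwrite is the eviction.
    $stmt = $db->prepare(
        'REPLACE INTO active_login (username, token_hash) VALUES (?, ?)');
    $stmt->execute([$username, hash('sha256', $token)]);
}

// The check a protected page runs first (the role regular.php plays).
function session_is_current(PDO $db, array $session): bool
{
    if (!isset($session['username'], $session['login_token'])) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT token_hash FROM active_login WHERE username = ?');
    $stmt->execute([$session['username']]);
    $stored = $stmt->fetchColumn();
    return is_string($stored)
        && hash_equals($stored, hash('sha256', $session['login_token']));
}

// Returns the text the protected page would render for this request.
function protected_page(PDO $db, array &$session): string
{
    if (!session_is_current($db, $session)) {
        $session = [];  // real page: session_destroy(), redirect, exit
        return 'booted: you logged in somewhere else';
    }
    return 'welcome ' . $session['username'];
}

// Constructed scenario.
$db = open_db();
$chrome = [];    // one cookie jar: every Chrome tab shares this session
$explorer = [];  // a second browser has its own cookie and session

register_login($db, $chrome, 'jack');       // Chrome tab A logs in
register_login($db, $chrome, 'jack');       // Chrome tab B logs in again
echo protected_page($db, $chrome), "\n";    // either tab: same session

register_login($db, $explorer, 'jack');     // login from the other browser
echo protected_page($db, $chrome), "\n";    // Chrome's token is now stale
echo protected_page($db, $explorer), "\n";  // newest login stays valid
```

The evicted browser is only told on its next request to a protected page, because that is the only moment the check runs.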
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david, Firstly Thanks so much on this issue. I have an application that runs an embedded flash movie which runs from start to end. In that embedded movie, there is no way to get back. However if the user is logged in in more than one tabs / browsers / windows then they can run thru the movie in each of those tabs. So it's important that the application is running in only one tabs / browsers / windows. Otherwise there are chances of the application being misused. In case you find something on preventing multiple logins in the same browser tabs then I'll be happy to know it. Thanks again for your help.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
This is especially required for an application that proceeds uni-linearly from the beginning to the end, like the example I quoted of a test. Say if the objective type test was to proceed from the beginning to the end with no way to go backwards, then the 'n' open tabs would be a must for subsequent users to also be able to complete the test once each. If the result of the test is not important, but just to go thru it once, then those 'n' open tabs would allow the users to go thru the test and that's what I would like to prevent. I hope I said that correctly and it would be fathomable. (In fact I am actually working on one such uni lateral test that proceeds one way.) Thanks to you all. More discussion is most welcome!
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi seandisanti, could you please rephrase what you just said because I am not sure I could make out what you intended to say. I have read the reply a number of times and could only partly understand it. Please do rephrase with an example if possible. How can I check for active sessions in the header? Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david. The reason I would not want someone to be logged into a website on two or 'n' tabs simultaneously would be to prevent them from using a service which is otherwise intended for only one user. So someone opens 'n' tabs and may allow n people to use that service and then logout after all have used it. For e.g. I may have a website that offers objective type tests, intended for one person but which may be misused like this by many persons. Maybe not letting a logged in user login again is a better option after all. Anyways this was a great exercise and I learnt a lot. Still if you find some method of dealing with the tabs I would be happy to hear about that. Thanks loads!
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david, Ok. After I wrote my reply and then read yours again, I tried the code on two different browsers on the same machine and wow! it worked. Just like you said. I tried it on chrome and explorer. So please tell me why does it not work on the two different tabs of the same browser? What would I need to do to make it work on the tabs of the same browser? Thanks loads.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david, good morning. I am using google chrome alone and I am using two different tabs to login. I did change the code just a bit. I used unset to unset the id before I destroyed the session. That's about the only change I made. Yes I am testing only in chrome by using two tabs. Does that have anything to do with this? If you want to I can paste the two files for you to have a look. Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david, I am back and I must say I am surprised with the result of the meta statements that I added to the code. Basically a manual refresh would have done the same thing. However, the result in both cases, manual refresh or meta statements, is the same and as expected it does NOT logout the user's previous sessions BUT instead changes the session id of the previous sessions to the current one (the active one with status 'A') in the database. Thus the eviction still does not occur.

The surprising thing is that the session id which is supposed to be unique to a session changes to the same in all the previous sessions. I did check that session ids are different when the user logs in and change to become the same only after the meta statements refresh the page. I have gone thru the code but fail to understand why the session_id changes to the one in the currently active browser page. Please help. Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi, Thanks david for the response. I am going to try first the meta tags in the header and will revert. Wish you had given me something on Ajax for the refreshing of the page and I would have checked that one out as well but I'll search it on google and revert. Once this is done I'd like to discuss some more regarding the cleaning up of the database. Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david. Thanks for the revert. Though I have not tried it, I am quite certain that a manual refresh would cause the page of the previous sessions to display the "you have been booted" message. Though I don't understand the cache bit that you mentioned.

In fact the only thing that's needed in this problem is, as you have suggested, that there should be some routine which would periodically check the database, something like an interrupt in java or c, or Ajax as you have mentioned here. Can you please elaborate on the Ajax bit? I am very new to PHP and have zero knowledge of Ajax as I have not needed it till now. So if you give me some pointers to it maybe then I'll try and implement the full logic. Maybe a tutorial on Ajax that implements these "periodic checks". And if it's not too complex, a small bit of code to do just that. Again about refresh metatags or javascript I have no idea. Please shed some light on their usage as well.

I feel it's important to log out of the previous sessions when the user attempts a fresh login. A user can forget to logout of a session and then maybe logs in at another place. He may not go back to the old machine that day and so there would be no one to refresh that page to get a final logout and so a clean up of the database where login status is stored will not occur.

I want to do a clean up of the database when I logout a user from a previous session so that this login database may not become too large. Would it be a good idea to delete the records that have been marked "X" and are therefore in the "booted" status? Since this particular logic provides the "id" as the row number, deleting rows can cause a mix up of values thereby rendering the "id" not unique. Just a thought.

Looking forward to some more discussion and help. Thanks loads.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi all, OK here I am with the results of my experiments with the code for a login system which boots out any previous and running sessions by a given (particular) user, thus effectively disallowing a multilogin by a single user. So anytime a user forgets to logout and logs back in again at the same or a new machine, the previous sessions are to be closed and destroyed and the user gets to login from wherever he's logging in once again. At least that's what I am trying to achieve and I appreciate the help of so many senior members here.

Attached please find a snapshot of my computer screen which shows the above not happening. The code suggested by david works in the database all right as can be seen from the snapshot. Also you can see that I have been able to login on 3 pages on the same machine.

David gave two files, one for login which I renamed as status.php and one regular.php which I assumed was the page to be displayed on successful login. The regular.php is supposed to evict an already logged user if he logs in a second time from any other machine. However one look at the regular.php shows that it simply checks the status field and if it's been changed to 'X', indicating a previously active session, it is supposed to simply echo that the user has been booted.

This part of the code however never gets to execute and so this eviction message "you were booted" is never displayed. I think that's because the regular pages have already run their length in the previous sessions. It's here that the new active session somehow has to communicate with previous sessions and trigger / refresh the page code once again and then actually destroy the old session, evicting the user in the previous page and displaying the message.

How is this triggering / refreshing of the browser in the previous session to be achieved? I guess the problem has still not really been solved. Or maybe I am missing something here or am too much of a newbie to get the drift of the experts.

A little more help with actual code would feel great! Thanks all. Looking forward to finally a complete solution to this one. I hope this would help other newcomers like me. (I am unable to paste the snapshot of my run of the program. If someone can tell me how I may achieve that I'll paste it the next time round.)
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
The problem still remains that which set of commands would target the first session on say computer1 to terminate it while the same user is trying to logon from computer 2 without having logged off from the first machine. The program is idle on computer1 and the code is being executed on machine 2. How then would that code on machine 2 trigger code on machine 1 to log out from there? Can you please try and demonstrate with some actual code? At least a pointer. Thanks.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi david, Just by looking at the code, because I tried something like this, I feel that this would logout from the second session and not the first session. So it would probably not allow a second login. Whereas what I am trying to achieve is that the 2nd login occurs, destroying the first. Isn't there any function that allows the sessions to be destroyed by name? For e.g. if I have jack logged in at time = t1 and then jack logs in again at a later date t2, is there no function which can identify and then logout jack at t1 with a message appearing on the screen of Jack at t1 (session 1)? In case I am missing something that you suggested then kindly rephrase it for me. Thanks all.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Hi. Thanks all for their replies. I am surprised to find that my last reply to this post here is missing and so I'll repost that with a new question.

Firstly I tried all the advice by Mac and it all worked great. I used that and now have a login system that prevents multiple login by the same person twice. So thanks for that. I guess to have it working in a real system I would need to use a database as suggested by David. Once I do that I'll post my results here again. I am not aware of the token system suggested by jcbones but I'll explore that too. If you could provide me with some more information on tokens or a reference site I'll be happy.

So now my system works with a small hitch. Like I mentioned, I would like the user to get logged out of the first session once he logs in the second time from the same or a new machine. With my code and help from you all what I have achieved is the prevention of the second login. I'd be grateful if someone can suggest how I might be able to ensure that the 1st session of the user is terminated when he logs into the system a second time. This should be somewhat like a yahoo chat login system which logs out the user with a message which says that the user has been logged out because he has logged in from another machine, once the second login by the same user occurs. Thanks loads.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Ok thanks again sir. I'll revert with the findings again. Well for all practical purposes I just need to make that change in index.php. Thanks. Any other suggestions are most welcome.
A twister - Unable to prevent a second login by the same member.
ajoo replied to ajoo's topic in PHP Coding Help
Thanks for the advice. I'll look into it and revert with the outcome. Is there any way that I can make the program pause for a few seconds after the echo commands to be able to check the program flow for debugging purposes? Thanks again.

Ok I have just made the changes with the exit(); at the appropriate places as you advised and reran the login to be met with the same results. However if you can suggest some way for me to pause the program and check the output of the echo commands, it may give me a great insight into the program and thus maybe an approach to the solution. Eagerly awaiting a reply to this and thanks all.
Hi all, I have another problem associated with logins using sessions and stuff. On my machine I have Apache and mysql installed. The browser I use is Google Chrome. Everything is working fine.

There is a very simple login system which, like all login systems, has an ID and password field. The user has to fill in the ID and password and these are checked against a database and the user is logged in. However before the ID and password are checked, the code checks if the $_session variable is set to and if it is it declares that the user is logged in and redirects the user to a secure page. There the user sees a personalised message and can logout. This is what is desired but this is not happening.

Find below the code. There are 5 files namely 1. index.php, 2. loginproc.php 3. securedpage.php 4. logout.php and 5. config.inc

In the file INDEX.PHP is the following bit of code

```php
///////////////// CODE NEVER TRAVERSED ///////////////////// RED RED RED //////////////
// Check, if user is already login, then jump to secured page
if (isset($_SESSION['username'])) {
    echo $_SESSION['username']. "Already Logged in @ index 8";
    echo " You are being logged out as you have logged in from another page ";
    session_destroy();
    header('Location: index.php');
///////////////// CODE NEVER TRAVERSED ///////////////////// RED RED RED //////////////
}
```

which never gets executed and I wonder why. These lines check at the outset if the user is logged in. If he is logged in and an attempt is made to login again these lines should be executed, terminating the first session, or at least that's what I want, but for some baffling reason that does not occur.

I try and create that scenario as follows. I log into the system once thru google chrome. Then I use another tab to login using the same ID and password. And to my surprise I am logged in and reach the secured page again. So I then have 2 logins on 2 different browser pages by the same ID and in both browsers the secured page is displayed.

What I am trying is of course that once a person is logged in and another login attempt is made, the first session be destroyed and a notification to that effect displayed on the first logged in browser page.

I am unable to see where the mistake lies. I would be most grateful for any help and suggestions. Thanks all.

```php
<?php
///////// INDEX.PHP /////////////////////
// Initialize session
session_start();

///////////////// CODE NEVER TRAVERSED ///////////////////// RED RED RED //////////////
// Check, if user is already login, then jump to secured page
if (isset($_SESSION['username'])) {
    echo $_SESSION['username']. "Already Logged in @ index 8";
    echo " You are being logged out as you have logged in from another page ";
    session_destroy();
    header('Location: index.php');
///////////////// CODE NEVER TRAVERSED ///////////////////// RED RED RED //////////////
}
else { echo " Hi new user ";}

if (isset($_SESSION['username'])) {echo $_SESSION['username']."Already Logged in @ index 14";}
?>
<html>
<head>
<title>PHPMySimpleLogin 0.3</title>
</head>
<body>
<h3>User Login</h3>
<table border="0">
<form method="POST" action="loginproc.php">
<tr><td>Username</td><td>:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password</td><td>:</td><td><input type="password" name="password" size="20"></td></tr>
<tr><td> </td><td> </td><td><input type="submit" value="Login"></td></tr>
</form>
</table>
</body>
</html>
```

```php
<?php
///////// LOGINPROC.PHP ////////////
// Initialize session
session_start();

// Include database connection settings
include('config.inc');

// Retrieve username and password from database according to user's input
$login = mysql_query("SELECT * FROM members WHERE (Username = '" . mysql_real_escape_string($_POST['username']) . "') and (Password = '" . mysql_real_escape_string($_POST['password']) . "')");
echo " Login = $login";

// Check username and password match
if (mysql_num_rows($login) == 1) {
    // Set username session variable
    echo " Ok Hi there - Welcome ";
    $_SESSION['username'] = $_POST['username'];
    // Jump to secured page
    header('Location: securedpage.php');
}
else {
    // Jump to login page
    echo " Can't find you";
    //header('Location: index.php');
}
?>
```

```php
<?php
/////////////////// SECURED PAGE ////////////////////
// Initialize session
session_start();

// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
    header('Location: index.php');
}
else { echo " Welcome". $_SESSION['username']; }
?>
<html>
<head>
<title>Secured Page</title>
</head>
<body>
<p>This is secured page with session: <b><?php echo $_SESSION['username']; ?></b>
<br>You can put your restricted information here.</p>
<p><a href="logout.php">Logout</a></p>
</body>
</html>
```

This is content of 'logout.php':

```php
<?php
/////////// LOGOUT.PHP ///////////////////
// Initialize session
session_start();

// Delete certain session
unset($_SESSION['username']);
// Delete all session variables
session_destroy();

// Jump to login page
header('Location: index.php');
?>
```

```php
<?php
//// CONFIG.INC /////////////////
$hostname = 'localhost'; // Your MySQL hostname. Usually named as 'localhost', so you're NOT necessary to change this even this script has already online on the internet.
$dbname = 'test'; // Your database name.
$username = 'root'; // Your database username.
$password = ''; // Your database password. If your database has no password, leave it empty.

// Let's connect to host
mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');

// Select the database
mysql_select_db($dbname) or DIE('Database name is not available!');
?>
```