black.horizons, posted May 23, 2009:

Hi guys, I've been racking my brains on this one... just trying to figure out how to enable multi simultaneous logins like Google Accounts manages to do. I've also been trying to understand how non-session-based login works... any thoughts on how this is/should be done?

Daniel0, posted May 23, 2009:

> I've been racking my brains on this one... just trying to figure out how to enable multi simultaneous logins like Google Accounts manages to do.

You'll have to elaborate on what exactly you mean. You can't rely on other people's knowledge of any arbitrary system.

> I've also been trying to understand how non-session-based login works... any thoughts on how this is/should be done?

I don't see how you could pull that off seeing as HTTP is stateless. Well, strictly speaking you don't have to use PHP's support for sessions and you could use cookies, but considering PHP's sessions are implemented on top of cookies, it's still essentially the same thing.

DarkSuperHero, posted May 23, 2009:

Would it be possible to set a cookie available across multiple domains when you set the domain option? E.g.: a cookie is created by xy.com with a domain parameter of yz.com... would that work?

Daniel0, posted May 23, 2009:

No, browsers employ a same-origin policy to prevent exactly that scenario. Otherwise badsite.com would be able to read the cookies set for goodsite.com.

waynew, posted May 23, 2009:

Plus cookies can't really be relied on. I think you're going about this the wrong way. Don't try and use something instead of sessions. Use sessions to MANAGE what accounts they're logged into.

Daniel0, posted May 23, 2009:

Well, cookies can't be relied on in the same way that the keys to your doors can't be relied on to protect you from burglary. Whenever someone has the keys/cookies they have access to whatever the keys/cookies grant access to. Cookies are merely a way of persisting data across multiple requests. Sessions are a layer on top of the cookies.

black.horizons, posted May 24, 2009:

OK, so Gmail allows me to log in at computer X using Firefox, leave that session open and log in using IE8 - and the two sessions can work simultaneously. I can then also use computer Y to log in at the same time and the sessions still work!!

Daniel0, posted May 24, 2009:

And how are you having trouble implementing that? It's fairly straightforward. Store the user ID using sessions. Fetch the user from the database that corresponds to the ID. If the ID is not set the user is logged out.

jackpf, posted May 24, 2009:

Doesn't this happen by default? I'd have thought that you actually have to do something to prevent this. Enabling it requires nothing. Just check user info against the database. If it's correct, log them in. That has nothing restricting them from logging in on multiple PCs.

black.horizons, posted May 24, 2009:

I just didn't think that was a particularly secure way of going about it. Storing a user ID in a session? I use an MD5 hash in the session and look that up in the DB - if they match then the user is logged in. Maybe I'm wrong about the secure thing?

waynew, posted May 24, 2009:

There is a security concern with sessions if you're on a shared server. The solution to that potential security concern is to store user sessions in a MySQL database. Cookies can help strengthen your application's security. For example:

    // user login details were correct - give them details
    $_SESSION['user_id'] = $user_id;
    setcookie('user_id', $user_id);

Then on another page you could do this:

    $logged_in = false; // by default
    if (isset($_SESSION['user_id']) && isset($_COOKIE['user_id']) && $_SESSION['user_id'] == $_COOKIE['user_id']) {
        $logged_in = true; // user is logged in
    }

If you want you could also use a session fingerprint.

    $_SESSION['fingerprint'] = sha1($_SERVER['HTTP_USER_AGENT'].$user_id."32hdy!");

Daniel0, posted May 24, 2009:

> // user login details were correct - give them details
> $_SESSION['user_id'] = $user_id;
> setcookie('user_id', $user_id);

You needn't set a cookie as well.
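
An added example, not code from any poster in this thread: the approach Daniel0 outlines (user ID kept in the server-side session, user fetched from the database, no extra cookie), with the session ID regenerated at login. The users table, the function names and the in-memory SQLite store are assumptions; it needs PHP 7.3+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);
// Added example: table layout, function names and the SQLite store are assumptions.

function start_session(): void
{
    // The browser only ever holds the random session ID; user_id stays on the server.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function log_in(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh ID at login, so a pre-login ID cannot be reused
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;                       // ID not set: the user is logged out
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // account deleted since login: treat as logged out
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();                     // ends this browser's session only
}

// Constructed demo data: one user in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (name, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

start_session();
$bad  = log_in($db, 'alice', 'wrong');
$good = log_in($db, 'alice', 'correct horse');
var_dump($bad, $good, current_user($db));  // output only after the session calls
```

Each browser or computer that logs in gets its own session ID and its own session record, so simultaneous logins work without any extra code; log_out() ends only the session of the browser that calls it.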