One User -> Multiple Simultaneous Logins

[black.horizons]

Hi guys,

 

I've been racking my brains on this one...just trying to figure out how to enable multi simultaneous logins like Google Accounts manages to do.

 

I've also trying to understand how non session based login works...any thoughts on this is/should be done?

[Daniel0]

I've been racking my brains on this one...just trying to figure out how to enable multi simultaneous logins like Google Accounts manages to do.

 

You'll have to elaborate on what exactly you mean. You can't rely on other people's knowledge of any arbitrary system.

 

I've also trying to understand how non session based login works...any thoughts on this is/should be done?

 

I don't see how you could pull that off seeing as HTTP is stateless. Well, strictly speaking you don't have to use PHP's support for sessions and you could use cookies, but considering PHP's sessions are implemented on top of cookies, it's still essentially the same thing.

[DarkSuperHero]

would it be possible to set a cookie avaiable across multiple domains when you set the domain option?

 

eg: cookie is created by xy.com with a domain parameter of yz.com ....would that work...?

[Daniel0]

No, browsers employ a same-origin policy to prevent exactly that scenario. Otherwise badsite.com would be able to read the cookies set for goodsite.com.

[waynew]

Plus cookies can't really be relied on. I think you're going about this the wrong way. Don't try and use something instead of sessions. Use sessions to MANAGE what accounts they're logged into.

[Daniel0]

Well, cookies can't be relied on in the same way that the keys to your doors can't be relied on to protect you from burglary. Whenever someone has the keys/cookies they have access to whatever the keys/cookies grant access to. Cookies are merely a way of persisting data across multiple requests. Sessions are a layer on top of the cookies.

[black.horizons]

ok so gmail allows me to login at computer X using Firefox leave that session open and login using IE8 - and the two sessions can work simultaneously.

 

i can then also use computer Y to login at the same time and the sessions still work!!

[Daniel0]

And how are you having trouble implementing that? It's fairly straightforward. Store the user ID using sessions. Fetch the user from the database that corresponds to the ID. If the ID is not set the user is logged out.

[jackpf]

Doesn't this happen by default?

 

I'd have thought that you actually have to do something to prevent this. Enabling it requires nothing. Just check user info against the database. If it's correct, log them it. That has nothing restricting them from logging in on multiple PCs.

[black.horizons]

i just didnt think that was a particularly secure way of going about it. storing a user id in a session? i use a md5 hash in the session and look that up in the db - if they match then user is logged in.

 

maybe im wrong about the secure thing?

[waynew]

There is a security concern with sessions if you're on a shared-server. The solution to that potential security concern is to store user sessions in a MySQL database.

 

Cookies can help strengthen your application's security. For example:

 

//user login details were correct - give them details
$_SESSION['user_id'] = $user_id;
setcookie('user_id',$user_id);

 

Then on another page you could do this:

 

$logged_in = false; //by defaults
if(isset($_SESSION['user_id']) && isset($_COOKIE['user_id']) && $_SESSION['user_id'] == $_COOKIE['user_id']){
      $logged_in = true; //user is logged in
}

 

If you want you could also use a session fingerprint.

 

$_SESSION['fingerprint'] = sha1($_SERVER['HTTP_USER_AGENT'].$user_id."32hdy!");

 

[Daniel0]

//user login details were correct - give them details
$_SESSION['user_id'] = $user_id;
setcookie('user_id',$user_id);

 

You needn't set a cookie as well.