This topic is now archived and is closed to further replies.

inqztve

Advanced login issues

I have a login system with PHP and MySQL that uses a session variable to keep track. My issue is:

2) How can I auto logout a user from one location if the same user logs in from a different location? i.e. USER A creates a SESSION with sessionID X (say) from location 1. He/she then forgets to log out or close the browser. And the same USER A tries to log in from location 2 and creates a session with sessionID Y (say). I want the SESSION with ID X to be destroyed (so that USER A from location 1 is effectively logged out) before the SESSION with ID Y is created. How do I destroy a different SESSION? I store the session ID in a database table along with the associated userID and whether the user is logged in or out. So the previous sessionID associated with a user is available during the current login (or SESSION).

In other words, can I destroy the SESSION with sessionID X while I am in the SESSION with sessionID Y?

mmm,
If a user closed the window, the session will normally die

You can do it, but it will be heavy
When a user logs in, store the sess ID in the DB
then on every page load, check the sess_id with what is in the DB
If it's not a match, then session_destroy();

Hey, thank you for your reply. I do store the session ID in the DB for every session. But if I use session_destroy() at the beginning of every page when the SESSION IDs don't match, then I destroy the current session, not the previous session. I want to destroy the previous session if the same user is trying to log in again from a different location. It would have been nice if session_destroy() could be called with a SESSION ID as argument. Then I could just call the previous session by that ID, destroy it during the next login, and create a new one. But, unfortunately, I can't call session_destroy() by ID.

as I said

If the SESS_ID in the DB matches the SESS_ID of the user, then everything is ok
If not then it must be from an old log in, so destroy that one

If I am logged into your website, and I log in again, it will overwrite the old one.

[u]If not then it must be from an old log in, so destroy that one[/u].

>>>That is what I want to do. I am just looking for a function that will destroy the old one.
I tried writing my own to actually delete the session file from the dir where it is stored.

But it's giving me this error: [b][function.unlink]: Permission denied.[/b]

I am using unlink to delete the file.

System summary:

Windows server 2003
IIS 6
PHP 5+ (don't exactly remember)

I have given full permission for the IUSER for the directory where I store the session file.

unlink is for deleting files

// $ses_id_in_db: the session ID saved in the DB when the user last logged in
if (session_id() != $ses_id_in_db) {
    session_destroy();
}

Isn't this going to destroy the current session? I want to continue with the current session. I want to destroy the session associated with sess_id_in_db in your example. How can I call session_destroy() from the scope of the current session (associated with current_sess_d) to destroy another session (sess_id_in_db)?

That is why I wanted to use unlink to delete the session file with sess_id_in_db while logging in.

Let's summarise this to make sure I understand this:
* User logs in on machine 1
* Later they forget to close the browser, go home and log into machine 2
* Someone goes to machine 1 and starts using the browser with the account logged in
* Site picks up on two users logged in and needs to boot one out (preferably machine 1)

If I'm correct I've done this before myself and I used 3 fields in the users table:
* "seshid", VARCHAR
* "kick" TINYINT(1)
* "curip" VARCHAR(15) (to store the user's IP)

Basically, when someone logs in it checks the session ID with current and curip with current. If both are different it sets kick to 1 and logs the new session ID and IP. Other scripts check seshid with current and curip with current. If both are different then the session ID is destroyed and it redirects to the login page. If both match then it must be the recent user, so kick is set to 0 and it carries on as normal. Once a machine is kicked and kick is set to 0, the recent user can carry on as normal without worry of being kicked, as the other machine won't be able to log in because they won't know the password.

That's similar to how I've done it, but I can't remember exactly how as I've not got access to the code to check at the moment, but it's as accurate as I can get it (spent *ages* typing this to make sure I got it right lol)
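
The check the replies above describe (store the session ID at login, compare it on every page load), as an added example that is not code from any poster in this thread. It assumes PHP 7+, an open PDO connection, a `users` table with an `id` column and the `seshid` column named above, and a hypothetical `login.php`; the `kick` and `curip` columns are left out.

```php
<?php
// Added example: single-active-session check. Assumes a `users` table with
// an `id` column and the "seshid" VARCHAR column mentioned in the thread.

// Call once, right after the password has been verified.
function register_login(PDO $db, int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fresh ID for the authenticated session (also blocks session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;

    // Overwriting seshid is what invalidates the login on the other machine.
    $stmt = $db->prepare('UPDATE users SET seshid = ? WHERE id = ?');
    $stmt->execute([session_id(), $userId]);
}

// Call at the top of every protected page. Returns true if the request may
// continue, false if this browser has just been logged out.
function enforce_single_session(PDO $db): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        return false;                       // not logged in at all
    }
    $stmt = $db->prepare('SELECT seshid FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $current = $stmt->fetchColumn();        // false when the row is missing

    if (is_string($current) && hash_equals($current, session_id())) {
        return true;                        // this is the newest login
    }
    // This request carries the OLD session ID, so the "current" session here
    // is the stale one: destroying it logs out the old machine only.
    $_SESSION = [];
    session_destroy();
    return false;
}

// Usage on a protected page ($db is an open PDO connection; login.php is
// a hypothetical path):
// if (!enforce_single_session($db)) { header('Location: login.php'); exit; }
```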

Yes, you got it right! :) Yes, that will work. I need to check kick from the DB before every page loads; it can be integrated into the login check file. I was wondering if I can just destroy the session associated with the previous login while logging in the next time from a different machine. Apparently I can't do that with session_destroy(), as I can't call it to destroy a different session.

No idea, but I guess it's a new function in the testing stage as I can't seem to find any documentation on it - sounds a bit like "multiple session" to me but as I said, only guessing!

Thank you for your help. I can't seem to find any documentation either. All I could find is that it takes an argument. If I could destroy a session by ID, not just the current session... something like [b]session_destroy(session_id)[/b], it would make my job easier. That is why I was interested in msession_destroy(string arg). I was hoping it would do what I wanted to do.

It may do something similar in the future, will have to wait for the documentation to be added.

Meantime, if I use msession_destroy(), it gives a fatal error as an undefined function. I use PHP 5.1.4. It's supposed to be working for PHP 4.4 and 5. Do I need to use a different .dll file for this? Or change some settings in the .ini file?

I've no idea, to be honest, and I wouldn't really advise using a function where there is no documentation, as you've no idea what else it's affecting. Best stick to documented functions; that way you know exactly what is being affected.
