A twister - Unable to prevent a second login by the same member.


ajoo

Hi david, I am back and I must say I am surprised with the result of the meta statements that I added to the code. Basically a manual refresh would have done the same thing. However, the results in both cases, manual refresh or meta statements, are the same and as expected it does NOT log out the user's previous sessions BUT instead changes the session id of the previous sessions to the current one (active one with status 'A') in the database. Thus the eviction still does not occur.

The surprising thing is that the session id, which is supposed to be unique to a session, changes to the same in all the previous sessions. I did check that session ids are different when the user logs in and change to become the same only after the meta statements refresh the page.

 

I have gone through the code but fail to understand why the session_id changes to the one in the currently active browser page. Please help. Thanks.


Either I am not understanding what you want to do, you've changed something, or you are testing incorrectly.

 

I took the code as posted:

In firefox:

I load testregular and get the message that I need to log in.

I load testlogin and submit and get a successful log in message

I reload testregular and get "You are logged in"

 

I open chrome. In chrome:

testregular says I am not logged in

testlogin works and logs me in

Now in firefox a reload produces "you were bootedtoo bad"

 

Are you using two different browsers (not just different windows or different tabs)?


Hi david, good morning. I am using Google Chrome alone and I am using two different tabs to log in. I did change the code just a bit. I used unset to unset the id before I destroyed the session. That's about the only change I made. Yes, I am testing only in Chrome by using two tabs. Does that have anything to do with this? If you want, I can paste the two files for you to have a look.

 

Thanks.


Hi david, 

 

Ok. After I wrote my reply and then read yours again, I tried the code on two different browsers on the same machine and wow! It worked, just like you said. I tried it on Chrome and Explorer. So please tell me why does it not work on two different tabs of the same browser? What would I need to do to make it work on the tabs of the same browser?

 

Thanks loads.


The reason that it does not work in two tabs in a single browser is that the session mechanism will not assign two different sessions to the same browser simultaneously. You can start a new session, but if you are in the same browser that browser loses the old session when the new session starts. When you start the new session in a different tab, since the session is assigned to the browser the old tab gets the new session ID too and it gets logged in.

Edited by davidannis

What would I need to do to make it work on the tabs of the same browser?

It would be incredibly difficult to get it to work on two tabs in the same browser. However, I can't see many reasons that you would want to disallow someone from having two tabs logged into your website simultaneously. Why would it hurt to allow someone to have multiple tabs logged in?


Hi david. The reason I would not want someone to be logged into a website on two or 'n' tabs simultaneously would be to prevent them from using a service which is otherwise intended for only one user. So while someone opens 'n' tabs they may allow n people to use that service and then log out after all have used it. For example, I may have a website that offers objective type tests, intended for one person, but which may be misused like this by many persons. Maybe not letting a logged in user log in again is a better option after all. Anyway, this was a great exercise and I learnt a lot. Still, if you find some method of dealing with the tabs I would be happy to hear about that.

 

Thanks loads !


All you have to do is in your header section have it check for an active session; if there's not one, go to the logged out/invalid session page instead of loading the page that they wanted. Have to keep in mind not all of your old sessions are still going to be there because of concurrent logins, so there will not always be an active browser to redirect. There will be on every page load though, so just have it validate the session before displaying the page, which you're probably already doing in one way or another if a login is required.


Hi seandisanti

could you please rephrase what you just said because I am not sure I could make out what you intended to say. I have read the reply a number of times and could only partly understand it. Please do rephrase with an example if possible.

 

How can i check for active sessions in the header? 

 

Thanks.


If a user has n tabs open, the n people using them would have to take turns with the mouse and keyboard. It is no different than the user logging in, taking a test, and then letting somebody else sit down and take it too. One browser can only be used by one user at a time. I think that allowing only a single active browser is going to be good enough to deter that kind of cheating.


All you have to do is in your header section have it check for an active session; if there's not one, go to the logged out/invalid session page instead of loading the page that they wanted. Have to keep in mind not all of your old sessions are still going to be there because of concurrent logins, so there will not always be an active browser to redirect. There will be on every page load though, so just have it validate the session before displaying the page, which you're probably already doing in one way or another if a login is required.

I think that is what he is doing now, but he also wants to not allow multiple tabs in a single browser (which would share a single session id) to be logged in. Not allowing the use of multiple tabs but allowing the most recently logged in tab to remain active is achievable but much more difficult.


This is especially required for an application that proceeds uni-linearly from the beginning to the end, like the example I quoted of a test. Say the objective type test was to proceed from the beginning to the end with no way to go backwards; then the 'n' open tabs would be a must for subsequent users to also be able to complete the test once each. If the result of the test is not important, but just to go through it once, then those 'n' open tabs would allow the users to go through the test and that's what I would like to prevent. I hope I said that correctly and it is fathomable. (In fact I am actually working on one such unilateral test that proceeds one way.)

 

Thanks to you all. More discussion is most welcome!    


The way to deal with not allowing people to go back is different from requiring only a single login. You can go backward in a single tab. To keep a user from going backward you need to record the last page submitted, check that against some set of rules about what order pages must be submitted in and deal with it appropriately.


Hi david, Firstly Thanks so much on this issue.

 

I have an application that runs an embedded flash movie which runs from start to end. In that embedded movie, there is no way to get back. However, if the user is logged in in more than one tab / browser / window then they can run through the movie in each of those tabs. So it's important that the application is running in only one tab / browser / window. Otherwise there are chances of the application being misused.

 

In case you find something on preventing multiple logins in the same browser's tabs then I'll be happy to know it.

 

Thanks again for your help.


If you are counting on someone not being able to watch the movie multiple times, prohibiting multiple tabs won't solve the problem. They can just save the video or they can reload in the current tab or pause and back up the video.

 

A fix to that problem is beyond me. Can anyone else help?

Edited by davidannis

My last reply was based on the assumption that you were deleting existing sessions for the user upon login. So if I had a session that had gone idle on my iPad for example, then I logged in from my computer, the iPad's session would be deleted from the server. Then if I went to another page from the iPad later in the day, it would see that the session no longer existed and require login. I didn't realize you were trying to prevent multiple pages displaying in different tabs. Take a look at using session_regenerate_id on your page loads. I believe you can do it using session_start(true), also. It essentially creates a new session on each page load, invalidating the original session.


So if I had a session that had gone idle on my iPad for example, then I logged in from my computer, the iPad's session would be deleted from the server. Then if I went to another page from the iPad later in the day, it would see that the session no longer existed and require login.

He wants the iPad to display a message explaining that the reason it is no longer logged in is that another session superseded it instead of just being logged out so he needs to leave the session on the server but mark it as inactive.

Take a look at using session_regenerate_id on your page loads.

That is a brilliant solution. It would also help enforce the unidirectional flow of the process. When he creates the new ID he can also save the next step on the server and validate against that. Then the only issues left are copy protecting the flash video and making sure it can not be paused and rewound.


He wants the iPad to display a message explaining that the reason it is no longer logged in is that another session superseded it instead of just being logged out so he needs to leave the session on the server but mark it as inactive.

Take a look at using session_regenerate_id on your page loads.

That is a brilliant solution. It would also help enforce the unidirectional flow of the process. When he creates the new ID he can also save the next step on the server and validate against that. Then the only issues left are copy protecting the flash video and making sure it can not be paused and rewound.

Upon deletion of the original session, have a table of superseded sessions, and add the session_id into it. Then on page loads, check the session_id from the cookie against superseded sessions, display an error instead of the page, and delete the record from the superseded table. You also probably want to have a cron job to truncate the superseded sessions table daily or every other day to avoid the table growing too much, just because the message is really only going to be relevant to the viewer for a day or so anyway.

 

***edit***

Forgot about the other part: controlling the users' ability to interact with a flash video is definitely more of a flash question than a PHP question. One tip though: make sure that your .htaccess does a "deny from all" on your flash directory so that only your scripts can pull the files as needed. It doesn't stop someone from capturing the stream, but it will cut down on people downloading the files directly.

Edited by seandisanti

Upon deletion of the original session, have a table of superseded sessions, and add the session_id into it. Then on page loads, check the session_id from the cookie against superseded sessions, display an error instead of the page, and delete the record from the superseded table. You also probably want to have a cron job to truncate the superseded sessions table daily or every other day to avoid the table growing too much, just because the message is really only going to be relevant to the viewer for a day or so anyway.

That is pretty much what we've done. I didn't write the cron job for the OP but I told him to put a timestamp in the sessions table and to clean out the file based on that timestamp.

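The superseded-sessions scheme from the two posts above (one sessions table with the OP's 'A'/'X' status column plus a timestamp for clean-up), written out as an added example; this is not code from this thread or from the OP's files. It assumes a PDO connection $pdo, a session_start() before any call, and a user_sessions table whose name and columns are invented here.

```php
<?php
// Assumed schema (not the OP's): user_sessions(session_id VARCHAR(128) PRIMARY KEY,
//   user_id INT NOT NULL, status CHAR(1) NOT NULL, last_seen DATETIME NOT NULL)

// Call after the username/password check succeeds.
function login_user(PDO $pdo, int $userId): void
{
    // Fresh id for this browser; PHP itself stops honouring the old id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;

    // Supersede every other active session of this user, but keep the rows so the
    // other browser can later be told why it was logged out (status 'X').
    $pdo->prepare("UPDATE user_sessions SET status = 'X' WHERE user_id = ? AND status = 'A'")
        ->execute([$userId]);
    $pdo->prepare("INSERT INTO user_sessions (session_id, user_id, status, last_seen)
                   VALUES (?, ?, 'A', ?)")
        ->execute([session_id(), $userId, date('Y-m-d H:i:s')]);
}

// Call at the top of every protected page (the "header" check).
// Returns 'ok', 'booted' or 'anonymous' so the page decides what to render.
function check_session(PDO $pdo): string
{
    $stmt = $pdo->prepare('SELECT status FROM user_sessions WHERE session_id = ?');
    $stmt->execute([session_id()]);
    $status = $stmt->fetchColumn();

    if ($status === 'X') {
        // Superseded by a later login: show the message once, then forget the row.
        $pdo->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([session_id()]);
        $_SESSION = [];
        session_destroy();
        return 'booted';
    }
    if ($status !== 'A' || empty($_SESSION['user_id'])) {
        return 'anonymous';
    }
    // Keep the timestamp current so the purge below only removes idle rows.
    $pdo->prepare('UPDATE user_sessions SET last_seen = ? WHERE session_id = ?')
        ->execute([date('Y-m-d H:i:s'), session_id()]);
    return 'ok';
}

// Run from cron instead of truncating the whole table: a booted row only matters
// until the other browser has seen the message, and idle rows can go too.
function purge_stale_sessions(PDO $pdo, int $days = 1): int
{
    $cutoff = date('Y-m-d H:i:s', time() - $days * 86400);
    $stmt = $pdo->prepare('DELETE FROM user_sessions WHERE last_seen < ?');
    $stmt->execute([$cutoff]);
    return $stmt->rowCount();
}
```

In regular.php this replaces the status check: 'booted' prints the "you were booted" message and dies, 'anonymous' asks the user to log in. As davidannis says, it can only tell browsers apart, since two tabs of one browser send the same session cookie and therefore share one row.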

Hi guys, I have been going nuts over this trying to crack the login issue on two tabs of the same browser, getting the 2nd login to kick the user out of the 1st session. I have tried the database thingy, where I used the timestamp. Today I have also gone through the new mails and discussions by the two active members here as well and tried to implement session_regenerate_id(true) to invalidate the previous session, but to no avail.

 

The problem is that I am unable to find a suitable replacement of this following bit of code in regular.php

 

if ($sessions['status'] == 'X')
{
    echo 'you were booted';
    die('too bad');
}

 

The hurdle is (even with session_regenerate_id(true)) that the session ID of the previous session (say A) also reverts to become the same as the current session ID (say B) in the new login tab. What I mean is that after a refresh because of the meta tags, session ID of Tab A = session ID of Tab B. This goes for all $_SESSION variables. Since the code executing is the same in both the browsers there is no way that I can think of to check for a unique session in each tab, because the session values have all changed to become the same in both the sessions, equal to those of the session in Tab B.

 

I wish I could put in some screenshots here of the database as well as the tabs but I am unable to add an image to this reply. The database works correctly and I have also incorporated a clean up. Each login first checks to see if a previous session is active, removes the entry, unsets the session and then tries to log in to a new session, but of course and alas it fails there.

 

Please explain if I am missing something and kindly elaborate the use of session_regenerate_id in this context. Why is session_regenerate_id(true) not destroying the previous session like it says so on many forums on the net? Awaiting your response,

 

Thanks Loads, 

 


Session regenerate id won't solve the two tabs issue because a session is assigned to your browser not to each tab in the browser. I think that the best way to prevent out of order page loads is to define valid sequences and track user progress. Here's some pseudo-code:

<?php
// Assumed to be set above, as in regular.php: $pdo (PDO connection), $sessions
// (this session's row from the sessions table) and $this_step (id of this page).
session_start();
// check login status
if (empty($_SESSION['user_id'])) {
    echo 'you need to log in';
} elseif ($sessions['status'] == 'X') { // user has logged in elsewhere
    echo "you've been booted message";
}
// up to here it is pretty much just regular.php
else { // but now we add something to check that they are going in the right order
    $stmt = $pdo->prepare('SELECT last_step_accomplished FROM user_status WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $last_step_accomplished = $stmt->fetchColumn();

    $stmt = $pdo->prepare('SELECT next_step FROM valid_next_steps WHERE step = ?');
    $stmt->execute([$last_step_accomplished]);
    $valid_next_steps = $stmt->fetchAll(PDO::FETCH_COLUMN);

    if (!in_array($this_step, $valid_next_steps)) {
        echo "sorry you can't do X except right after Y or Z";
        die();
    }
    $stmt = $pdo->prepare('UPDATE user_status SET last_step_accomplished = ? WHERE user_id = ?');
    $stmt->execute([$this_step, $_SESSION['user_id']]);
}

You have to think through the rules about what order the user can go in carefully and deal with restarting the process from the beginning if that's allowed.


He wants the iPad to display a message explaining that the reason it is no longer logged in is that another session superseded it instead of just being logged out so he needs to leave the session on the server but mark it as inactive.

Take a look at using session_regenerate_id on your page loads.

That is a brilliant solution. It would also help enforce the unidirectional flow of the process. When he creates the new ID he can also save the next step on the server and validate against that. Then the only issues left are copy protecting the flash video and making sure it can not be paused and rewound.

When I read your reply above, I thought that maybe it gave you some clue to dealing with logins on multiple tabs. That's what I thought I could make out from your reply. I too have this feeling that using session_regenerate_id can somehow help in solving this issue. Can Ajax be used to solve this?

 

Another sequence I had in mind was that on the login page: 1. Check to see if there exists an open session. 2. If no match is found then the user has no previous session; go to regular.php. 3. If a match is found then an existing session is open, so go to page eject_existing_session.php where the session is unset & destroyed & a meta tag refreshes the page after say 2 seconds and then goes back to the login page to continue with the login. The problem is that in this case when it comes back to the login page it waits again for the user input to log in. I also thought that though it can be worked out it was not very elegant. Still looking for more inputs on this. Thanks.


Session regenerate id won't solve the two tabs issue because a session is assigned to your browser not to each tab in the browser. I think that the best way to prevent out of order page loads is to define valid sequences and track user progress. Here's some pseudo-code:

<?php
// Assumed to be set above, as in regular.php: $pdo (PDO connection), $sessions
// (this session's row from the sessions table) and $this_step (id of this page).
session_start();
// check login status
if (empty($_SESSION['user_id'])) {
    echo 'you need to log in';
} elseif ($sessions['status'] == 'X') { // user has logged in elsewhere
    echo "you've been booted message";
}
// up to here it is pretty much just regular.php
else { // but now we add something to check that they are going in the right order
    $stmt = $pdo->prepare('SELECT last_step_accomplished FROM user_status WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $last_step_accomplished = $stmt->fetchColumn();

    $stmt = $pdo->prepare('SELECT next_step FROM valid_next_steps WHERE step = ?');
    $stmt->execute([$last_step_accomplished]);
    $valid_next_steps = $stmt->fetchAll(PDO::FETCH_COLUMN);

    if (!in_array($this_step, $valid_next_steps)) {
        echo "sorry you can't do X except right after Y or Z";
        die();
    }
    $stmt = $pdo->prepare('UPDATE user_status SET last_step_accomplished = ? WHERE user_id = ?');
    $stmt->execute([$this_step, $_SESSION['user_id']]);
}

You have to think through the rules about what order the user can go in carefully and deal with restarting the process from the beginning if that's allowed.

 

elseif (user has logged in elsewhere) {
    echo "you've been booted message";
}
// up to here it is pretty much just regular.php                  // ALREADY PROBLEMATIC.

 

If i am logged in on Tab A and then on Tab B of the same browser, then the above message is shown on Tab B, the current session Tab and not on Tab A session. So the hurdle occurs here.  If a way could be achieved to communicate with Tab A from Tab B the problem would have been solved. Both sessions become the same on refresh. 

 

It also occurred to me: would it not help to set the session_start in login.php ONLY AFTER first searching for the active sessions? In that case there would be only one session active, the old one, which should be ejected and destroyed before we INSERT the new session with status 'A' and set that session. I dare say I tried that but could not get it to work. I have actually tried so many things during the day. I spent a whole Sunday on this. lol! Maybe this can trigger some ideas for you. I am relatively new to PHP and sessions, and the info on sessions is so varied and obfuscated on the net. I am very confused. Maybe a fresh start on a fresh day would do the trick. Still I seek your help and direction,

 

Thanks loads. 

