A twister - Unable to prevent a second login by the same member.


ajoo

If I am logged in on Tab A and then on Tab B of the same browser, then the above message is shown on Tab B, the current session Tab and not on Tab A session. So the hurdle occurs here. If a way could be achieved to communicate with Tab A from Tab B the problem would have been solved. Both sessions become the same on refresh.

As previously discussed,

Session regenerate id won't solve the two tabs issue because a session is assigned to your browser not to each tab in the browser.

A session is assigned to a browser, not a tab.

 

However, if you enforce going in some order then it makes what tab they are in mostly irrelevant. I turned my pseudo code above into sloppy code below. You need to sanitize data, think through page order, clean up old next step data (or put it in the sessions table which already has a cleanup or put it in the user table that I assume you have though my example does not), catch and deal with errors, etc.

 

For my example, I made pages go in numerical order (0,1,2,3,4,5,6...). I opened a tab, logged in (the login page is zero) and went to page 3. I then opened a new tab and logged in. The PHP forces me to page 4. I went on to page 6, then switched back to the first tab and hit "go to next step". That gives me the message that I'm trying to go in the wrong order (effectively preventing me from using two tabs at once).

Here is the code:

testlogin.php

<?php
session_start();
$link = mysqli_connect("localhost", '***', '*****', 'testdb') or die("Unable to connect!");
if (!empty($_POST['username'])) { // this is someone logging in
    // in the real world we'd check for a valid password here
    $username = $_POST['username'];

    // make all other sessions for this user die
    // (prepared statements keep the user-supplied name out of the SQL text)
    $stmt = mysqli_prepare($link, "UPDATE sessions SET status='X' WHERE username=?");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    // get the next valid step here.
    $stmt = mysqli_prepare($link, "SELECT step_id FROM last_step_completed WHERE username=?");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $last_step);
    $found = mysqli_stmt_fetch($stmt);
    // start at step 0 when there is no row yet
    $next_step = $found ? $last_step + 1 : 1; // normally we'd look up all the valid steps from the database,
    // here we just say they need to be in numerical order
    mysqli_stmt_close($stmt);
    if (!$found) {
        // insert that we completed step 0 into database
        $stmt = mysqli_prepare($link, "INSERT INTO last_step_completed (`username`,`step_id`) VALUES (?, 0)");
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }

    // add a record to the database
    $stmt = mysqli_prepare($link, "INSERT INTO sessions (username, status) VALUES (?, 'A')");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $_SESSION['id'] = mysqli_stmt_insert_id($stmt);
    mysqli_stmt_close($stmt);
    $_SESSION['username'] = $username; // Now this session is logged in
    echo 'login success';
    echo '<br /><a href="testregularpage.php?step=' . $next_step . '">Go to Next Step</a>';
    die();
}
?>
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title></title>
    </head>
    <body>
        <form method="POST" action="testlogin.php">
            <input type="text" name="username" value="david">
            <input type="submit">
        </form>
        <?php
        
        ?>
    </body>
</html>

testregularpage.php

<?php
session_start();
$link = mysqli_connect("localhost", '******', 'obscuredForNoGood Reason', 'testdb') or die("Unable to connect!");
if (!empty($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $session_id = (int) $_SESSION['id']; // row id stored at login
    $result = mysqli_query($link, "SELECT status FROM sessions WHERE id=$session_id");
    $sessions = mysqli_fetch_assoc($result);
    // a missing row is treated like a killed session
    if (!$sessions || $sessions['status'] == 'X') {
        echo 'you were booted';
        die('too bad');
    }
} else {
    die('you need to login');
}
// logged in and active
// check if this is the right step
$step = (int) ($_GET['step'] ?? 0); // normally the step would be hard coded here based on what the page does
// but I don't want to code multiple pages for the example, so I'm passing the value in;
// the int cast keeps the request value safe to echo and to store
$stmt = mysqli_prepare($link, "SELECT step_id FROM last_step_completed WHERE username=?");
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $last_step);
$found = mysqli_stmt_fetch($stmt);
$next_step = $found ? $last_step + 1 : null; // normally this would be gotten from a database
mysqli_stmt_close($stmt);
if (!$found) {
    echo 'error: We lost track of what step you\'re on.';
    die();
}

if ($step != $next_step) { // check to make sure we are on the right step
    echo "You are trying to do steps out of order. Sorry ";
    die();
}
echo '<h1>This is step ' . $step . "</h1>";
$stmt = mysqli_prepare($link, "UPDATE last_step_completed SET step_id=? WHERE username=?");
mysqli_stmt_bind_param($stmt, 'is', $step, $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

?>
<h1>You are logged in</h1>
<p>Go to step <a href="testregularpage.php?step=<?php echo($step+1);?>"><?php echo($step+1);?></a></p>
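
Added example, not part of the original post or thread: the same "kill older sessions on login, then enforce step order" idea, with the step check moved into the UPDATE itself so two tabs submitting the same step cannot both pass. It assumes PDO with in-memory SQLite standing in for the post's MySQL database; `login()` and `completeStep()` are hypothetical names, and the table and column names follow the post.

```php
<?php
// Added example, not from the original post. PDO with in-memory SQLite stands in for
// the post's MySQL database; login() and completeStep() are hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sessions (id INTEGER PRIMARY KEY, username TEXT, status TEXT)");
$db->exec("CREATE TABLE last_step_completed (username TEXT PRIMARY KEY, step_id INTEGER)");

// New login: kill the user's other sessions and open a fresh one in one transaction.
function login(PDO $db, string $username): int {
    $db->beginTransaction();
    $db->prepare("UPDATE sessions SET status='X' WHERE username=?")->execute([$username]);
    $db->prepare("INSERT INTO sessions (username, status) VALUES (?, 'A')")->execute([$username]);
    $id = (int) $db->lastInsertId();
    // Record step 0 (the login page) only when the user has no progress row yet.
    // SQLite syntax; MySQL spells it INSERT IGNORE.
    $db->prepare("INSERT OR IGNORE INTO last_step_completed (username, step_id) VALUES (?, 0)")
       ->execute([$username]);
    $db->commit();
    return $id;
}

// Accept $step only from an active session and only if it is exactly last step + 1.
// The step check lives in the UPDATE's WHERE clause, so two tabs racing on the same
// step cannot both succeed: the second UPDATE matches zero rows.
function completeStep(PDO $db, int $sessionId, string $username, int $step): string {
    $q = $db->prepare("SELECT status FROM sessions WHERE id=? AND username=?");
    $q->execute([$sessionId, $username]);
    if ($q->fetchColumn() !== 'A') {
        return 'booted';            // killed by a later login, or no such session
    }
    $u = $db->prepare("UPDATE last_step_completed SET step_id=? WHERE username=? AND step_id=?");
    $u->execute([$step, $username, $step - 1]);
    return $u->rowCount() === 1 ? 'ok' : 'out of order';
}

// Constructed walk-through of the post's scenario for user "david".
$first = login($db, 'david');
foreach ([1, 2, 3] as $s) {
    echo "first login, step $s: ", completeStep($db, $first, 'david', $s), "\n";
}
$second = login($db, 'david');      // new tab or other browser logs in again
echo "old session id, step 4: ", completeStep($db, $first, 'david', 4), "\n";
foreach ([4, 5, 6] as $s) {
    echo "second login, step $s: ", completeStep($db, $second, 'david', $s), "\n";
}
// First tab's stale "next step" link (same browser, so same PHP session as $second).
echo "stale tab, step 4: ", completeStep($db, $second, 'david', 4), "\n";
```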
