davidannis Posted April 28, 2013

If I am logged in on Tab A and then on Tab B of the same browser, then the above message is shown on Tab B, the current session Tab and not on Tab A session. So the hurdle occurs here. If a way could be achieved to communicate with Tab A from Tab B the problem would have been solved. Both sessions become the same on refresh.

As previously discussed, Session regenerate id won't solve the two tabs issue because a session is assigned to your browser not to each tab in the browser.

A session is assigned to a browser, not a tab. However, if you enforce going in some order then it makes what tab they are in mostly irrelevant. I turned my pseudo code above into sloppy code below. You need to sanitize data, think through page order, clean up old next step data (or put it in the sessions table which already has a cleanup or put it in the user table that I assume you have though my example does not), catch and deal with errors, etc.

For my example, I made pages go in numerical order (0,1,2,3,4,5,6...). I opened a tab, logged in (log in page is zero), went to page 3. I then opened a new tab, logged in. The php forces me to page 4. I went on to page 6 then switched back to the first tab and hit "go to next step". That gives me the message that I'm trying to go in the wrong order (effectively preventing me from using two tabs at once).

Here is the code:

testlogin.php

```php
<?php
session_start();
$link = mysqli_connect("localhost", '***', '*****', 'testdb') or die("Unable to connect!");
if (isset($_POST['username']) && $_POST['username']!=''){// this is someone logging in
    //in the real world we'd check for a valid password here
    // the username goes into the SQL unsanitized here (see "You need to sanitize data" above)
    $query="UPDATE sessions SET status='X' WHERE username='".$_POST['username']."'";//make all other sessions for this user die
    $result=mysqli_query($link, $query);
    $username=$_POST['username'];
    //get the next valid step here.
    $query =" SELECT step_id from last_step_completed where username='$username'";
    $result=mysqli_query($link, $query);
    if (mysqli_num_rows($result)>0){
        $lstep= mysqli_fetch_assoc($result);
        $next_step=$lstep['step_id']+1;
    }else{ // start at step 0
        $next_step=1;// normally we'd look up all the valid steps from the database,
        //here we just say they need to be in numerical order
        $query="INSERT INTO last_step_completed (`username`,`step_id`) VALUES ('$username','0')"; // insert that we completed step 0 into database
        $result=mysqli_query($link, $query);
    }
    // add a record to the database
    $query="INSERT INTO sessions VALUES ('', '$username','A')";
    $result=mysqli_query($link, $query);
    $_SESSION['id']=mysqli_insert_id($link);
    $_SESSION['username']=$_POST['username'];// Now this session is logged in
    echo 'login success';
    echo '<br /><a href="testregularpage.php?step='.$next_step.'">Go to Next Step</a>';
    die();
}
?>
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title></title>
    </head>
    <body>
        <form method="POST" action="testlogin.php">
            <input type="text" name="username" value="david">
            <input type="submit">
        </form>
        <?php
        ?>
    </body>
</html>
```

testregularpage.php

```php
<?php
session_start();
$link = mysqli_connect("localhost", '******', 'obscuredForNoGood Reason', 'testdb') or die("Unable to connect!");
if (isset($_SESSION['username']) && $_SESSION['username']!=''){
    $username=$_SESSION['username'];
    $query="SELECT status FROM sessions WHERE id='".$_SESSION['id']."'";
    $result= mysqli_query($link, $query);
    $sessions= mysqli_fetch_assoc($result);
    if ($sessions['status']=='X'){ // login on another tab/browser marked this session dead
        echo 'you were booted';
        die('too bad');
    }
}else{
    die ('you need to login');
}
//logged in and active
//check if this is the right step
$step=isset($_GET['step']) ? $_GET['step'] : '';//normally the step would be hard coded here based on what the page does
//but I don't want to code multiple pages for the example, so I'm passing the value in
$query =" SELECT step_id from last_step_completed where username='$username'";
$result=mysqli_query($link, $query);
if (mysqli_num_rows($result)>0){
    $lstep= mysqli_fetch_assoc($result);
    $next_step=$lstep['step_id']+1;// normally this would be gotten from a database
}else{
    echo 'error: We lost track of what step you\'re on.';die();
}
if ($step!=$next_step){ // check to make sure we are on the right step
    echo "You are trying to do steps out of order. Sorry ";
    die();
}else echo '<h1>This is step'.$step."</h1>";
// $step comes from the query string and is used unsanitized in this UPDATE
$query="UPDATE last_step_completed SET step_id='$step' WHERE username='$username'";
$result= mysqli_query($link, $query);
?>
<h1>You are logged in</h1>
<p>Go to step <a href="testregularpage.php?step=<?php echo($step+1);?>"><?php echo($step+1);?></a></p>
```
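A hardened form of the step check in testregularpage.php, as an added example that is not part of the post above: it uses prepared statements for the sanitizing the post calls for, and folds the "is this the right step" check into the UPDATE itself so two tabs submitting the same step cannot both succeed. The function names `session_is_active` and `claim_step`, the `DB_USER`/`DB_PASSWORD` placeholders, and an integer `step_id` column are assumptions.

```php
<?php
// Added example, not code from the post; function names are hypothetical.
// Tables as in the post: sessions(id, username, status), last_step_completed(username, step_id).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// True only while this session's row is still marked 'A' (not booted).
function session_is_active(mysqli $link, int $sessionId, string $username): bool
{
    $stmt = $link->prepare(
        "SELECT 1 FROM sessions WHERE id = ? AND username = ? AND status = 'A'"
    );
    $stmt->bind_param('is', $sessionId, $username);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows === 1;
}

// Check-and-advance in ONE statement: the row changes only if the stored
// step is exactly $step - 1, so two tabs submitting the same step cannot
// both pass (the SELECT-then-UPDATE version has that gap).
function claim_step(mysqli $link, string $username, int $step): bool
{
    $previous = $step - 1;
    $stmt = $link->prepare(
        'UPDATE last_step_completed SET step_id = ? WHERE username = ? AND step_id = ?'
    );
    $stmt->bind_param('isi', $step, $username, $previous);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

session_start();
// DB_USER / DB_PASSWORD are placeholders (assumption), not real credentials.
$link = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'testdb');

$username  = $_SESSION['username'] ?? '';
$sessionId = (int) ($_SESSION['id'] ?? 0);
if ($username === '' || !session_is_active($link, $sessionId, $username)) {
    http_response_code(403);
    exit('You need to log in.');
}

$step = filter_input(INPUT_GET, 'step', FILTER_VALIDATE_INT);
if (!is_int($step) || !claim_step($link, $username, $step)) {
    http_response_code(409);
    exit('You are trying to do steps out of order.');
}
echo '<h1>This is step ' . $step . '</h1>';
echo '<p><a href="testregularpage.php?step=' . ($step + 1) . '">Go to next step</a></p>';
```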