
Hey, I am building a project management system and using PHP as the first front-end into the MySQL database where all the information is going to be stored. With the login system I want to make sure that only 1 person can be logged into the system at once with one set of login information (like if someone is logged in as demo, no one else can). The main reason for this is that if someone does hack the password of a user and I allowed people to log in as a user that is already logged in, we would never know about it. My first idea was to have a field in the user table of the database to store it, something called "logged", and when a user logs in set it to 1 and when they log out set it to 0, and then run a check on the status when checking the user on each page. The problem with this method is that I use sessions and don't store the information on the user's computer with cookies, so when they leave the page they automatically get logged out, which creates the problem that if they do not use the logout function of the system the logged field will stay 1 even though they left the page. Can anyone think of a better way of doing this?


You need to store a logged_in flag, along with a timestamp. This timestamp needs to be updated on each request. This keeps track of logged in users.

 

You then simply need to run a cron every 5 minutes or so that checks for timestamps that are too old. You can assume these users are logged out, thus changing the flag.

Only issue with that is this is a project management system developed towards programming projects. I mean someone will log in and then take a look at the issues he needs to do. Once he finds an issue he needs to do he is going to do it, and chances are it is going to take more than 5-10 mins; generally the shortest time I would imagine is 20-30 mins but some may take hours, so having a cron that auto-logs someone out would be a much bigger issue.

 

After thinking for a while, I think the best and only way to do this is to store the information on the user's computer in cookies. What if they need to log in at home to access something but they forgot to log out the proper way; now they can't log back in until they log out from their computer at wherever or someone sets the logged field to zero. I guess for the time being I will have to use cookies until I can think of a better solution. How would I go about setting a cookie that would basically never expire until they log out?

If you combine that with a session you can keep them logged in. Unless you have altered the php.ini setting, the session lifetime should be while the browser is open. So as long as either a session exists or the timestamp is more than now - 5mins then you will be fine.

Of course that also has its disadvantages. I work on an issue and the system sets my logged to 0 because of no response, but my session is still active, so when I refresh the page or something it will set my logged status back to 1 because I have an active session. However, while I was working on my task and the system logged me out, someone could have logged in as me, which would then lock me out of the system. This would basically make the logged field pointless. The only way I think this works is to make sure the users use the logout function.
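
An added example, not part of the original thread: one way to combine the flag-and-timestamp idea with the session ID, so that the slot is claimed atomically and a session that has gone stale cannot mark itself logged in again. The table layout, function names, idle limit and the in-memory SQLite database (standing in for MySQL) are all assumptions; in a real page `$sid` would be `session_id()`.

```php
<?php
// Assumed schema (hypothetical): users(username, active_sid, last_seen).
// SQLite in memory stands in for MySQL so the script runs offline.
const IDLE_LIMIT = 1800; // assumed: seconds without a request before the slot frees up

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, active_sid TEXT, last_seen INTEGER)');
    $db->exec("INSERT INTO users (username) VALUES ('demo')"); // constructed sample user
    return $db;
}

// Call after the password check succeeds. One UPDATE claims the slot only if it is
// empty, stale, or already ours, so two simultaneous logins cannot both win.
function claimLogin(PDO $db, string $user, string $sid, int $now): bool {
    $q = $db->prepare('UPDATE users SET active_sid = ?, last_seen = ?
        WHERE username = ? AND (active_sid IS NULL OR active_sid = ? OR last_seen < ?)');
    $q->execute([$sid, $now, $user, $sid, $now - IDLE_LIMIT]);
    return $q->rowCount() === 1;
}

// Call on every page. Refreshes last_seen only while this session still owns the
// slot and is not stale; false means the caller must go through login again.
function touchSession(PDO $db, string $user, string $sid, int $now): bool {
    $q = $db->prepare('UPDATE users SET last_seen = ?
        WHERE username = ? AND active_sid = ? AND last_seen >= ?');
    $q->execute([$now, $user, $sid, $now - IDLE_LIMIT]);
    return $q->rowCount() === 1;
}

function logout(PDO $db, string $user, string $sid): void {
    $db->prepare('UPDATE users SET active_sid = NULL WHERE username = ? AND active_sid = ?')
       ->execute([$user, $sid]);
}

// Constructed walk-through with a fixed clock value instead of time().
$db = makeDb();
$t  = 1000000;
var_dump(claimLogin($db, 'demo', 'sid-A', $t));                        // first login
var_dump(claimLogin($db, 'demo', 'sid-B', $t + 60));                   // second login while A is active
var_dump(touchSession($db, 'demo', 'sid-A', $t + 120));                // A requests another page
var_dump(claimLogin($db, 'demo', 'sid-B', $t + 121 + IDLE_LIMIT));     // B logs in after A went idle
var_dump(touchSession($db, 'demo', 'sid-A', $t + 122 + IDLE_LIMIT));   // A comes back afterwards
```

On MySQL, open the connection with `PDO::MYSQL_ATTR_FOUND_ROWS => true` so that `rowCount()` counts matched rows; otherwise two requests in the same second leave `last_seen` unchanged and the second one is reported as not logged in.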
