poizn Posted November 5, 2007

Hi all

Sorry if some of you have already seen this, but no one could help me on Friday, so I'm posting my question again, hoping that some fresh eyes will see it and help me out...

I am creating a site that has a session-based login. Pretty simple stuff, but the bosses have asked if we can make it so that only 1 person can log into an account at once (i.e. if someone logs in with a specific account, lock the account and don't let anyone else log in).

I've been fiddling around with sessions and various session variables etc., and the only part that I can't figure out is: if the user logs in and closes the browser window, how do I know that the user has logged out?

Does anyone have any suggestions, clues or help for me? If you would like a more detailed description of how I'm handling my sessions etc., please just ask.

Thanks

btherl Posted November 5, 2007

A simpler way is to have the second login overwrite the first. That is, the first session is disabled if the user logs in again from a second location.

The difficulty with the "locking out" policy is exactly as you mentioned, detecting a closed browser. If your boss insists on locking out second logins, then you might consider a timeout after which a user is considered to be logged out. That may lead to unfortunate situations though, where a user is locked out until their own previous session times out.

redarrow Posted November 5, 2007

Don't know, but what about if the user that logs in is the user that locks the other users from logging in? Add another field called locked, then update the database with a 1, then tell the login select: if 1 is present then don't let anyone else log in...

Don't know, it's a thought...

bache Posted November 5, 2007

You can add a new column in the database, name it `activity` for example. At the top of every page add code which updates that column with the current timestamp. That way, every time the user does something, the column will be updated. When someone wants to log in with the same username, you check the `activity` column and if it doesn't have any activity for, for example, 15 minutes, you let the second user enter.

You can do something similar with the sessions: keep the time of activity in a session variable, check if it had any activity in the last 15 minutes, and destroy it.

I don't understand why you need to have several users log in with one account and not let the others log in; I don't think this is correct.

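Both policies suggested so far (btherl's "second login overwrites the first" and bache's `activity` column with a 15-minute idle limit) fit in one conditional UPDATE, shown here as an added example that is not code from the thread. The `accounts` table, its columns and the function names are assumptions; it runs on SQLite through PDO, and on MySQL the connection needs `PDO::MYSQL_ATTR_FOUND_ROWS` so that `rowCount()` counts matched rows.

```php
<?php
// Added example, not code from the thread. The `accounts` table, its columns
// and the function names are assumptions.
const IDLE_LIMIT = 15 * 60; // seconds without activity before an account is free again

// Claim the account for $sid. Succeeds when the account is free, already ours,
// or idle; with $takeOver the newer login always replaces the older one.
function claim_account(PDO $db, int $userId, string $sid, int $now, bool $takeOver = false): bool
{
    // One conditional UPDATE, so two simultaneous logins cannot both win.
    $cutoff = $takeOver ? $now + 1 : $now - IDLE_LIMIT;
    $st = $db->prepare('UPDATE accounts SET session_id = ?, activity = ?
                        WHERE id = ? AND (session_id IS NULL OR session_id = ? OR activity < ?)');
    $st->execute([$sid, $now, $userId, $sid, $cutoff]);
    return $st->rowCount() === 1;
}

// Run at the top of every page: refresh `activity`, or report that this
// session was replaced or timed out so the caller can log it out.
function touch_session(PDO $db, int $userId, string $sid, int $now): bool
{
    $st = $db->prepare('UPDATE accounts SET activity = ?
                        WHERE id = ? AND session_id = ? AND activity >= ?');
    $st->execute([$now, $userId, $sid, $now - IDLE_LIMIT]);
    return $st->rowCount() === 1;
}

// Explicit logout frees the account at once.
function release_account(PDO $db, int $userId, string $sid): void
{
    $db->prepare('UPDATE accounts SET session_id = NULL WHERE id = ? AND session_id = ?')
       ->execute([$userId, $sid]);
}

// Constructed demo on in-memory SQLite; in the application $sid is session_id().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, session_id TEXT, activity INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO accounts (id) VALUES (1)');
$t = 1194300000; // constructed clock value
var_dump(claim_account($db, 1, 'sess-A', $t));            // first login
var_dump(claim_account($db, 1, 'sess-B', $t + 60));       // second browser, lock-out policy
var_dump(claim_account($db, 1, 'sess-B', $t + 60, true)); // same, overwrite policy
var_dump(touch_session($db, 1, 'sess-A', $t + 90));       // first browser's next page load
var_dump(claim_account($db, 1, 'sess-C', $t + 60 + 901)); // third browser after 15 idle minutes
```
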
redarrow Posted November 5, 2007

I just re-read the post and the boss is going mad lol.

This is silly, just add users that are allowed to do specific jobs on the website and give them the correct permission for their job...

Example:
1 = admin
2 = html designer
3 = mail blaster
4 = user

Also use bache's timestamp idea on all users...

poizn Posted November 5, 2007 Author

The reason that it's handy to not allow more than one person to log on to an account is so that two users don't edit the same data at the same time, or enter the same data at the same time. Some parts of our site allow users to enter rates and various other things like that, so to make sure two employees don't enter the same rates to their pages (have any of you ever worked with people before, especially in a big company, ever had the situation where people don't listen and duplicate work etc...), we're trying to only allow one person to log on at once.

It's not as crazy as people think, I've seen other sites that do similar things...

The best solution that I can come up with is, when a user logs on, store the:

1) session id - session_id()
2) the current time - time()
3) client's remote id - $_SERVER["REMOTE_ADDR"]
4) client's computer name - $_ENV["COMPUTERNAME"]

This way if another user logs in, I'll know that they're not the original user and be able to give them a message that the other user is logged in etc., by using the session id and time (simple).

But if a user closes their browser window and tries to log on again, I'll be able to check and see if it's the same computer, and warn the user that the other session will be destroyed.

This still doesn't solve the problem of somebody closing their browser and then other people not being able to log in (until the time expires). So maybe a higher user could then log that person out.

I hope that made sense, and I hope it helps someone out.

Cheers

redarrow Posted November 5, 2007

That doesn't solve anything. If all users are on a LAN within the same office, all their details will be the same...

redarrow Posted November 5, 2007

The only way to solve your problem, if there's going to be one logon account and all users get the username and password, is to set a timestamp and an activity database field to tell the current logged-in user that there's someone using the website as an admin. Sorry, that's it...

You know as a programmer that an account needs to belong to the person that owns that account, or have multiple accounts doing different things. I believe the boss is driving you mad with this request. You need to explain to the boss: you give him the account name and password; if he chooses to give these details to his employees then it's up to him, but it's not recommended...

If the boss lets other users have an account, there's no way that their account should be able to re-edit anything that the main boss has set or configured. That's why we all go and use multiple accounts, to let others only change what needs to be changed and doesn't affect the main boss's configurations...

redarrow Posted November 5, 2007

Having a boss that lets all users change all website details ends up as a money waster and could end up destroying the complete business. Sorry, my point of view...

You might think that you've seen one account with many users using the same config on big-name websites, but be assured they definitely have not got the same rights or access as the rightful owner... They can change nearly everything, but not the highly set configurations that the owner has set...

Trust me... Bill Gates doesn't let Tom or Paul play with his money transactions, but Tom or Paul can do anything else...

HAN! Posted November 5, 2007

All you people here seem to know how to work with PHP sessions and login pages, so I have this question: I have a login page, and I want the user, a certain time (which I specify) after he logs in, to be logged out automatically. I need to know how to time out and log out a logged-in user.

Thanks for any help.

poizn Posted November 5, 2007 Author

To answer HAN's question:

```php
define("SESSION_TIMEOUT_MINS", 5);

// Run this before session_start().
$session_path = ini_get("session.save_path");
// save_path may be "N;MODE;/path"; keep only the part after the last ";"
if (($pos = strrpos($session_path, ";")) !== FALSE)
    $session_path = substr($session_path, $pos + 1);
$session_path .= "/{your app name or what ever folder you want to put it in}";
// Session files are credentials: keep the directory private to the PHP user
if (!file_exists($session_path))
    mkdir($session_path, 0700);
ini_set("session.save_path", $session_path);
ini_set("session.gc_probability", 100); // with the default gc_divisor of 100, GC runs on every session start
ini_set("session.gc_maxlifetime", (SESSION_TIMEOUT_MINS * 60)); // seconds
ini_set("session.cookie_lifetime", 0); // cookie lasts until the browser closes
ini_set("session.cache_limiter", "nocache");
ini_set("session.cache_limiter", "private"); // overrides the line above; the last value wins
ini_set("session.cache_expire", SESSION_TIMEOUT_MINS); // minutes
```

This should destroy the session after 5 minutes of inactivity.

Or every time there is some activity on one of your scripts (you could have some code to write the current time, in the same place as your session start), you could store the time and check it against the current time. I.e. when the guy logs in, get the current time, and every time you open a page (and start the session) get the old stored time and check that it isn't more than 5 minutes ago (or however long your timeout is). If it isn't, store the new time, but if it is, destroy the session.

Thanks for your help redarrow, and thanks for your points of view. I agree with what you have to say, but I don't think you fully understand what our site does, what the logins are for etc. I agree with your point:

"Having a boss that lets all users change all website details ends up as a money waster and could end up destroying the complete business. Sorry, my point of view..."

But only in certain situations, our situation not being one of them.

Let me explain the way our site works (maybe you will get a better feel for what I'm trying to do). Our site is similar to MySpace, where a user / company can create a login and create their own mini page on our site. There's plenty more to the site than that, but I can't really give that info away. In the case of a company, one person may have some details while another may have some other details needed by our site, so giving more than one person in the client company the user name and password may very well happen (we're not going to do this, this will be managed by the client). (I hope this helps you understand.)

So the reason we want to stop two people from logging into the same account is to stop Dave from HR, who has to enter the address of the company. He sees that the phone number is not yet filled in (but Steve has been assigned to do this, and is trying to log in at the same time) and so tries to fill it in, while Steve is doing it at the same time.

Like you said, storing the client IP won't solve my problem because many people on one LAN will have the same IP, but they shouldn't have the same computer name. I think two PCs on a LAN can have the same name, but it's the closest thing I've got to being unique (and in most cases, most PCs on the same network have a different computer name).

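The second approach in the post above (store the time of the last request and compare it on the next one) as an added example that is not poizn's code: the check runs on every request, so it does not depend on when PHP's session garbage collection removes the data. The `last_activity` key, the function names and `login.php` are assumptions.

```php
<?php
// Added example, not code from the thread. The 'last_activity' key, the
// function names and login.php are assumptions.
const SESSION_TIMEOUT_SECS = 5 * 60;

// Returns true if the session may continue, false if it sat idle too long.
function idle_check(array &$session, int $now): bool
{
    $last = $session['last_activity'] ?? null;
    if ($last !== null && $now - $last > SESSION_TIMEOUT_SECS) {
        $session = [];                 // drop the login state immediately
        return false;
    }
    $session['last_activity'] = $now;  // first request or still active: store the new time
    return true;
}

// Call at the top of every protected page in place of a bare session_start().
function start_session_or_logout(): void
{
    session_start();
    if (idle_check($_SESSION, time())) {
        return;
    }
    // Expire the session cookie as well, then remove the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php');
    exit;
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$s = ['user' => 'dave'];
var_dump(idle_check($s, 1000)); // login
var_dump(idle_check($s, 1200)); // page view 200 seconds later
var_dump(idle_check($s, 1600)); // page view 400 seconds after that
var_dump($s);                   // session contents after the last check
```
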
btherl Posted November 6, 2007

Aha, I understand now why you want to lock users out.

Locking out users altogether seems primitive to me. This exact problem has been studied for decades in the database realm and in concurrent software development, and many other solutions have been devised.

One approach (practiced by MySQL's default MyISAM table structure) is to have more fine-grained locking. For example, if one person is editing company details, then no one else will be allowed to edit company details until that person is finished. This allows multiple logins but prevents multiple updates of the same old data.

You can make the locking even more fine-grained if you want, by having a lock on only one particular data element. For example, Dave can edit details for ABC Pty Ltd, while Steve edits DEF Pty Ltd. But if Steve tried to edit ABC Pty Ltd, he would be informed that it is already being edited. This will also have to be combined with timeouts and a "lock breaking" mechanism, but will result in much less inconvenience (and much more implementation effort).

The other approaches, such as the conflict resolution method used in CVS and the MVCC model from Postgres, are probably not appropriate. Finer-grained locking feels like the right solution here.

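The per-record lock btherl describes, with the timeout and "lock breaking" parts included, as an added example that is not code from the thread. The `edit_locks` table and the function names are assumptions; it runs on SQLite through PDO, and on MySQL the connection needs `PDO::MYSQL_ATTR_FOUND_ROWS` so that `rowCount()` counts matched rows.

```php
<?php
// Added example, not code from the thread. Table, column and function names are assumptions.
const LOCK_TTL = 300; // seconds an edit lock lasts unless renewed

function acquire_lock(PDO $db, string $resource, string $owner, int $now): bool
{
    // Renew our own lock or take over an expired one in a single atomic statement.
    $st = $db->prepare('UPDATE edit_locks SET owner = ?, expires = ?
                        WHERE resource = ? AND (owner = ? OR expires <= ?)');
    $st->execute([$owner, $now + LOCK_TTL, $resource, $owner, $now]);
    if ($st->rowCount() === 1) {
        return true;
    }
    try {
        // No lock row yet, or someone else holds it: the primary key decides.
        $db->prepare('INSERT INTO edit_locks (resource, owner, expires) VALUES (?, ?, ?)')
           ->execute([$resource, $owner, $now + LOCK_TTL]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() != '23000') { throw $e; } // only a key conflict means "locked"
        return false;
    }
}

// Check again when saving: a lock that expired mid-edit may belong to someone else now.
function holds_lock(PDO $db, string $resource, string $owner, int $now): bool
{
    $st = $db->prepare('SELECT 1 FROM edit_locks WHERE resource = ? AND owner = ? AND expires > ?');
    $st->execute([$resource, $owner, $now]);
    return $st->fetchColumn() !== false;
}

// "Lock breaking" for an administrator when an editor walked away.
function break_lock(PDO $db, string $resource): void
{
    $db->prepare('DELETE FROM edit_locks WHERE resource = ?')->execute([$resource]);
}

// Constructed demo on in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE edit_locks (resource TEXT PRIMARY KEY, owner TEXT NOT NULL, expires INTEGER NOT NULL)');
$t = 1194300000; // constructed clock value
var_dump(acquire_lock($db, 'company:ABC', 'dave', $t));        // Dave starts editing ABC Pty Ltd
var_dump(acquire_lock($db, 'company:DEF', 'steve', $t));       // Steve edits a different company
var_dump(acquire_lock($db, 'company:ABC', 'steve', $t + 10));  // Steve tries ABC while Dave holds it
var_dump(holds_lock($db, 'company:ABC', 'dave', $t + 400));    // Dave saves after his lock expired
var_dump(acquire_lock($db, 'company:ABC', 'steve', $t + 400)); // Steve retries after the expiry
break_lock($db, 'company:ABC');                                // an administrator clears the lock
```
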
poizn Posted November 6, 2007 Author

Awesome, I'm glad you understand.

Thanks for your suggestions, I'll keep them in mind. Probably not going to implement that right now, but it's something I could do in the future.

Thanks very much