CodeIgniter Forums
Do not regenerate session_id - Printable Version


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]Agustín Villalba[/eluser]
Hello!
I'm developing an application which needs to check if a user has been logged in from 2 different navigators/computers and avoid it. For that, I need to check the session_id of the user, but CI changes the session_id every 5 minutes, so I don't know if the user has 2 sessions in the application or it's only the regenerated session_id of CI.
How can I make this? If I have to prevent the regeneration of session_id in CI, how can I avoid that?
Thank you very much.


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]WanWizard[/eluser]
The session_id is an internal key, and should not be used for this purpose. Regeneration is key in preventing session hijacking, and should NOT be disabled.

If you need this functionality, either store the ID you want to check in the userdata in such a way that you can query it reliably via a regex, or add an extra field to the session table that you can query.
I use the same technique to list who is currently logged in, and when they last had an interaction with the application (for which I also added a last_update field).


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]dunicorn[/eluser]
What I do is to have a field in my database called "session_active". If the field is 1 ... then logging in is not allowed ... else allowed .. so you cannot login from different computers at the same time ...


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]WanWizard[/eluser]
How do you toggle this field? I can assume that you set it to 1 when a user logs in, but when will it be reset to 0?


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]dunicorn[/eluser]
When you log out ....


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]Agustín Villalba[/eluser]
Yes! WanWizard is right! How do you reset that field to 0 if, for example, the user closes the browser??


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]dunicorn[/eluser]
"MySession" Model takes care of it such that after some minutes of inactivity .... resets the field and logs you out.


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]Agustín Villalba[/eluser]
dunicorn, could you explain to me what the MySession model is? Or where can I find information about it? Thank you very much!


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]dunicorn[/eluser]
MySession Model is my own self-made model that does my session management for me without stress .... I will place it on my blog soon. Check it out later.


Do not regenerate session_id - El Forum - 09-17-2010

[eluser]gyo[/eluser]
IMO it's not hyper complicated: you should have the "session_active" and the "last_update" fields.
If the "session_active" is "1" and the "last_update" is older than the maximum allowed, then the "session_active" is reset to "0".

It's more or less the same concept as the "who's online" feature.
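
The approach described in the replies above (a "session_active" flag plus a "last_update" timestamp, tracked separately from the regenerating session_id), as an added example that is not part of the original thread or of CodeIgniter's session library. The `users` columns, the `login_token` field, the function names and the 900-second idle limit are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and names, not CodeIgniter's session library.
const MAX_IDLE = 900; // assumed idle limit in seconds before a login counts as stale

function claim_login(PDO $db, int $userId, int $now): ?string
{
    $token = bin2hex(random_bytes(16)); // kept in session userdata, independent of session_id
    $stmt = $db->prepare(
        'UPDATE users SET session_active = 1, login_token = ?, last_update = ?
          WHERE id = ? AND (session_active = 0 OR last_update < ?)'
    );
    $stmt->execute([$token, $now, $userId, $now - MAX_IDLE]);
    return $stmt->rowCount() === 1 ? $token : null; // null: another login is still live
}

function touch_login(PDO $db, int $userId, string $token, int $now): bool
{
    $stmt = $db->prepare(
        'UPDATE users SET last_update = ?
          WHERE id = ? AND session_active = 1 AND login_token = ? AND last_update >= ?'
    );
    $stmt->execute([$now, $userId, $token, $now - MAX_IDLE]);
    return $stmt->rowCount() === 1; // false: timed out or superseded, end this session
}

function release_login(PDO $db, int $userId, string $token): void
{
    $db->prepare('UPDATE users SET session_active = 0, login_token = NULL
                   WHERE id = ? AND login_token = ?')->execute([$userId, $token]);
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_active INTEGER NOT NULL DEFAULT 0,
           login_token TEXT, last_update INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$t0 = 1000000;
$a = claim_login($db, 1, $t0);                      // browser A logs in
$b = claim_login($db, 1, $t0 + 60);                 // browser B tries while A is active
$aAlive = touch_login($db, 1, $a, $t0 + 300);       // A's request after a session_id regeneration
$c = claim_login($db, 1, $t0 + 300 + MAX_IDLE + 1); // A closed the browser without logging out
$aLate = touch_login($db, 1, $a, $t0 + 300 + MAX_IDLE + 2);
var_dump($a !== null, $b, $aAlive, $c !== null, $aLate);
release_login($db, 1, $c);
```

The single conditional `UPDATE` makes the check and the claim one atomic step, so two simultaneous logins cannot both succeed. On MySQL, set `PDO::MYSQL_ATTR_FOUND_ROWS` so that `rowCount()` reports matched rows even when `last_update` is unchanged within the same second.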