Session persistence problems
#11

[eluser]fchristant[/eluser]
Another possibility is that your page load leads to immediate other page loads that pass by CI session management, for example in the case of Ajax calls that are handled by CI. In this case, the Ajax request will look for a session ID, but because the main request is not done generating one, it will create a new one.

There is an IS_AJAX fix for this on this forum, just search for that term.
#12

[eluser]sherwoodforest[/eluser]
That sounds more like what I am doing. I am reading data from a file, using flash data to keep track of where the previous page left off, since the last page may only process one record and forwards to the next page.
Thank you
#13

[eluser]sojic[/eluser]
Any hint on how to handle multiple logins?

By default one user can log in at the same time from more than one browser/computer. How can I make it so that if somebody logs in from another browser/computer, the previous one is logged out?
#14

[eluser]WanWizard[/eluser]
Very difficult to achieve, since you're working in a stateless environment.

Some have modified the session library to include a userid field in the session table. Others use a regex to check a session with specific information in the session's userdata.
But that still doesn't give you any clue to what the user's actual state is. If your session expiry is set to 2 hours, and I close the browser on my PC, walk to another PC, and try to logon, my previous session is still valid (and has me as logged in), but for me I'm not logged in anywhere. It's very confusing for users.

Unless you have a very specific reason to want this, why bother how many times someone is logged in?
You have to deal with concurrency anyway. I can also open a second window in my current browser, so I have access via two windows. Why should that be any different from me accessing the site via both FF and IE from the same PC at the same time?
#15

[eluser]sojic[/eluser]
Security reasons. For "closed" systems, I do not want somebody to have access to my account.
#16

[eluser]WanWizard[/eluser]
I don't see why your suggestion would solve that.

If I can access your account, it means I have your password. Which is a very bad thing in itself.

Then, when I login and you are logged in too, the system will kick you out, and I can still do my thing. If you're not logged in, you are none the wiser. So what did you accomplish?
#17

[eluser]fchristant[/eluser]
@sojic. It seems you want an exclusive login lock system. If you're using server-side sessions, i.e. db sessions, it is possible by overruling the Session class of CI. As @WanWizard said, you will have to include a login id in the session table and check for it during session creation. If a session with the same login id from another IP exists in the table, you kill it and create another one. That should log out the older session of the same user on another device.

I would recommend against such a construction though. On the web this is a highly uncommon practice, against expectations of users. Plus, it requires tons of patches to the CI Session library. To make matters worse, all of this effort will make your application not one bit more secure.
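As an added illustration of the mechanism fchristant describes (this is example code, not CodeIgniter's Session library or anything posted in the thread): a sessions table carrying an extra user_id column, a login-time step that revokes the user's other sessions, and a per-request check that treats a revoked session as logged out. It assumes a table named ci_sessions and uses an in-memory SQLite database through PDO so it runs stand-alone.

```php
<?php
// Constructed stand-alone setup: in-memory SQLite standing in for the CI session table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ci_sessions (
    session_id    TEXT PRIMARY KEY,
    user_id       INTEGER,
    ip_address    TEXT,
    last_activity INTEGER
)');

// Called after a successful password check: bind the fresh session to the user and
// delete every other session row this user owns from a different address (the rule
// the post describes). Returns the revoked ids so the caller can write them to the
// audit trail WanWizard mentions.
function bind_user_to_session(PDO $db, string $sessionId, int $userId, string $ip): array
{
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT session_id FROM ci_sessions
                          WHERE user_id = ? AND session_id <> ? AND ip_address <> ?');
    $stmt->execute([$userId, $sessionId, $ip]);
    $revoked = $stmt->fetchAll(PDO::FETCH_COLUMN);
    if ($revoked) {
        $marks = implode(',', array_fill(0, count($revoked), '?'));
        $db->prepare("DELETE FROM ci_sessions WHERE session_id IN ($marks)")->execute($revoked);
    }
    $db->prepare('INSERT OR REPLACE INTO ci_sessions
                  (session_id, user_id, ip_address, last_activity) VALUES (?, ?, ?, ?)')
       ->execute([$sessionId, $userId, $ip, time()]);
    $db->commit();
    return $revoked;
}

// Per-request check: a session whose row is gone was revoked by a later login, so the
// request is treated as unauthenticated. This is what actually logs out the older browser.
function session_is_live(PDO $db, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM ci_sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    return (bool) $stmt->fetchColumn();
}

// Constructed scenario: user 42 logs in from a laptop, then from a desktop elsewhere.
bind_user_to_session($db, 'sess-laptop', 42, '10.0.0.5');
$revoked = bind_user_to_session($db, 'sess-desktop', 42, '10.0.0.9');
printf("revoked: %s\n", implode(',', $revoked));
printf("laptop live: %s, desktop live: %s\n",
    var_export(session_is_live($db, 'sess-laptop'), true),
    var_export(session_is_live($db, 'sess-desktop'), true));
```

The "different IP" condition is only as good as the address: two devices behind one NAT share it, so a deployment that relies on this rule should decide deliberately whether same-address logins count as the same device.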
#18

[eluser]CharleyW[/eluser]
Obviously you guys are not auditors.
#19

[eluser]WanWizard[/eluser]
As it so happens, I have certification in the auditor arena, and have as one of my projects the security of an access control management and IDM system for a central government.

Related to this subject, it is important to have an audit trail of which user did what, an audit trail of every action related to user and rights management, and proof that you have a secure login system.
It doesn't say anywhere that an account can't be logged in twice at any given moment.

My point is that if you fear misuse of the account (which is @sojic's statement), you fail to prove that you have a secure login system. If this is absolutely paramount for your application, you need to use strong authentication, and a lot more security measures at the backend, so that for example it can be proven that file and database data is secure. Also, you need to protect your audit logs from tampering, so you need to write them to another system, in a signed log. And I would like to have the application checked by a specialized company for security issues at the application layer. And a re-check whenever the code changes.

Proving that you're secure isn't easy, and isn't cheap.