Do not regenerate session_id

#11
[eluser]Agustín Villalba[/eluser]
Ok gyo. But my question is the following: how do you reset the field "session_active" to 0 if the user just closes the browser (without clicking on "log out" or "close session" or something like that)? Because if that is the situation, and the user tries to re-enter the system before the maximum inactivity time has expired, the system "thinks" that the user is still in session, so he will not be able to log in, because the field "session_active" wasn't reset to 0.
That's what I understand but if you have a solution for that I will appreciate it a lot!!
Thank you very much!

#12
[eluser]gyo[/eluser]
Ok, maybe this is better...

Every time a user logs in you add a record in the "active_sessions" table (session_id, user_id, last_update), but first delete all the other records with the same user_id.

To keep an active user, you check if the "active_sessions" has a record with the current user's session_id.

If there was another user logged in, he will be logged out, since on the next page load the session will not be found in the "active_sessions" table anymore.

Think of it like: the new enters, the old is kicked.

Hope this helps!

#13
[eluser]Agustín Villalba[/eluser]
Hey gyo! That solution is a great solution... but that's not exactly good for my problem, because I need that when a user enters my application, his username and pass have to be locked. So, if another person tries to log in with that username and password, the system must say "Hey, there's another guy in the system with this username right now".
So, your solution is great, but I can't allow a user to eject another user who is logged in right now. I need to lock a username if someone logs in with it and not allow another person to use it to enter the system.
Anyway, thanks a lot to everyone who has tried to find a solution to this problem in this topic. Thanks to everyone!

#14
[eluser]gyo[/eluser]
Alright, if you don't want the logged-in user to be ejected, just do this:

Every time a user logs in, you check if there's another record with the same user_id.
If a record is there, and it's not expired, it means that another user is currently logged in, and the request is denied.

The story gets complicated because you want that if the logged in user closes the browser, the user account becomes available again.
You don't know when the user closed the browser, thus you can't free the account in that case.

So basically the new user should wait for the old to expire, before he can access the system.

Actually there are ways to "detect" the browser close, like JavaScript or the PHP connection_aborted(), but they will never give accurate results to rely on.
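
The lock-until-expiry scheme from post #14, as an added example that is not part of the original thread. The table and column names follow the thread; the function names, the 300-second timeout, the constructed clock values and the in-memory SQLite database (via PDO, standing in for the application's database) are assumptions.

```php
<?php
// Added example: table/column names follow the thread; function names,
// the TTL and the SQLite in-memory database are assumptions.
const SESSION_TTL = 300; // seconds of inactivity before the lock expires

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // user_id is the primary key, so the database enforces one session per account.
    $db->exec('CREATE TABLE active_sessions (user_id INTEGER PRIMARY KEY,
        session_id TEXT NOT NULL, last_update INTEGER NOT NULL)');
    return $db;
}

function try_login(PDO $db, int $userId, string $sessionId, int $now): bool {
    // Free the account only if its holder has been idle longer than the TTL.
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ? AND last_update < ?')
       ->execute([$userId, $now - SESSION_TTL]);
    try {
        // The INSERT itself is the check: it fails while a non-expired row
        // exists, so two simultaneous logins cannot both pass a separate SELECT.
        $db->prepare('INSERT INTO active_sessions (user_id, session_id, last_update)
            VALUES (?, ?, ?)')->execute([$userId, $sessionId, $now]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { return false; } // account locked
        throw $e;
    }
}

function keep_alive(PDO $db, int $userId, string $sessionId, int $now): bool {
    // Called on every page load: refresh the lock only for the session that holds it.
    $stmt = $db->prepare('UPDATE active_sessions SET last_update = ?
        WHERE user_id = ? AND session_id = ? AND last_update >= ?');
    $stmt->execute([$now, $userId, $sessionId, $now - SESSION_TTL]);
    return $stmt->rowCount() === 1;
}

$db = open_db();
$t = 1000; // constructed clock, in seconds
var_dump(try_login($db, 7, 'sess-A', $t));        // first login for user 7
var_dump(try_login($db, 7, 'sess-B', $t + 60));   // second login while sess-A is fresh
var_dump(keep_alive($db, 7, 'sess-A', $t + 120)); // page load by sess-A
// Browser closed without logout: no further keep_alive calls arrive.
var_dump(try_login($db, 7, 'sess-B', $t + 200));  // sess-A idle for 80 s
var_dump(try_login($db, 7, 'sess-B', $t + 421));  // sess-A idle for 301 s
var_dump(keep_alive($db, 7, 'sess-A', $t + 430)); // stale session returns
```

An explicit logout only needs to delete the row matching both user_id and session_id; the timeout remains the only way the lock is released after a closed browser.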

#15
[eluser]Agustín Villalba[/eluser]
Ok gyo! thank you very much! That was my conclusion, but I wanted to ask people with more experience than me. I was thinking of this problem during many days, and for my problem exactly there's no solution (yet). So, our final decision was if we can't do it just as we need, it's better to do nothing.
Thank you very much gyo!!

