Do not regenerate session_id

#1
[eluser]Agustín Villalba[/eluser]
Hello!
I'm developing an application which needs to check if a user has been logged in from 2 different browsers/computers and avoid it. For that, I need to check the session_id of the user, but CI changes the session_id every 5 minutes, so I don't know if the user has 2 sessions in the application or if it's only the regenerated session_id of CI.
How can I do this? If I have to prevent the regeneration of session_id in CI, how can I avoid that?
Thank you very much.

#2
[eluser]WanWizard[/eluser]
The session_id is an internal key, and should not be used for this purpose. Regeneration is key in preventing session hijacking, and should NOT be disabled.

If you need this functionality, either store the ID you want to check in the userdata in such a way that you can query it reliably via a regex, or add an extra field to the session table that you can query.
I use the same technique to list who is currently logged in, and when they last had an interaction with the application (for which I also added a last_update field).

#3
[eluser]dunicorn[/eluser]
what I do is to have a field in my database called "session_active". If the field is 1 ... then logging in is not allowed ... else allowed .. so you cannot login from different computers at the same time ...

#4
[eluser]WanWizard[/eluser]
How do you toggle this field? I can assume that you set it to 1 when a user logs in, but when will it be reset to 0?

#5
[eluser]dunicorn[/eluser]
when you log out ....

#6
[eluser]Agustín Villalba[/eluser]
Yes! WanWizard is right! How do you reset that field to 0 if, for example, the user closes the browser??

#7
[eluser]dunicorn[/eluser]
"MySession" Model takes care of it such that after some minutes of inactivity .... resets the field and logs you out.

#8
[eluser]Agustín Villalba[/eluser]
dunicorn, could you explain to me what the MySession model is? Or where can I find information about it? Thank you very much!

#9
[eluser]dunicorn[/eluser]
MySession Model is my own self-made model that does my session management for me without stress .... I will place it on my blog soon. Check it out later.

#10
[eluser]gyo[/eluser]
IMO it's not hyper complicated: you should have the "session_active" and the "last_update" fields.
If the "session_active" is "1" and the "last_update" is older than the maximum allowed, then the "session_active" is reset to "0".

It's more or less the same concept as the "who's online" feature.
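The scheme WanWizard (#2) and gyo (#10) describe, as an added example that is not code from this thread or from CodeIgniter: the user's own row carries a "session_active" flag and a "last_update" timestamp, so the CI session_id is never relied on and regeneration stays enabled. The example uses sqlite3 in memory in place of the CI database class, a constructed "users" table, and an assumed idle limit MAX_IDLE of 10 minutes (the thread fixes no value). Login is a single conditional UPDATE that claims the slot only if no session is active or the active one has gone idle, which covers the closed-browser case without waiting for the sweep and stops two simultaneous logins from both succeeding.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed idle limit; the thread does not say how long "the maximum allowed" is.
MAX_IDLE = timedelta(minutes=10)


def make_db():
    """Constructed sample schema: one row per account with the two fields from the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               username       TEXT PRIMARY KEY,
               session_active INTEGER NOT NULL DEFAULT 0,
               last_update    TEXT)"""
    )
    db.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    db.commit()
    return db


def login(db, username, now):
    """Claim the single session slot. Returns True if the login is allowed.

    One UPDATE does the check and the claim together, so a second browser
    (or a concurrent login) gets rowcount 0 and is refused. A slot whose
    last_update is older than MAX_IDLE is treated as abandoned: the user
    closed the browser without logging out, so a fresh login may take it.
    Timestamps are ISO-8601 strings, which compare correctly as text.
    """
    cutoff = (now - MAX_IDLE).isoformat()
    cur = db.execute(
        """UPDATE users SET session_active = 1, last_update = ?
           WHERE username = ?
             AND (session_active = 0 OR last_update IS NULL OR last_update < ?)""",
        (now.isoformat(), username, cutoff),
    )
    db.commit()
    return cur.rowcount == 1


def touch(db, username, now):
    """Call on every authenticated request so last_update reflects the last interaction."""
    db.execute(
        "UPDATE users SET last_update = ? WHERE username = ? AND session_active = 1",
        (now.isoformat(), username),
    )
    db.commit()


def logout(db, username):
    """Explicit logout releases the slot immediately."""
    db.execute("UPDATE users SET session_active = 0 WHERE username = ?", (username,))
    db.commit()


def expire_stale(db, now):
    """gyo's sweep (run from a cron or on each request): clear session_active where
    last_update is older than MAX_IDLE. Returns how many sessions were expired."""
    cutoff = (now - MAX_IDLE).isoformat()
    cur = db.execute(
        "UPDATE users SET session_active = 0 WHERE session_active = 1 AND last_update < ?",
        (cutoff,),
    )
    db.commit()
    return cur.rowcount


def who_is_online(db, now):
    """WanWizard's 'who is currently logged in' listing: active rows with a recent last_update."""
    cutoff = (now - MAX_IDLE).isoformat()
    rows = db.execute(
        "SELECT username FROM users WHERE session_active = 1 AND last_update >= ? ORDER BY username",
        (cutoff,),
    )
    return [r[0] for r in rows]


def demo():
    """Walk through the cases raised in the thread with constructed timestamps."""
    db = make_db()
    t0 = datetime(2021, 1, 1, 12, 0, 0)
    first = login(db, "alice", t0)                           # first browser: allowed
    second = login(db, "alice", t0 + timedelta(minutes=1))   # second browser: refused
    touch(db, "alice", t0 + timedelta(minutes=5))            # alice keeps working
    online = who_is_online(db, t0 + timedelta(minutes=6))    # ['alice']
    # alice closes the browser without logging out; once MAX_IDLE has passed
    # since her last interaction a new login is accepted without any sweep.
    third = login(db, "alice", t0 + timedelta(minutes=16))
    login(db, "bob", t0 + timedelta(minutes=16))
    expired = expire_stale(db, t0 + timedelta(minutes=30))   # both idle: 2 rows reset
    return first, second, online, third, expired


if __name__ == "__main__":
    print(demo())
```

In a CodeIgniter controller the same three queries would sit in a model called from the login action, from a post-controller hook (touch) and from the logout action; the idle limit should be no shorter than the CI session expiration, otherwise a still-valid CI session can be locked out of its own slot.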

