I'm in a hurry. Auth cookie is shared between browser instances and customer complains. Tried RA-Session but it fails!!!

#1
[eluser]gon[/eluser]
Hi all,

We've got a nearly finished app (a quite complex one I must say).
For authenticating users I've prepared a custom Auth library, based on cookies (using NG-Session from the wiki).

The customer says he doesn't like that 2 users can't be logged in at the same time, with the same browser on the same computer. If a user logs in and another is already logged in, the latter will see the other user's data when refreshing.

Am I doing something bad or is this a common problem when using cookies?

And I've tried RA-Session, which uses PHP sessions, but I always get an error message saying that headers have been sent.
I've double checked nothing is sent before loading the class and that there are no blank lines at the end of my files.

Any help will be much appreciated (solving the cookie problem or with RA-Session).

Cheers

#2
[eluser]bugboy[/eluser]
So two users using the same computer at the same time logged in twice with two separate users?

I've never heard of that and wouldn't that be even more of a security risk to allow such a thing?

The way I see it, one computer, one user at a time. User logs out and allows for new user.

I prob have misread all you said so sorry if that makes no sense?

#3
[eluser]Pascal Kriete[/eluser]
[quote author="gon" date="1207929603"]
The customer says he doesn't like that 2 users can't be logged in at the same time, with the same browser on the same computer. If a user logs in and another is already logged in, the latter will see the other user's data when refreshing.

Am I doing something bad or is this a common problem when using cookies?
[/quote]

I don't know about other browsers, but Firefox shares sessions across tabs and instances regardless of what type of session (cookies and native). I'm also curious as to when you would ever encounter that case. How do you have two people using the same computer/browser at one time?
Quote: Would you hurry up, I need the mouse.

#4
[eluser]gon[/eluser]
Thanks for the answers.

Yep, it's stupid that somebody would do that, but the customer says yes. A pal could let another one use his computer for getting into the page, the user wouldn't press logout, and the first one would see the other's data.
For me it's just stupid, but he complains, so I need arguments.

So you say that even if I use native sessions, it will keep doing the same.
Maybe I prefer that, so I won't try to change it.

Well, if somebody does things differently, info would be greatly appreciated.

#5
[eluser]Vince Stross[/eluser]
The only thing you could do is open the site in separate browser programs. Again, this is really a stupid user request.

Ask the user what color the database should be...

At any rate, you could open the site in Firefox, then IE, then Opera, then Safari, etc.. and you could have a separate session on the same box that way. People could still see another person's data but the argument for the customer there is:

"How could you expect the computer to be able to know who is sitting in the chair?" Ask them if they want to invest in some sort of artificial intelligence or extraneous device that monitors the user's DNA and knows who is sitting in the chair or holding the mouse.

Have fun! (I love customers...)

#6
[eluser]Pascal Kriete[/eluser]
There's a really easy solution to this. You put a nice big banner at the top that says "Remember to log the f*** out!".

@beyondCiv: for best results databases should always be pink

#7
[eluser]xwero[/eluser]
A possible scenario will be one person is on the site and a friend is with him/her and the friend needs access to his/her profile so they change places.
The problem with this scenario and your client's request is that the first person will not be able to change things with his profile.

If the user is so careless as to not log off and leaves the browser open on a public computer it's his responsibility. If people write their pin code on their bankcard and it gets lost the banks are not liable.

#8
[eluser]Rick Jolly[/eluser]
Ok, no one has said it but you can use two sessions with IE using 2 windows on the same computer using native sessions (where the session cookie is kept in memory and expires when the browser closes). Note that IE will share the same session in different tabs of the same window though.

This is a browser limitation/feature though. Your client just needs to be educated that it is beyond your control.

#9
[eluser]gon[/eluser]
Thanks Rick,

Having done some tests with other websites I suspected that, and that's why I was trying to use RA-Session.
But the gain is small (does anyone use IE nowadays :-) ), and the effort is quite big.

So I'll probably leave things as they are.

Regards.

