

Prevent multiple logins using session id

#1 ramush, 06-30-08, 02:40 PM

I would like to prevent multiple logins to my system using the same account simultaneously from different machines. I found a solution posted in this forum 3 years ago but I still have questions.

Reference: http://www.webmasterworld.com/php/3055206.htm
One way to do this would be to save the session id in the db.
So, user comes to your site and is assigned a session id.
If they log in successfully then save the session id (which is the value stored in the session cookie) in the db in the users table.
For every page they request check that their session id matches the one in the users table.
If it doesn't, present another log in screen (and a link to the change password dialog).
If they log in successfully then save the new session id in the db.

1. What is the database structure? Where do I save the session id?
2. How do I compare the session id for every page request?
3. How do I know they logged out if they did not click the logout button?

#2 Kelvin, 06-30-08, 03:52 PM
Hi Ramush

1) for that particular code the table would probably be something like

Code:
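CREATE TABLE `sessions` (
`user_id` INT( 11 ) NOT NULL , -- id of the row in the users table
`session_id` VARCHAR( 32 ) NOT NULL , -- value returned by session_id()
`created` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP -- last activity time, refreshed on each page request
) ENGINE = MYISAM ;

The user_id is presumably the Id from the users table, and the session id is just the session hash.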

2) You can see the person is obtaining this by calling session_id().

3) You won't know when a person has logged out, so each time the person accesses a page you would need to update the "created" field. Then use a cron to clear records that have not been updated for X minutes (perhaps 20 mins?).

I'd personally do this another way. That person says he has pasted that code into the top of each webpage, which is a pretty bad idea: to change the code he needs to edit every page again. Instead you should put it into a separate file (e.g. check_login.php) and then pull this into the webpages you want to secure using the require() or include() functions.
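
The approach described in the reply above (store the session id per user, compare it on every request, refresh the activity time, purge idle rows from cron), sketched as one include file. This is an added example, not code from the thread or the referenced post; the function names, the PDO connection `$db` and the `login.php` redirect target are assumptions.

```php
<?php
// check_session.php: added example, not code from the thread.
// Assumptions: $db is a PDO connection to MySQL, the `sessions` table above,
// session_start() already called at login, and a hypothetical login.php page.
const IDLE_MINUTES = 20; // idle limit suggested in the thread

// Call once from the login script after the password has been verified.
function register_login(PDO $db, int $userId): void {
    session_regenerate_id(true); // fresh id for the authenticated session
    $_SESSION['user_id'] = $userId;
    // Drop the row left by any earlier login, then record this session.
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO sessions (user_id, session_id, created) VALUES (?, ?, NOW())')
       ->execute([$userId, session_id()]);
}

// True only if $sid is the session recorded for the user and it has been
// active within the idle limit; refreshes the activity time on success.
function session_is_current(PDO $db, int $userId, string $sid): bool {
    $q = $db->prepare(
        'SELECT session_id FROM sessions WHERE user_id = ?
            AND created > NOW() - INTERVAL ' . IDLE_MINUTES . ' MINUTE'
    );
    $q->execute([$userId]);
    $stored = $q->fetchColumn();
    if ($stored === false || !hash_equals((string) $stored, $sid)) {
        return false; // no row, expired, or a newer login replaced this one
    }
    $db->prepare('UPDATE sessions SET created = NOW() WHERE user_id = ?')->execute([$userId]);
    return true;
}

// Run from a cron-invoked CLI script to clear abandoned sessions.
function purge_stale_sessions(PDO $db): int {
    return (int) $db->exec('DELETE FROM sessions WHERE created < NOW() - INTERVAL ' . IDLE_MINUTES . ' MINUTE');
}

// Guard for protected pages: require this file, then call this function.
function require_current_session(PDO $db): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $uid = (int) ($_SESSION['user_id'] ?? 0);
    if ($uid === 0 || !session_is_current($db, $uid, session_id())) {
        session_destroy();
        header('Location: login.php');
        exit;
    }
}
```

Because a new login deletes the previous row, the earlier machine fails the comparison on its next request and is sent back to the login page.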

#3 ramush, 07-01-08, 01:46 PM
Great. I created the table.

1. I have one file called check_password to confirm the user can login
2. Now I created a new file check_session.php which is included in each internal page.

Now I need the code for check_session.php please:
1. Check if there is a session for this user > how?
2. If not, create a session > how? insert to sessions? how do I pass the user_id variable from check_pass to check_session?
3. If there is a session, how do I compare the user session id to the one I stored in my db? get session_id?
4. How do I write a cron job to clear records that have not been updated for X minutes (perhaps 20 mins)?

All times are GMT -5.