Dear experts,
I have a problem here. I have searched the experts-exchange site for some time, but I failed to
find a proper solution.
I am setting up a web site (written in PHP) that will allow multiple users to log in simultaneously.
But one user is allowed to have only one active session at any time.
What I have done to achieve this is:
1) Set up a database table with 2 fields, username & timestamp.
2) On the login page, when a user signs in, the script will delete any session entry that is more than 20mins old. Then it checks if the username has an entry in the table. If it does, login fails. Else, login is successful.
3) After a user logs in, set the username into the session variable, e.g. $_SESSION['username'],
and insert the username and time() into the DB.
4) On top of every web page, the script will check if the session variable is empty. If it is,
it will redirect the user back to the login page.
5) Following the check-session-variable script, a script will update the timestamp in the DB table.
The same script will check if the timestamp in the DB table is more than 20mins old. If
it is, the entry will be deleted.
6) When a user logs out, the logout script will remove the user's entry in the database table.
The problem:
When a user is logged in to the system, his username will always be shown on screen. It is a
direct echo from the $_SESSION['username']. But sometimes, the username will disappear. I
assume the session has expired. But he can still browse the site freely. Supposedly, when he
browses another page, the first script that checks the session variable will get an "Empty" value,
and redirect the user to the login page. But sometimes it didn't happen. In this condition, even though
the user clicks on logout, the entry in the database table remains because the username needed for deleting
the DB table entry is missing. Then the user will have to wait for 20mins (or less) in order to sign in again.
If the user just closes the browser window without clicking on logout, the entry in the DB will
remain and the user will have to wait for 20mins to log in again.
Sometimes when a user lets the page idle for a while and then clicks on a link to another page,
it will redirect to the login page. I guess this is due to the system session having expired. It is
what the script is doing. But the login data entry in the DB table remains. It will take 20mins
for the user to log in again.
Question:
Is there any proper way to avoid making a user wait for 20mins to log in to the web site again?
Well, I have been thinking of setting the time to 5mins. But it still didn't
solve the problem.
What is really happening to the session variable? When it expires, the PHP script should
log (redirect) the user out. But sometimes it didn't.
Other info:
1) Script to set the session variable:
    $_SESSION['username'] = $username;
2) The script to check the session:
    // Redirect to the login page when no username is stored in the session
    if (!isset($_SESSION['username']))
    {
        header('Location: index.php?redirection=' . urlencode($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']));
        exit;
    }
ASKER
I have referred to the zend_auth framework, but I can't find a way to implement it to solve my problem yet.
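
An added example, not part of the original post or of any answer: a variant of the one-session-per-user scheme in steps 1 to 6 that stores the PHP session ID next to the username and lets the newest login replace the old row, instead of refusing the login, so a stale row never causes a 20-minute lockout. The table `active_sessions`, its columns, the function names and the use of PDO with `REPLACE INTO` (MySQL or SQLite) are assumptions.

```php
<?php
// Added example. active_sessions, its columns and these function names are
// assumptions; the 20-minute idle limit is the value used in the post.
const IDLE_LIMIT = 1200; // seconds

function init_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS active_sessions (
        username   VARCHAR(64) PRIMARY KEY,
        session_id VARCHAR(128) NOT NULL,
        last_seen  INTEGER NOT NULL)');
}

// Call after the password check succeeds (session_start() already called).
// The newest login wins: the user's row is replaced, never a reason to refuse.
function register_login(PDO $db, string $username): void {
    session_regenerate_id(true);        // new ID on login, prevents session fixation
    $_SESSION['username'] = $username;
    $db->prepare('REPLACE INTO active_sessions VALUES (?, ?, ?)')
       ->execute([$username, session_id(), time()]);
}

// Call at the top of every protected page, after session_start().
// True only if this browser holds the user's single active session.
function session_is_current(PDO $db): bool {
    if (empty($_SESSION['username'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT session_id, last_seen FROM active_sessions WHERE username = ?');
    $stmt->execute([$_SESSION['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row && hash_equals($row['session_id'], session_id())
               && (time() - (int)$row['last_seen']) <= IDLE_LIMIT;
    if (!$ok) {                         // superseded by a newer login, or idle too long
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE username = ?')
       ->execute([time(), $_SESSION['username']]);
    return true;
}

function logout(PDO $db): void {
    // Keyed on the session ID, so it does not depend on $_SESSION['username'].
    $db->prepare('DELETE FROM active_sessions WHERE session_id = ?')->execute([session_id()]);
    $_SESSION = [];
    session_destroy();
}
```

With this variant the older browser is logged out on its next request, because its session ID no longer matches the stored one; a row left behind by a closed browser or an expired PHP session is simply overwritten at the next login.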