llping8

asked on

PHP single user login control for website

Dear experts,
I have a problem here. I have searched the experts-exchange site for some time, but I failed to
find a proper solution.

I am setting up a web site (written in PHP) that will allow multiple users to log in simultaneously.
But one user is allowed to have only one active session at any time.

What I have done to achieve this is:
1) Set up a database table with 2 fields, username & timestamp.
2) On the login page, when a user signs in, the script will delete any session entry that is more than 20mins old. Then it checks if the username has an entry in the table. If it does, login fails. Else, login is successful.
3) After a user logs in, set the username into the session variable, e.g. $_SESSION['username'],
and insert the username and time() into the DB.
4) On top of every web page, the script will check if the session variable is empty. If it is,
it will redirect the user back to the login page.
5) Following the check session variable script, a script will update the timestamp in the DB table.
The same script will check if the timestamp in the DB table is more than 20mins old. If
it is, the entry will be deleted.
6) When a user logs out, the logout script will remove the user's entry in the database table.

The problem:
When a user is logged in to the system, his username will always be shown on screen. It is a
direct echo from the $_SESSION['username']. But sometimes, the username will disappear. I
assume the session has expired. But he can still browse the site freely. Supposedly, when he
browses another page, the first script that checks the session variable will get an "Empty" value,
and redirect the user to the login page. But sometimes it didn't happen. In this condition, even though
the user clicks on logout, the entry in the database table remains because the username needed for deleting
the DB table entry is missing. Then the user will have to wait for 20mins (or less) in order to sign in again.

If the user just closes the browser window without clicking on logout, the entry in the DB will
remain and the user will have to wait for 20mins to log in again.

Sometimes when a user lets the page idle for a while, then clicks on a link to another page,
it will redirect to the login page. I guess this is due to the system session having expired. It is
what the script is doing. But the login data entry in the DB table remains. It will take 20mins
for the user to log in again.

Question:
Is there any proper way to avoid making a user wait for 20mins to log in to the web site again?
Well, I have been thinking of setting the time to 5mins. But it still didn't
solve the problem.

What is really happening to the session variable? When it expires, the PHP script should
log (redirect) the user out. But sometimes it didn't.

Other info:
1) Script to set the session variable:
$_SESSION['username'] = $username;

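2) The script to check session:
// No username in the session: send the visitor to the login page,
// passing the requested URL along so the login page can return to it.
if (!isset($_SESSION['username']))
{
    header('Location: index.php?redirection=' . urlencode($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']));
    exit;
}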

ASKER CERTIFIED SOLUTION
Vel Eous

This solution is only available to members.
llping8

ASKER

I am thinking it may be because of the session.gc_maxlifetime = 1440 (which is 24 minutes) that the session variable disappeared. But if it is cleaned, the user should be redirected to the login page. There must be something wrong. I have to recheck the implementation.

I have referred to the zend_auth framework, but I can't find a way to implement it to solve my problem yet.
llping8

ASKER

Dear experts,
I have changed my approach.
I leave the session alone and work on the single user login separately.
Now, I include an IFRAME on every page. In the frame, there is a PHP page with an HTML META tag - refresh.

The PHP code in the IFRAME will update the database with the latest time every 15sec. Thus, as long as the user is viewing a page, it will refresh, and the username will always exist in the DB table. The same username cannot log in again. If the existing user logs out or closes the window, the DB table will stop being refreshed. Another piece of code will check and delete those entries with an idle time of more than 30 seconds. After that, the same user can log in again. So, the longest time a user has to wait is around 30sec.

It works fine. But it seems like the original session.gc_maxlifetime is not working anymore. The user session will not expire after being idle for 24 mins.

ClickCentric

You're breaking your session, that's why it's not timing out. Your workaround really is not a good idea. What happens if someone leaves their computer on that page? Do you just let it refresh forever? You really should figure out what's wrong with your session implementation and fix it. I'm not sure why you're so interested in storing it in the database, but you can use a custom session handler for that and it's really not that hard.
llping8

ASKER

Dear ClickCentric,
You are correct. The concern is if someone keeps the page open forever.
I don't understand how to use a custom session handler for the purpose of letting one user log in at one time. Can you show me how? To my knowledge, if someone logs in to the system, the session will register. But then, if he tries to log in using another computer or browser, how can the system know that the user has already logged in? Because they are 2 different sessions. Can one session check if another session that has the same userid exists?
Thanks.

ClickCentric

If they're logging in, they're using some sort of username. You determine whether they're logged in based on that. Whether or not you use sessions to store that information is another matter. Session handlers are good for that, but I think you're misunderstanding how sessions operate and what you have to do in order to prevent them from going away/timing out. You should really look at www.php.net and read up on them. Or even better, find a book that deals with them with real-world scenarios. They have to be interwoven into your site and they sometimes require parameter tweaking to get the desired results. It's not the type of thing where I can just say add this line to this file and everything will work (while it is possible that's all you need, I'd need to see all of the source code to determine that).
llping8

ASKER

Thank you very much, ClickCentric.
I appreciate your information. I think I need to do a deep study of this issue.
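
An added example, not part of the original thread or any participant's code: one way to decide by username whether someone is already logged in, as ClickCentric describes, by recording which session ID owns each username. The table name `active_login`, the function names and the `$takeover` option (the newest login replaces the older one, so nobody waits out the timeout) are assumptions for illustration.

```php
<?php
// Added example: one row per user records which PHP session currently owns the login.
const IDLE_LIMIT = 1200; // 20 minutes, the idle window used in the question

// Call after the password check succeeds. Returns false if another live session owns the user.
// On MySQL, add FOR UPDATE to the SELECT so two simultaneous logins cannot both pass.
function claimLogin(PDO $db, string $username, string $sid, int $now, bool $takeover = false): bool {
    $db->beginTransaction();
    $q = $db->prepare('SELECT session_id, last_seen FROM active_login WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // A row blocks the login only if it is fresh and belongs to a different session.
    $live = $row && ($now - $row['last_seen']) < IDLE_LIMIT && $row['session_id'] !== $sid;
    if ($live && !$takeover) { $db->rollBack(); return false; }
    // REPLACE INTO is accepted by both SQLite and MySQL.
    $db->prepare('REPLACE INTO active_login (username, session_id, last_seen) VALUES (?, ?, ?)')
       ->execute([$username, $sid, $now]);
    $db->commit();
    return true;
}

// Call at the top of every page. True only while this session still owns a fresh row.
function touchLogin(PDO $db, string $username, string $sid, int $now): bool {
    $q = $db->prepare('SELECT 1 FROM active_login
                       WHERE username = ? AND session_id = ? AND last_seen > ?');
    $q->execute([$username, $sid, $now - IDLE_LIMIT]);
    if ($q->fetchColumn() === false) return false;
    $db->prepare('UPDATE active_login SET last_seen = ? WHERE username = ?')
       ->execute([$now, $username]);
    return true;
}

// Logout deletes by session ID, so it still works when $_SESSION['username'] is gone.
function releaseLogin(PDO $db, string $sid): void {
    $db->prepare('DELETE FROM active_login WHERE session_id = ?')->execute([$sid]);
}

// Constructed demo: in-memory SQLite database, made-up session IDs and timestamps.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_login (username TEXT PRIMARY KEY,
           session_id TEXT NOT NULL, last_seen INTEGER NOT NULL)');
$t = 1000000;
var_dump(claimLogin($db, 'alice', 'sid-A', $t));            // first browser logs in
var_dump(claimLogin($db, 'alice', 'sid-B', $t + 60));       // second browser, first still live
var_dump(claimLogin($db, 'alice', 'sid-B', $t + 60, true)); // same attempt with takeover
var_dump(touchLogin($db, 'alice', 'sid-A', $t + 120));      // first browser's next page view
```

In the site itself, call `session_regenerate_id(true)` and then `claimLogin($db, $username, session_id(), time())` after the password check. At the top of each page, call `touchLogin()` and destroy the session and redirect to the login page when it returns false.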