Two different people, same account, same time
Hey everyone, I'm making a little game for fun, and it involves having a player sign in. Lets say I have the player account "Thomas" with the password "Khelavaster", and he signs in and is actively using the site right now.
Now lets say some suspicious other person has found his password and signs into it. The weird thing is that I have two sessions, both linked to one account. This seems like not only a security bug, but it introduces some weird bugs into the game, from having two different sessions.
How can I fix this? I was thinking of something like putting the session ID into the account data in the DB, but that wouldn't keep the second person from logging into the same account. I was also thinking of linking the account to the person's IP address, but I heard IP addresses were easy to spoof, and people's IP addresses change often.
Is this a problem worth worrying about? How would I solve it?
The trick with sessions is that it's a "conversation" between the server and the browser, so that second session isn't interacting with the first session at all.
Each session carries it's own ID.
one way you could control duplicate logins would be to have a sessions table in your database that would write a new row with a unique value such as the user name.
When a user logs in, it checks the table for said unique value. When the user logs off, you can delete that row from the database.
Yeah, I was thinking about something like that... if I were to do that, this would happen:
User signs on from his desktop computer, does his stuff, and closes his browser window without logging out, because his favorite show is on TV.
He grabs his laptop, goes downstairs, sits down, opens his laptop, signs on as himself. He's denied, because he didn't sign out on his desktop computer.
Now he has to walk all the way upstairs, hope that his session didnt expire, and log out.
What a conundrum...
Sessions expire when the browser is closed. However, if more that one browser window is open, it can cause issues
For that, you can look to a combination ofcookies and session variables, and probably some stored procedures or mysql triggers to handle that. Unfortunately, in not too familiar with those to give you specific details.
Look at php.net for session and cookie details to maybe get you started.
When the user logs in one the desktop record, the sessionid, the username or id, and the current time in a row in a table in the database. Anytime the user requests another page or performs some action on your website, update that record with the current time (it's basically like an activity timer).
If a user hasn't been active for XX minutes (e.g. an hour), then you can assume that user has moved away from your site without clicking the logout button.
Therefore, when the same user tries to log in on the laptop, before doing any authentication operations, delete all rows in the table where the session, user, and time are stored, where the time is XX minutes older than now(), then perform the authorization.
That's how it's done.
EDIT: Though I'd mention, if it wasn't immediately obvious, that this method is also useful as an activity timer (I'm sure you've seen websites that log users out after XX minutes of inactivity). Every time a page is requested, just check when the last activity of the current session was in the database, and if you deem it to be too long, then log the user out.
Last edited by aj_nsc; 08-28-2009 at 06:25 AM.
I've switched careers...
I'm NO LONGER a scientist,
but now a web developer...
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread