Hey everyone, I'm making a little game for fun, and it involves having a player sign in. Let's say I have the player account "Thomas" with the password "Khelavaster", and he signs in and is actively using the site right now.
Now let's say some suspicious other person has found his password and signs into it. The weird thing is that I have two sessions, both linked to one account. This seems like not only a security bug, but it introduces some weird bugs into the game, from having two different sessions.
How can I fix this? I was thinking of something like putting the session ID into the account data in the DB, but that wouldn't keep the second person from logging into the same account. I was also thinking of linking the account to the person's IP address, but I heard IP addresses were easy to spoof, and people's IP addresses change often.
Is this a problem worth worrying about? How would I solve it?
Sessions expire when the browser is closed. However, if more than one browser window is open, it can cause issues.
For that, you can look to a combination of cookies and session variables, and probably some stored procedures or MySQL triggers to handle that. Unfortunately, I'm not too familiar with those to give you specific details.
Look at php.net for session and cookie details to maybe get you started.
When the user logs in on the desktop, record the session id, the username or id, and the current time in a row in a table in the database. Anytime the user requests another page or performs some action on your website, update that record with the current time (it's basically like an activity timer).
If a user hasn't been active for XX minutes (e.g. an hour), then you can assume that user has moved away from your site without clicking the logout button.
Therefore, when the same user tries to log in on the laptop, before doing any authentication operations, delete all rows in the table where the session, user, and time are stored, where the time is XX minutes older than now(), then perform the authorization.
That's how it's done.
EDIT: Thought I'd mention, if it wasn't immediately obvious, that this method is also useful as an activity timer (I'm sure you've seen websites that log users out after XX minutes of inactivity). Every time a page is requested, just check when the last activity of the current session was in the database, and if you deem it to be too long, then log the user out.
Last edited by aj_nsc; 08-28-2009 at 06:25 AM.
I've switched careers...
I'm NO LONGER a scientist,
but now a web developer...
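The session table described in the answer above, written out as an added example (not the poster's code, and not PHP/MySQL: it uses Python with an in-memory SQLite table standing in for the MySQL one). It assumes the password check has already passed before `login` is called, and it resolves the "one account, two sessions" case by letting the newest login displace the older session; refusing the new login while an active row exists is the other option and is a one-line change in `login`.

```python
import secrets
import sqlite3

TIMEOUT_SECONDS = 60 * 60  # the "XX minutes" of inactivity; one hour here


class SessionStore:
    """One active session per account, tracked in a sessions table
    (constructed example; SQLite in memory stands in for MySQL)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions ("
            " session_id TEXT PRIMARY KEY,"
            " user_id TEXT NOT NULL UNIQUE,"  # UNIQUE: at most one row per account
            " last_seen INTEGER NOT NULL)"
        )

    def purge_stale(self, now):
        """Delete rows whose last activity is older than the timeout."""
        self.db.execute("DELETE FROM sessions WHERE last_seen < ?",
                        (now - TIMEOUT_SECONDS,))

    def login(self, user_id, now):
        """Run after the password check. Purges idle sessions, then replaces any
        still-active session for this account, so the earlier session (whether
        the real player's or an intruder's) stops being honoured."""
        self.purge_stale(now)
        session_id = secrets.token_urlsafe(32)  # unguessable, not a counter
        self.db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                        (session_id, user_id, now))
        self.db.commit()
        return session_id

    def touch(self, session_id, now):
        """Run on every request. Returns the user_id and refreshes the activity
        timer if the session is live; returns None if it timed out or was
        displaced by a newer login, in which case the caller logs the user out."""
        self.purge_stale(now)
        row = self.db.execute("SELECT user_id FROM sessions WHERE session_id = ?",
                              (session_id,)).fetchone()
        if row is None:
            return None
        self.db.execute("UPDATE sessions SET last_seen = ? WHERE session_id = ?",
                        (now, session_id))
        self.db.commit()
        return row[0]
```

Timestamps are passed in as integer seconds so the behaviour is reproducible; in a real handler you would pass `int(time.time())`.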