php - check if the user with email X has 1 or 2 open sessions

Asked

Viewed 63 times

2

Hi,

I would like to know the safest and easiest way to check whether a user is logged in twice with the same email. If they are, one session is simply cancelled and the other one is kept.

How can I make that check?

1 answer

0


There are several ways to do this. One option is to create a hashed value that is saved in the database for a later check. For example:

After the user's email and password have been confirmed, you open a session:

session_start();

$email = '[email protected]';

// this is the value generated after the user has been confirmed
$valor_da_sessao = crypt($email, md5(date("d/m/Y H:i:s")));

$_SESSION['user'] = $valor_da_sessao;

// save the session in the database

$query = mysqli_query($conexao, "UPDATE sessao SET valor = '$valor_da_sessao' WHERE email = '$email'");

if($query){
    // send the redirect header before any output, otherwise header() fails
    header("Location: pagina_inicial.php");
    echo "DEU CERTO!";
} else {
    echo "DEU ERRADO!";
}

Now, on each user action, you just check whether the session being used is the original one.

Thus:

session_start();

$valor_da_sessao = $_SESSION['user'];

// look the session value up in the database
$query = mysqli_query($conexao, "SELECT * FROM sessao WHERE valor = '$valor_da_sessao'");

if(mysqli_num_rows($query) == 0){
    /*

        THIS SESSION IS NOT THE ORIGINAL ONE

    */

    unset($_SESSION['user']);
    session_destroy();
}

EDIT

After a few comments from @Inkeliz, who showed me that the answer above is really easy to circumvent. But it is easy to fix too! To do this, you need to change both the session value and the database value on each user action. This way it will be impossible for the same user to be in 2 places at the same time.

Thus:

session_start();

$email = '[email protected]';

if(isset($_SESSION['user'])){

    $valor_da_sessao = $_SESSION['user'];

    // look the current session value up in the database
    $query = mysqli_query($conexao, "SELECT * FROM sessao WHERE valor = '$valor_da_sessao'");

    if(mysqli_num_rows($query) == 0){

        /*

            THIS SESSION IS NOT THE ORIGINAL ONE

        */

        unset($_SESSION['user']);
        session_destroy();

    } else {

        /*

            THIS SESSION IS THE ORIGINAL ONE
            CREATE A NEW VALUE
            SAVE IT IN THE DATABASE

        */

        $valor_da_sessao = crypt($email, md5(date("d/m/Y H:i:s")));

        $_SESSION['user'] = $valor_da_sessao;

        mysqli_query($conexao, "UPDATE sessao SET valor = '$valor_da_sessao' WHERE email = '$email'");

    }

}
  • -1 This does not work. If the customer clones the identification cookie (PHPSESSID) it can be used on infinite devices. Therefore, it does not solve the problem.

  • @Inkeliz, sincerely: I researched "cloning" cookies and the closest thing to that was the old hijacking attack. I copied the entire Chrome file directory on my PC after opening the session and pasted it on my laptop, and the session was not open. And if it is some kind of hack or security issue, I don't think it is at the heart of the matter itself. If you have any material that can help me go deeper on this, I appreciate it.

  • Just press F12, enter the site, copy the cookies present in the header and set them on another device; you can use JavaScript. Or you can use an "Edit this cookie" plug-in and copy the content, in this case the session identifier.

  • Your goal is to prevent access on multiple devices. If there is a "hack", or if you consider this one, then your goal is not achieved.

  • @Inkeliz thanks for the help. Take a look at the current answer.

  • 1

    This works, if you do not use the same date, since looking at the clock is not random and the email is predictable too... You can simply use random_bytes, for example random_bytes(32). This can be used in both cases, but in the first case there would have to be a reference between the user and the random value. Either way, it has a side effect: a person with one device but multiple tabs won't be able to use it. A person can send the request but fail to receive the answer, which is common on unstable connections (mobile Internet in the middle of the road).
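As an added example, not the answer's or the commenters' code, here is the rotating-token scheme from the edit reworked along the lines of the comments: the token comes from random_bytes, the database stores only its SHA-256 hash, the comparison is constant-time, and the queries are prepared statements instead of string interpolation. It uses an in-memory SQLite table through PDO so it runs from the command line with no web server; the table name `sessao` and its columns are assumptions, the `$desktop` and `$laptop` arrays model each device's `$_SESSION`, and the email address is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example: one active session per account, enforced with a random
// token that is replaced on every request. Not the answer's code. The
// sessao table (name and columns assumed) lives in an in-memory SQLite
// database; each $session array stands in for one device's $_SESSION.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per account; token_hash holds the SHA-256 of the current token.
    $db->exec('CREATE TABLE sessao (email TEXT PRIMARY KEY, token_hash TEXT NOT NULL)');
    return $db;
}

function newToken(): string
{
    // random_bytes is unpredictable, unlike crypt($email, md5(date(...))),
    // whose inputs (the email and the clock) are both guessable.
    return bin2hex(random_bytes(32));
}

// Call only after the email and password have been verified. Overwriting the
// stored hash is what ends the session on any other device.
function login(PDO $db, string $email, array &$session): void
{
    $token = newToken();
    $stmt = $db->prepare('INSERT OR REPLACE INTO sessao (email, token_hash) VALUES (:e, :h)');
    $stmt->execute([':e' => $email, ':h' => hash('sha256', $token)]);
    // In a web app: session_regenerate_id(true); $_SESSION['user'] = $token;
    $session = ['email' => $email, 'token' => $token];
}

// Call on every request. Returns true only if the presented token is the one
// most recently issued for that account, and then replaces it. Otherwise the
// session is cleared (web app: unset($_SESSION['user']); session_destroy();).
function checkAndRotate(PDO $db, array &$session): bool
{
    if (!isset($session['email'], $session['token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash FROM sessao WHERE email = :e');
    $stmt->execute([':e' => $session['email']]);
    $stored = $stmt->fetchColumn();
    // hash_equals compares in constant time; the database never holds the raw token.
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $session['token']))) {
        $session = [];
        return false;
    }
    $token = newToken();
    $upd = $db->prepare('UPDATE sessao SET token_hash = :h WHERE email = :e');
    $upd->execute([':h' => hash('sha256', $token), ':e' => $session['email']]);
    $session['token'] = $token;
    return true;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

$db = openDb();
$email = 'user@example.com';   // constructed sample address
$desktop = [];
$laptop = [];

login($db, $email, $desktop);
expect(checkAndRotate($db, $desktop), 'first device is valid after login');

login($db, $email, $laptop);   // the same account logs in elsewhere
expect(!checkAndRotate($db, $desktop), 'first device is logged out by the second login');
expect(checkAndRotate($db, $laptop), 'second device keeps working');

// The objection raised in the comments: a copied session value. The copy
// passes once, but its rotation invalidates the token the original holder
// still has, so the duplicate shows up on the very next request.
$copy = $laptop;
expect(checkAndRotate($db, $copy), 'copied session value passes one request');
expect(!checkAndRotate($db, $laptop), 'original holder is cut off after the copy rotated the token');
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). Because every request replaces the token, two requests that both present the old one cannot both succeed; that strictness is the side effect the last comment describes, so in a real deployment the lookup and the update must run while the session is locked (PHP's default file session handler holds that lock from session_start() until the session is written), otherwise two concurrent requests from the same browser can race each other out.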
