So the problem you want to solve is that the same user cannot be logged in on two "machines" at the same time.
Using normal sessions, which stay on the server - either in memory or in the database - you only have one certainty: your user authenticated to the system. You cannot find out whether he is still logged in or not unless he expressly tells you - i.e. he has asked to log out.
To know if the guy is still logged in, just check at login time whether his email/login is in the table where you save the session (a SELECT email FROM session WHERE email = $email already does it). The problem is that you may end up locking your user out of your system until the session expires.
However, there is a way for you to know if he is still using the system, i.e. if the tab is still open in his browser: you will use a WebSocket, client and server side. I won't dwell on the client implementation, but I found a tutorial that looks good for that part. Think of a WebSocket as a chat room with the server: your client can send messages to the server and the server can send messages to the client and/or clients.
The problem is that this tutorial does not have the server-side part of the WebSocket implementation - because what you already have is an HTTP web server. A library I found for PHP is Ratchet. You will literally need to run another server - on another port - to receive the client's messages. In Ratchet it would be something like:
<?php
use Ratchet\MessageComponentInterface;
use Ratchet\ConnectionInterface;

class WSAuth implements MessageComponentInterface {
    protected $clients;

    public function __construct() {
        // Holds every open connection so we can push messages to them later
        $this->clients = new \SplObjectStorage;
    }
    public function onOpen(ConnectionInterface $conn) {
        // Store the new connection to send messages to later
        $this->clients->attach($conn);
        echo "New connection! ({$conn->resourceId})\n";
    }
    public function onMessage(ConnectionInterface $from, $msg) {
        // receive the client's message with login and password
        // run all the checks needed to authenticate it
        // send the SessionID back to the client, and store the cookie
    }
    public function onClose(ConnectionInterface $conn) {
        // log the user out if this client had authenticated before
        $this->clients->detach($conn);
    }
    public function onError(ConnectionInterface $conn, \Exception $e) {
        // you should probably log the guy out if there is an error as well
        $conn->close();
    }
}
Another solution would be to send an Ajax request to the server every minute, and if the client doesn't send one for 3 minutes you drop it.
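As an added example (not part of the original answer), this is the "session table plus periodic Ajax ping" variant in plain PHP: login is refused only while another session for the same email is still sending heartbeats, so a closed tab stops blocking the user after 3 minutes instead of until the session expires. The table name `session`, its columns, the class name `SingleSessionGuard` and the sample emails/session ids are assumptions, and the in-memory SQLite database is just so it runs stand-alone.

```php
<?php
declare(strict_types=1);

final class SingleSessionGuard
{
    private const HEARTBEAT_TIMEOUT = 180; // seconds: three missed one-minute pings

    public function __construct(private PDO $db)
    {
        // Assumed schema: one row per email, owned by exactly one session id
        $db->exec('CREATE TABLE IF NOT EXISTS session (
            email TEXT PRIMARY KEY, session_id TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    /** true if login may proceed, false if another live session holds this email. */
    public function login(string $email, string $sessionId, int $now): bool
    {
        $stmt = $this->db->prepare('SELECT last_seen FROM session WHERE email = :email');
        $stmt->execute([':email' => $email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false && ($now - (int) $row['last_seen']) < self::HEARTBEAT_TIMEOUT) {
            return false; // another browser/device is still pinging for this user
        }
        // No row, or the old session went quiet: take over the slot with the new id
        $up = $this->db->prepare('INSERT OR REPLACE INTO session (email, session_id, last_seen)
                                  VALUES (:e, :s, :t)');
        $up->execute([':e' => $email, ':s' => $sessionId, ':t' => $now]);
        return true;
    }

    /** Called by the client's periodic Ajax ping; only the owning session can refresh the slot. */
    public function heartbeat(string $sessionId, int $now): void
    {
        $stmt = $this->db->prepare('UPDATE session SET last_seen = :t WHERE session_id = :s');
        $stmt->execute([':t' => $now, ':s' => $sessionId]);
    }

    /** Explicit logout frees the slot immediately. */
    public function logout(string $sessionId): void
    {
        $this->db->prepare('DELETE FROM session WHERE session_id = :s')->execute([':s' => $sessionId]);
    }
}

// Constructed demo: desktop logs in, phone tries while desktop is live, then after desktop goes quiet
$guard = new SingleSessionGuard(new PDO('sqlite::memory:'));
$t = 1_700_000_000;
var_dump($guard->login('alice@example.com', 'sid-desktop', $t));
$guard->heartbeat('sid-desktop', $t + 60);
var_dump($guard->login('alice@example.com', 'sid-phone', $t + 120));
var_dump($guard->login('alice@example.com', 'sid-phone', $t + 60 + 180));
```

The session id in the ping must be the server-issued one read from the cookie, never a value the client can choose, otherwise one client could keep refreshing another's slot.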
This function does not return what I need; this function will check if it is logged in and then send the user to the restricted page. What I want is to not let the user log in 2 times with the same login and password.
– Clayton Eduardo Mergulhão
In that case you would need to save the session in the database and, at login time, verify that the user is not in the session table;
– Danilo
@Danilo but then how will he know if the guy has logged in and lost his session? For example, if he has logged in and then opened another browser or mobile phone. I think what @Claytoneduar wants may be some more complex security issue in this case. It would take some kind of constant verification of the validity of the session. The best way to keep this would be by WebSockets.
– Daniel
@Daniel but the session is global in the database; per the documentation you could store the user's email in the session's 'date' field. Then, before logging in, you check whether that email is in the 'date' field; if it is, it is because he logged in, even if on a different device.
– Danilo
It's something like what @Daniel said. CodeIgniter's Secret is already recorded in the database, but it expires; that's exactly what he said: my users will access from mobile, tablet and computer, only access with the same login more than once will not be allowed. If he is logged in, he cannot log in with the same login in different browsers or on different devices.
– Clayton Eduardo Mergulhão
@Claytoneduardomergulhão then edit your question to be more accurate; I'll prepare an answer explaining at a high level how to do session verification using WebSockets. I don't even know it, but I've seen it in theory. I just won't consider ion_auth, because it's more general than that.
– Daniel
@Daniel see if the question got better?
– Clayton Eduardo Mergulhão