No, at least not natively. What you can do is save to the database which session is active, even using session_set_save_handler to do so, or you can create your own session management system.
A rough path to follow would be:
When the user connects:
    if ($senhaCorreta && $tudoOk) {
        // Id of the current session (the value of the session cookie)
        $idSessao = session_id();

        // Record it as this user's only active session
        $AtualizaSessao = $mysqli->prepare('UPDATE tabela
                                            SET idSessao = ?
                                            WHERE idUsuario = ?');
        $AtualizaSessao->bind_param('si', $idSessao, $idUsuario);
        $AtualizaSessao->execute();
        //...
        $_SESSION['idUsuario'] = $idUsuario;
    }
This will update the idSessao with the id of the current session, the value of the cookie.
Now you can just compare:
    if (isset($_SESSION['idUsuario'])) {
        // Read the session id recorded at the user's most recent login
        // (same idSessao column that the UPDATE above writes)
        $BuscaUltimaSessao = $mysqli->prepare('SELECT idSessao
                                               FROM tabela
                                               WHERE idUsuario = ?');
        $BuscaUltimaSessao->bind_param('i', $_SESSION['idUsuario']);
        $BuscaUltimaSessao->execute();
        $BuscaUltimaSessao->bind_result($idSessao);
        $BuscaUltimaSessao->fetch();

        // Cast so a missing row or NULL column fails the comparison
        // instead of raising a TypeError
        if (hash_equals(session_id(), (string) $idSessao) === false) {
            session_destroy();
            echo 'Esta sessão expirou';
        } else {
            echo 'OK';
        }
    } else {
        echo 'Não há sessão';
    }
The logic is very simple: only one session will be in the database, in the column idSessao, so when the same user connects elsewhere this column will be updated to the corresponding cookie value. This can be tested even in different browsers: once you connect in one and then connect in the other, the first will be disconnected after refreshing the page.
/!\ This has flaws!
Obviously you should check more things besides the cookie, like the IP, the browser (...). After all, it is possible to duplicate the value of the cookie, since it is on the client side, so two different devices can share the same cookie and thus connect to the same account; this is even a method of attack. However, it is possible that two devices are using the same browser (or forging this information) and are using the same IP (for example, multiple devices using a single proxy/VPN). Be aware that there will still be two devices/browsers/people on the same account; I honestly don't see any solution to this.
This question is quite broad indeed; it depends a lot on how your software architecture is set up, but there must be some class or library that helps you implement multiple login rules on your system
– Erlon Charles
If you have the session saved in the database, yes. What I do is, whenever someone logs in, delete all existing sessions of that user in the DB.
– Jorge B.
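
The single-active-session check described in the answer above, as an added example that is not part of the original answer or comments. It assumes PDO with an in-memory SQLite database in place of mysqli so it runs from the command line; the helper names (fingerprint, registerLogin, isCurrentSession), the hashing of the stored id and the session ids are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the real users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tabela (idUsuario INTEGER PRIMARY KEY, idSessao TEXT)');
$pdo->exec('INSERT INTO tabela (idUsuario, idSessao) VALUES (1, NULL)');

// Store only a SHA-256 of the session id (a choice made in this example), so a
// leaked table does not hand out usable cookie values.
function fingerprint(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

// Call after the password check: the newest login overwrites the previous one.
// In a web request, call session_regenerate_id(true) first and pass session_id().
function registerLogin(PDO $pdo, int $idUsuario, string $sessionId): void
{
    $stmt = $pdo->prepare('UPDATE tabela SET idSessao = ? WHERE idUsuario = ?');
    $stmt->execute([fingerprint($sessionId), $idUsuario]);
}

// Call on every request: true only for the session that logged in last.
function isCurrentSession(PDO $pdo, int $idUsuario, string $sessionId): bool
{
    $stmt = $pdo->prepare('SELECT idSessao FROM tabela WHERE idUsuario = ?');
    $stmt->execute([$idUsuario]);
    $stored = $stmt->fetchColumn();
    // No row (false) or no login recorded yet (NULL): fail closed.
    if (!is_string($stored)) {
        return false;
    }
    return hash_equals($stored, fingerprint($sessionId));
}

// Constructed session ids standing in for two browsers' cookies.
$browserA = bin2hex(random_bytes(16));
$browserB = bin2hex(random_bytes(16));

registerLogin($pdo, 1, $browserA);
var_dump(isCurrentSession($pdo, 1, $browserA)); // A is the active session
registerLogin($pdo, 1, $browserB);              // same user logs in elsewhere
var_dump(isCurrentSession($pdo, 1, $browserA)); // A no longer matches
var_dump(isCurrentSession($pdo, 1, $browserB)); // B is the active session
```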