PHP Check/Take Down Login Duplicity Session


Viewed 1,262 times

1

Is there any tool or something of the kind to check if the same user is logging in in two different locations and bring down the older login?

Example: I’m logged in to a PHP system that uses Session for authentication verification, and another person who has my password logs into the system. Then the system would automatically take me out and leave only the new login using the system. The aim is to ensure that no ONE login is logged into the system on two different machines.

  • This question is quite broad indeed; it depends a lot on how your software architecture is set up, but there must be some class or library that helps you implement multiple-login rules on your system.

  • If you have the session saved in the database, yes. I do this: whenever someone logs in, I delete all existing sessions of that user in the DB.

2 answers

1


No, at least natively it does not exist. What you can do is save to the database which session is active, including using session_set_save_handler to do so, or you can create your own session management system.


A "path of stones" would be:

When the user connects:

if ($senhaCorreta && $tudoOk) {

    // Record the current session id as the only valid session for this user.
    $idSessao = session_id();

    $AtualizaSessao = $mysqli->prepare('UPDATE tabela
                                         SET idSessao = ?
                                           WHERE idUsuario = ?');

    $AtualizaSessao->bind_param('si', $idSessao, $idUsuario);
    $AtualizaSessao->execute();

    //...

    $_SESSION['idUsuario'] = $idUsuario;

}

This will update the idSessao with the id of the current session, the value of the cookie.

Now you can just compare:

if (isset($_SESSION['idUsuario'])) {

    // Read the session id recorded at the last login (the idSessao column updated at login).
    $BuscaUltimaSessao = $mysqli->prepare('SELECT idSessao
                                            FROM tabela
                                             WHERE idUsuario = ?');

    $BuscaUltimaSessao->bind_param('i', $_SESSION['idUsuario']);
    $BuscaUltimaSessao->execute();

    $BuscaUltimaSessao->bind_result($idSessao);
    $BuscaUltimaSessao->fetch();

    // A different id in the database means a newer login replaced this one.
    if (hash_equals(session_id(), $idSessao) === false) {

        session_destroy();

        echo 'Esta sessão expirou';

    } else {

        echo 'OK';

    }

} else {

    echo 'Não há sessão';

}

The logic is very simple: only one session will be in the database, in the column idSessao, so when the same user connects elsewhere this column will be updated to the corresponding cookie value. This can be tested even in different browsers: once you connect in one and then connect in the other, the first will be disconnected after refreshing the page.


/!\ This has flaws!

Obviously you should check more things besides the cookie, like the IP, the browser (...). After all, it is possible to duplicate the value of the cookie: it is on the client side, so two different devices can share the same cookie and so connect to the same account; this is even a method of attack. However, it is possible that two devices are using the same browser (or faking this information) and are using the same IP (for example multiple devices using a single proxy/VPN). Be aware that there will still be two devices/browsers/people on the same account; I honestly don’t see any solution to this.

  • Thank you, I think a light appeared kkkkkkkkkkkkk I liked the idea, to implement this way, even putting login date and other things to try to decrease the flaws. Thank you
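The single-active-session check from the answer above, as an added example that is not part of the original answer or its author's code. It keeps the answer's table and column names and goes beyond it by storing only a SHA-256 of the session id plus a login time; the `loginEm` column, the in-memory SQLite database, the two function names and the simulated device ids are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example. Table and column names follow the answer; the loginEm column,
// the in-memory SQLite database and the function names are assumptions.

function registerLogin(PDO $db, int $idUsuario, string $idSessao): void
{
    // Keep only a hash of the session id, so a leaked table does not hand out
    // usable cookie values. Overwriting the row invalidates the older login.
    $stmt = $db->prepare(
        'UPDATE tabela SET idSessao = ?, loginEm = ? WHERE idUsuario = ?'
    );
    $stmt->execute([hash('sha256', $idSessao), time(), $idUsuario]);
}

function isCurrentSession(PDO $db, int $idUsuario, string $idSessao): bool
{
    $stmt = $db->prepare('SELECT idSessao FROM tabela WHERE idUsuario = ?');
    $stmt->execute([$idUsuario]);
    $stored = $stmt->fetchColumn();

    // Unknown user or no login recorded yet: fail closed.
    if (!is_string($stored) || $stored === '') {
        return false;
    }
    return hash_equals($stored, hash('sha256', $idSessao));
}

// In a web request the id comes from PHP itself, rotated at login:
//   session_start(); session_regenerate_id(true);
//   registerLogin($db, $idUsuario, session_id());
// Every later request calls isCurrentSession(..., session_id()) and
// destroys the session when it returns false.

// Constructed demo: two devices, simulated with random ids, same account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tabela (idUsuario INTEGER PRIMARY KEY, idSessao TEXT, loginEm INTEGER)');
$db->exec('INSERT INTO tabela (idUsuario) VALUES (1)');

$deviceA = bin2hex(random_bytes(16));
$deviceB = bin2hex(random_bytes(16));

registerLogin($db, 1, $deviceA);              // first login, from device A
var_dump(isCurrentSession($db, 1, $deviceA));
registerLogin($db, 1, $deviceB);              // same user logs in on device B
var_dump(isCurrentSession($db, 1, $deviceA)); // check for the older login
var_dump(isCurrentSession($db, 1, $deviceB)); // check for the newer login
```

Rotating the id with `session_regenerate_id(true)` before recording it means an id that was set before authentication is never the one stored as the active login.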

0

In PHP you can use Sessions; that is, every time the user logs in you will register the session.

Sessions Documentation - W3cschool

<?php
session_start();
?>
<!DOCTYPE html>
<html>
<body>

<?php
  print_r($_SESSION);
?>

</body>
</html>

Now just create an algorithm to get the list of sessions on the server and apply precisely the concept you yourself mentioned.

  • OK, but when the user logs in and uses the system, in this $_SESSION I see PHP only takes his session, not the others. I could not find anything that would return me the active Sessions in PHP to make a comparison or anything.

  • Ideally you store the session in a table for eventual comparisons...you probably have a table of users, add a field for the session and retrieve them through queries...

  • Really the ideal is to store the session in a table every time the user logs in, so you will have an updated table every login with the user’s session. Then you can check multi-session users. https://stackoverflow.com/questions/11931401/php-session-for-multiple-users-at-once
