Check if user is already logged in

Hi,

i have a website , on wich users have to log in
credentials are checked against mysql db
some session vars are set during login for use somewhere else in the
code.

Is there a way to prohibit a user to log in twice.
A was thinking about setting some flag in the db, but in that case i
need some timeout in case a pc can crash for instance so the user does
not logout.

Is it possible to check if a session var ( in another session )
exists??

thanks
fré

re: Check if user is already logged in

"fr?" <griemer@chello.nl> wrote in message
news:fd172af0.0310071136.44d12ec0@posting.google.c om...[color=blue]
> Hi,
>
> i have a website , on wich users have to log in
> credentials are checked against mysql db
> some session vars are set during login for use somewhere else in the
> code.
>
> Is there a way to prohibit a user to log in twice.
> A was thinking about setting some flag in the db, but in that case i
> need some timeout in case a pc can crash for instance so the user does
> not logout.
>
> Is it possible to check if a session var ( in another session )
> exists??[/color]

Session variables are accessible throughout a site, do a print_r
($_SESSION); to see what's in there. Maybe your application isn't using
PHP's sessions but some internal mechanism for dealing with them.

Paulus

re: Check if user is already logged in

as expected, i only see the sessionvars belonging to my own session
On PC1 script says: Array ( [id] => 11 [user] => john )
On PC2 script says: Array ( [id] => 34 [user] => mark )

I cannot see the vars for PC1 on PC2 v.v.. That is probably how it is
meant to be.

What i am trying to check is:
john is logged into PC1
Someone else tries to login on PC2 with username John. Is there a way to
find out that john is already logged in, and prevent this user to login as
John??

fré


"Paulus Magnus" <paulus.magnus@loves-spam.com> schreef in bericht
news:blvn48$5c3$1@titan.btinternet.com...[color=blue]
> "fr?" <griemer@chello.nl> wrote in message
> news:fd172af0.0310071136.44d12ec0@posting.google.c om...[color=green]
> > Hi,
> >
> > i have a website , on wich users have to log in
> > credentials are checked against mysql db
> > some session vars are set during login for use somewhere else in the
> > code.
> >
> > Is there a way to prohibit a user to log in twice.
> > A was thinking about setting some flag in the db, but in that case i
> > need some timeout in case a pc can crash for instance so the user does
> > not logout.
> >
> > Is it possible to check if a session var ( in another session )
> > exists??[/color]
>
> Session variables are accessible throughout a site, do a print_r
> ($_SESSION); to see what's in there. Maybe your application isn't using
> PHP's sessions but some internal mechanism for dealing with them.
>
> Paulus
>
>[/color]

re: Check if user is already logged in

"griemer" <griemer@chello.nl> wrote in message
news:4YXgb.34297$4w.4297194@amsnews03.chello.com.. .[color=blue]
> as expected, i only see the sessionvars belonging to my own session
> On PC1 script says: Array ( [id] => 11 [user] => john )
> On PC2 script says: Array ( [id] => 34 [user] => mark )
>
> I cannot see the vars for PC1 on PC2 v.v.. That is probably how it is
> meant to be.
>
> What i am trying to check is:
> john is logged into PC1
> Someone else tries to login on PC2 with username John. Is there a way to
> find out that john is already logged in, and prevent this user to login[/color]
as[color=blue]
> John??[/color]

Ah I see what your problem is now. Sessions are related to one browsing
session only so no you couldn't see other sessions that were active without
directly accessing the session files on the server, which isn't a wise thing
to do.

With a web browser you can't see when somebody is logged in, only the last
time they did something. If John simply turned his machine off the session
on the server will remain there ad infinitum. You could log the user ids to
a database during login and then you can detect during login that he's
already logged in but he may have rebooted his computer and be trying to get
back in instantly so you'd have to take account of that. Maybe popping up an
Alert box that says "John was active on PC1 45 seconds ago, do you want to
log him out and login as John on this PC?" or something similar. Your only
opportunity to interact with the server is when a page is requested. Sitting
and reading a page, having a coffee, going to the toilet or turning off your
computer don't trigger data transmissions so they're invisible to a web
server.

Paulus

re: Check if user is already logged in

griemer@chello.nl (fr?) wrote in message news:<fd172af0.0310071136.44d12ec0@posting.google. com>...[color=blue]
> Hi,
>
> i have a website , on wich users have to log in
> credentials are checked against mysql db
> some session vars are set during login for use somewhere else in the
> code.
>
> Is there a way to prohibit a user to log in twice.[/color]

Yes, Store both session_id & IP in table, and check the validity
of session on each pages. You may look at
http://martin.f2o.org/download/php-login-script
[color=blue]
> A was thinking about setting some flag in the db, but in that case i
> need some timeout in case a pc can crash for instance so the user does
> not logout.
>
> Is it possible to check if a session var ( in another session )
> exists??[/color]

/**
* IsSessionActive()
*
* @author R. Rajesh Jeba Anbiah
* @description Will work only if the session save handler is default
"files" implementation & session gc probability is higher
* @param $session_id
* @return true/false
**/
function IsSessionActive($session_id)
{
$sess_file = session_save_path()."/sess_".$session_id;
return(file_exists($sess_file));
}


---
"US got a nuclear bomb that can destroy the world 13 times. Russia
got a nuclear bomb that can destroy the world 7 times. But...my
friend! Tell me! CAN YOU KILL A MAN TWICE??!!!!!" -- P.A.Sangma, Peace
loving Indian politician against India's step to go for a nuclear
test.
Email: rrjanbiah-at-Y!com

re: Check if user is already logged in

R. Rajesh Jeba Anbiah wrote:
[color=blue]
> griemer@chello.nl (fr?) wrote in message news:<fd172af0.0310071136.44d12ec0@posting.google. com>...
>[color=green]
>>Hi,
>>
>>i have a website , on wich users have to log in
>>credentials are checked against mysql db
>>some session vars are set during login for use somewhere else in the
>>code.
>>
>>Is there a way to prohibit a user to log in twice.[/color]
>
>
> Yes, Store both session_id & IP in table, and check the validity
> of session on each pages. You may look at
> http://martin.f2o.org/download/php-login-script[/color]

Unfortunately this might not always work. We have some customers on AOL
or behind university round-robin proxies. The requests from these users
come from different IP addresses for each page. If you look in the
request headers
(http://www.zend.com/manual/function....st-headers.php)
I think most proxies add an X-forwarded-for: x.x.x.x header with the
real IP address.

re: Check if user is already logged in

Kevin Thorpe <kevin@pricetrak.com> wrote in message news:<3f8aa25d$0$11458$afc38c87@news.easynet.co.uk >...[color=blue]
> R. Rajesh Jeba Anbiah wrote:
>[color=green]
> > griemer@chello.nl (fr?) wrote in message news:<fd172af0.0310071136.44d12ec0@posting.google. com>...
> >[color=darkred]
> >>Hi,
> >>
> >>i have a website , on wich users have to log in
> >>credentials are checked against mysql db
> >>some session vars are set during login for use somewhere else in the
> >>code.
> >>
> >>Is there a way to prohibit a user to log in twice.[/color]
> >
> >
> > Yes, Store both session_id & IP in table, and check the validity
> > of session on each pages. You may look at
> > http://martin.f2o.org/download/php-login-script[/color]
>
> Unfortunately this might not always work. We have some customers on AOL
> or behind university round-robin proxies. The requests from these users
> come from different IP addresses for each page. If you look in the
> request headers
> (http://www.zend.com/manual/function....st-headers.php)
> I think most proxies add an X-forwarded-for: x.x.x.x header with the
> real IP address.[/color]


I and another prgrammer recently faced a similiar problem. He ran the
java side of our site, and I ran the php side. We had to find a way
to have users log in once on either side and have that login remain
valid for the other side etc etc. Timeouts were a necessity for us
also. In short we set up a sessions table in our db which we would
write our own sessions into while also placing an MD5 sum in a cookie
on the client computer that contained username, pass and date I
believe. It was a while ago. We would then make a call to that
sessions table at page changes which allowed logins to remain valid
accross the language change as long as the user had a valid session.
That's probably a bit more than you'll need to do given that you're
just working in php, but thought I'd post it.

As far as the time out thing, I found it easier to make the login
script simply overwrite any existing sessions if there was a name
duplication. This took care of the comp crashing issues. In
addition, we are running a cronjob every fifteen minutes that queries
the db using a two hour interval to check for stale sessions. To make
that effective, we wrote an automatic session update into our session
checking script etc etc. Just a timestamp update. Have been running
this set up for several months now and it has been working pretty
well.

re: Check if user is already logged in

Kevin Thorpe <kevin@pricetrak.com> wrote in message news:<3f8aa25d$0$11458$afc38c87@news.easynet.co.uk >...[color=blue]
> R. Rajesh Jeba Anbiah wrote:
>[color=green]
> > griemer@chello.nl (fr?) wrote in message news:<fd172af0.0310071136.44d12ec0@posting.google. com>...
> >[color=darkred]
> >>Hi,
> >>
> >>i have a website , on wich users have to log in
> >>credentials are checked against mysql db
> >>some session vars are set during login for use somewhere else in the
> >>code.
> >>
> >>Is there a way to prohibit a user to log in twice.[/color]
> >
> >
> > Yes, Store both session_id & IP in table, and check the validity
> > of session on each pages. You may look at
> > http://martin.f2o.org/download/php-login-script[/color][/color]

Storing session_id alone is quite sufficient. When the user login
to the webpage, store the current session_id in DB and then check the
current session_id on each page with the one in DB. IP check is to
enhance with the error message like "You have been logged off as you
have logged in on a different machine."
[color=blue]
> Unfortunately this might not always work. We have some customers on AOL
> or behind university round-robin proxies. The requests from these users
> come from different IP addresses for each page. If you look in the
> request headers
> (http://www.zend.com/manual/function....st-headers.php)
> I think most proxies add an X-forwarded-for: x.x.x.x header with the
> real IP address.[/color]

Could you post your IP fetch routine? I guess, the problem is
in your code.

---
"We are free from today... Paralyse the country, you are your own
leaders. Do or Die." --- Mahatma Gandhi
Email: rrjanbiah-at-Y!com