PHP /SESSION: Login one per user?

Question

How can i do so only 1 can be online for the 1 user at the time? Idea ?

So you e.g can not login to User1 on one pc/browser and then on the other pc/browser login to

Answer 1

I sort of have the same task where I only want the user to have one session only. This so it can only be he/she who uses the account, and not a whole lot of other people.

The way I have designed it is that I have one table where I am storing start and end of session. This to be used for the user to see how long the last visit took and when he/she was last online.

Then I have designed a session-table where I am updating the time/date whenever the user does something. If the time here is older than 30-60 minutes (haven't decided the span yet), the session value will be removed. This so the user can log in again later if he decides to do so. But not within the 30-60 timespan lock.

The session-table will be traced by a cron job.

Answer 2

No need to use sessions. Just make a column in your database users table whether a user is logged in or not. Check it from there.

The column can be named LoggedIn and can be a enum ('Yes','No'). Also, store the time of last login in some column LastLoggedIn So, when a user wants to login, first check:

select 1 from users where ID = {$UserID} and `LoggedIn` = 'No'

If a row is returned, let him/her login.

If someone forgets to logout:

Run a cron job or script that would reset the LoggedIn status after a set period of time of users which are logged in for longer than few hours by checking LastLoggedIn time.

Answer 3

This solution doesn't require you to access the database on every page and doesn't lock out the user after they failed to log out.

Add a field for sessionID to your user table in the database.

Set the default session handler before calling session_start():

session_set_save_handler(new \SessionHandler());

On every successful login, retrieve the stored $sessionID from the database. Destroy the old session with:

(new \SessionHandler())->destroy($sessionID);

Get the new session ID with:

$sessionID = session_id();

Store the new session ID to the database.

Answer 4

Just for anyone who might need this in the future.

When a user creates a session or logs in you could take the session id that it generates and store it into a column in your database under that user's account. Then on each page on your application do a check to see if the current Session ID matches the one stored in the database for that user. If not, kill the current session and redirect them to a sign in page.

That way, the session id will be different on each device they are using to login.

Answer 5

You could store the session ID (and last access time) in a database, and reject login attempts for users with different session IDs if the last-access time is too recent(say, within the past 20 minutes). Clear the ID on logout, of course.

Note, though, if a user closes their browser without logging out and then reopens it, they may well be locked out for a while (the 20 minutes above, or whatever interval you decide on), since they won't have the matching session cookie anymore.

Answer 6

I assume you save users in a database, add an active_session field, update it upon login, and check it on requests to ensure that current user session id matches the last one stored in the database.

On Login:

UPDATE `users` SET `active_session`='$session_id';

When user goes to a page that requires login, you search that value:

SELECT * FROM users WHERE `active_session`='$session_id';

this way, if the user signs in other place, the previous session key gets overwriten, and the SELECT above returns an empty resultset.