how to stop 2 users from using the same login info

Hello,

I am trying to stop users from sharing their login info, so that if user1 logs in and is using my application and user2 tries to log in with the same login info, it would either log both out or log user1 out. Has anyone done this before with Yii?

Thanks in advance.

Natron

That’s actually a very good idea for an application I am currently working on… I’ll let you know what I come up with (gonna sleep on it… always seems to work for me).

I have done it in one of my normal PHP applications, but I think it’s not the best way. What I have done: when a user logs in, you change his status to logged in or something else. When he logs out, you change the status to logged out or whatever you prefer. If the user’s status is logged in and anyone else tries to log in, you refuse the login. Now what happens if the user does not log out and just closes the browser window? You can use a time difference, like after 3 hours from his login he counts as logged out.

To me it’s not a good idea and there must be some other way to handle it. Like sessions saved in the database. But I don’t use that way so I can’t tell.

If you get any other idea please share.

One possible solution…

On every user login generate a random number like md5(rand())+md5(rand()) and store that in the user session and cookie.

On every action check that the cookie value is the same as the session value, if not deny the action.

Maybe have a little AJAX script updating a value in the DB with the current time every 5 minutes. If the browser window is closed the script stops and the person is considered logged out.

I’ve done this some years ago in a non-Yii project and it’s been working very fine until now, never had any issue related to this approach.

So +1 for this solution.

Regards!

Could you tell me more about this, Natron, Junior-df9 and Maurizio? I didn’t quite get it.

I mean, like this:

USER1 login, use login info USER1

get random number = 13.

SESSION = 13

cookies = 13

USER2 login, use login info USER1

get random number = 14

SESSION = 14

cookies = 14

Couldn’t both users log in at the same time?

Please enlighten me.

Thanks.

One idea is that you log one user out, before logging another user in. This way, if he refreshes the page, or goes to another site, he will be logged out.

Another idea is to use a combination of AJAX/Comet to kick a logged user out or keep a logged user in, and the newly logged user out.

@nashashmi :

Thanks.

But I’m not used to AJAX/Comet, so I used the following, based on your idea:

  1. Save the user’s session id to a global variable array with the user id as the key,

  2. If another user logs in using the same login info, load and destroy that session in the global variable (delete the session file).

I finally figured out what mr.domba was talking about. It looks like what he was talking about was session hijacking.
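The single-login idea discussed in this thread comes down to keeping one server-side record per account and checking it on every request. The following is an added example, not code from any poster: `SingleLoginRegistry` and its method names are hypothetical, the array stands in for a column on the user table, and `random_bytes()` is used in place of `md5(rand())` because the token must be unpredictable.

```php
<?php
// Added example: one active login per account.
// SingleLoginRegistry is a hypothetical name; the array stands in for a
// column on the user table (or a shared cache) in a real application.

final class SingleLoginRegistry
{
    /** @var array<int,string> user id => token of the only valid login */
    private array $current = [];

    // Call after the password check succeeds. Overwriting the stored token
    // is what invalidates any earlier login for the same account.
    public function login(int $userId): string
    {
        $token = bin2hex(random_bytes(16)); // CSPRNG output, 32 hex characters
        $this->current[$userId] = $token;
        return $token; // keep this in the user's own session data
    }

    // Call on every request; log the user out when this returns false.
    public function isCurrent(int $userId, string $sessionToken): bool
    {
        return isset($this->current[$userId])
            && hash_equals($this->current[$userId], $sessionToken);
    }

    // Only the current login may clear the record, so a session that was
    // already replaced cannot log out the newer one.
    public function logout(int $userId, string $sessionToken): void
    {
        if ($this->isCurrent($userId, $sessionToken)) {
            unset($this->current[$userId]);
        }
    }
}

// Constructed scenario: two browsers log in to the same account (user id 1).
$registry = new SingleLoginRegistry();
$browserA = $registry->login(1);
var_dump($registry->isCurrent(1, $browserA)); // checked before the second login

$browserB = $registry->login(1);              // second login replaces the first
var_dump($registry->isCurrent(1, $browserA)); // browser A's next request
var_dump($registry->isCurrent(1, $browserB)); // browser B's next request
```

Comparing a cookie with the same browser's session, as in the USER1/USER2 walk-through above, cannot detect the second login because each browser is only checked against itself; the comparison has to be against a value stored per account.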