Prevent login from two places

As far as I know, we can log in with the same username from different places (or different browsers) in Yii, can't we?

I want to make it so that a user can only be logged in once, meaning that if someone logs in with the same username from another place while that username is currently online, it will immediately be logged off.

My first idea for validating this is via checking the session. So when someone logs in, the application will check whether that username is already in a session; if it is, clear that session and log in the user who logged in later. But I don't know how to check the session…

Or is there any other way?

I haven't done this in Yii, but my login system works like this:

  • You log in (first time)
  • Save the session id and time of login to the database
  • On the site, I use an Ajax script to update a field in the database with the last time active
  • When you log out, I clear the session id.

When you try to log in again (with an active session):

  • I check the session id, and if it is the same and the last time active is less than 20 minutes ago, then go ahead
  • If the session is different and the last time active is less than 20 minutes ago, then don't allow the login

You can never be 100% certain that a particular user is who he claims to be; that is the nature of the WWW. That's why we have cookies and other methods, which are still not 100% accurate, but can be pretty good.

That's why I check for the 20 minutes since last activity. If for some reason I left the site and didn't close my session properly, I can wait 20 minutes and log in again.

Hope this helps.
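The flow Transistor describes (record the session id and login time, refresh "last active" from an Ajax ping, refuse a different session while the recorded one was active within the last 20 minutes, clear the id on logout) as an added, framework-agnostic PHP example; this is not code from the thread or from Yii. It uses PDO with an in-memory SQLite table so it runs stand-alone from the command line. The `user_session` table and its columns, the `SingleSessionGuard` class name, and passing the session id and the clock in as arguments are all assumptions; in a real login action you would pass `session_id()` and `time()`.

```php
<?php
// Added example: one active session per user, backed by a database row.
// Table/column names and the class are assumptions, not from the thread.

class SingleSessionGuard
{
    const ACTIVITY_WINDOW = 1200; // 20 minutes, the window used in the post

    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS user_session (
                user_id     INTEGER PRIMARY KEY,
                session_id  TEXT,
                last_active INTEGER
            )'
        );
    }

    /**
     * Returns true (and records this session) when the login may proceed:
     *  - no session on file, or
     *  - the same session id (a re-login from the same browser), or
     *  - a different session id whose owner has been idle for 20+ minutes.
     * Returns false when a different session is still active.
     */
    public function tryLogin($userId, $sessionId, $now)
    {
        $stmt = $this->db->prepare(
            'SELECT session_id, last_active FROM user_session WHERE user_id = :uid'
        );
        $stmt->execute(array(':uid' => $userId));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row && $row['session_id'] !== null) {
            // hash_equals: constant-time comparison of the stored id
            $sameSession = hash_equals($row['session_id'], $sessionId);
            $stillActive = ($now - (int)$row['last_active']) < self::ACTIVITY_WINDOW;
            if (!$sameSession && $stillActive) {
                return false; // another browser is still active: refuse
            }
        }

        $upsert = $this->db->prepare(
            'INSERT OR REPLACE INTO user_session (user_id, session_id, last_active)
             VALUES (:uid, :sid, :now)'
        );
        $upsert->execute(array(':uid' => $userId, ':sid' => $sessionId, ':now' => $now));
        return true;
    }

    /** The Ajax "still here" ping: refresh last_active only for the recorded session. */
    public function touch($userId, $sessionId, $now)
    {
        $stmt = $this->db->prepare(
            'UPDATE user_session SET last_active = :now
             WHERE user_id = :uid AND session_id = :sid'
        );
        $stmt->execute(array(':now' => $now, ':uid' => $userId, ':sid' => $sessionId));
        return $stmt->rowCount() === 1;
    }

    /** Per-request check: is this request's session the one on record for the user? */
    public function isCurrentSession($userId, $sessionId)
    {
        $stmt = $this->db->prepare(
            'SELECT session_id FROM user_session WHERE user_id = :uid'
        );
        $stmt->execute(array(':uid' => $userId));
        $stored = $stmt->fetchColumn();
        return is_string($stored) && hash_equals($stored, $sessionId);
    }

    /** Logout: clear the recorded session id so a fresh login is allowed at once. */
    public function logout($userId, $sessionId)
    {
        $stmt = $this->db->prepare(
            'UPDATE user_session SET session_id = NULL
             WHERE user_id = :uid AND session_id = :sid'
        );
        $stmt->execute(array(':uid' => $userId, ':sid' => $sessionId));
    }
}

// Walk-through with constructed values: user 42, browsers A and B.
$guard = new SingleSessionGuard(new PDO('sqlite::memory:'));
$t0 = 1700000000;

var_dump($guard->tryLogin(42, 'sess-A', $t0));            // true:  first login
var_dump($guard->tryLogin(42, 'sess-B', $t0 + 60));       // false: A active 1 minute ago
var_dump($guard->touch(42, 'sess-A', $t0 + 600));         // true:  A pings at 10 minutes
var_dump($guard->tryLogin(42, 'sess-B', $t0 + 1500));     // false: A active 15 minutes ago
var_dump($guard->tryLogin(42, 'sess-B', $t0 + 1900));     // true:  A idle for more than 20 minutes
var_dump($guard->isCurrentSession(42, 'sess-A'));         // false: A has been superseded by B
$guard->logout(42, 'sess-B');
var_dump($guard->tryLogin(42, 'sess-A', $t0 + 1910));     // true:  B logged out, no wait needed
```

The questioner's variant (log the earlier session off instead of refusing the new one) needs only two changes: always overwrite the record in `tryLogin`, and call `isCurrentSession()` on every authenticated request, logging the user out when it returns false. Either way, the stored session id is as sensitive as the session cookie itself; if the table is readable by more than the web application, store a hash of the id and compare hashes.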

thanks Transistor! :D

I think I've got your idea. I will probably use it. Right now I'm researching whether there is any function in Yii to make it easier…

Hi,

I know this thread is pretty old, but is there a solution to this problem yet?

Thx!

Please try this, it will help you:


	/**

	 * session_validate()

	 * Will check if a user has a encrypted key stored in the session array.

	 * If it returns true, user is the same as before

	 * If the method returns false, the session_id is regenerated

	 *

	 * @param {String} $email	The users email adress

	 * @return {boolean} True if valid session, else false

	 */

	

	public function session_validate(  )

	{


		// Encrypt information about this session

		$user_agent = $this->session_hash_string($_SERVER['HTTP_USER_AGENT'], $this->user_email);

	

		// Check for instance of session

		if ( session_exists() == false )

		{

			// The session does not exist, create it

			$this->session_reset($user_agent);

		}

		

		// Match the hashed key in session against the new hashed string

		if ( $this->session_match($user_agent) )

		{

			return true;

		}

		

		// The hashed string is different, reset session

		$this->session_reset($user_agent);

		return false;

	}

	

	/**

	 * session_exists()

	 * Will check if the needed session keys exists.

	 *

	 * @return {boolean} True if keys exists, else false

	 */

	

	private function session_exists()

	{

		return isset($_SESSION['USER_AGENT_KEY']) && isset($_SESSION['INIT']);

	}

	

	/**

	 * session_match()

	 * Compares the session secret with the current generated secret.

	 *

	 * @param {String} $user_agent The encrypted key

	 */

	

	private function session_match( $user_agent )

	{

		// Validate the agent and initiated

		return $_SESSION['USER_AGENT_KEY'] == $user_agent && $_SESSION['INIT'] == true;

	}

	

	/**

	 * session_encrypt()

	 * Generates a unique encrypted string

	 *

	 * @param {String} $user_agent		The http_user_agent constant

	 * @param {String} $unique_string	 Something unique for the user (email, etc)

	 */

	

	private function session_hash_string( $user_agent, $unique_string )

	{

		return md5($user_agent.$unique_string);

	}

	

	/**

	 * session_reset()

	 * Will regenerate the session_id (the local file) and build a new

	 * secret for the user.

	 *

	 * @param {String} $user_agent

	 */

	

	private function session_reset( $user_agent )

	{

		// Create new id

		session_regenerate_id(TRUE);

		$_SESSION = array();

		$_SESSION['INIT'] = true;

		

		// Set hashed http user agent

		$_SESSION['USER_AGENT_KEY'] = $user_agent;

	}

	

	/**

	 * Destroys the session

	 */

	

	private function session_destroy()

	{

		// Destroy session

		session_destroy();

	}

Courtesy - Prevent Login From Two Places