Full view of active sessions

[Ney andré de mello zunino]

Hello.

Is there any facility in PHP's session management library which allows
one to have a full view of the active sessions? In other words, is it
possible to check the existance and value of a given session variable in
any of the active sessions?

My goal is to make sure a user's access information is not used more
than once to log into the system. So, when a user submits the
authentication data, I would like to see if that login has already been
used, i.e., there is a session variable in some session storing the
login name and which contains the same value.

At present, I can't think of another way of doing it other than directly
accessing the session files on /tmp (assuming session data is being
stored in files). But I don't like that idea quite so much. A cleaner
solution which I have also considered is to have a column in the users
table which indicates his login state. Before I go for the latter
approach, I would just like to learn from you whether what I asked is
possible.

Thanks in advance,

--
Ney André de Mello Zunino

[Jeremy Johnstone]

Here is a possible solution, but I don't know if it will work for your
purposes:

When a user logs in to your site, as part of the session store a random
string (say a logincheck). Also insert this value into the database on
the same row as the username/password is stored. Then on every page load
check and make sure that "logincheck" string is valid. If someone tries
to login again, the new "logincheck" will be stored in the database, and
thus will make the first session invalid.

The only drawback to this approach is that it logs out the first user,
and doesn't notify the second user they shouldn't be logging in twice.
It still does the job of allowing only one login per user quite
effectively though.

Jeremy

On Tue, 2003-09-23 at 17:38, Ney André de Mello Zunino wrote:

> Hello.
>
> Is there any facility in PHP's session management library which allows
> one to have a full view of the active sessions? In other words, is it
> possible to check the existance and value of a given session variable in
> any of the active sessions?
>
> My goal is to make sure a user's access information is not used more
> than once to log into the system. So, when a user submits the
> authentication data, I would like to see if that login has already been
> used, i.e., there is a session variable in some session storing the
> login name and which contains the same value.
>
> At present, I can't think of another way of doing it other than directly
> accessing the session files on /tmp (assuming session data is being
> stored in files). But I don't like that idea quite so much. A cleaner
> solution which I have also considered is to have a column in the users
> table which indicates his login state. Before I go for the latter
> approach, I would just like to learn from you whether what I asked is
> possible.
>
> Thanks in advance,
>
> --
> Ney André de Mello Zunino

[Jason Sheets]

I've used this technique quiet effectively in the past. I played
around with some timeouts to try to prevent the second user from logging
in but because of the nature of HTTP it is very hard to tell when
someone has logged out when they don't click the logout button and you
wind up preventing them from logging in again which is not good.

Jeremy Johnstone wrote:

>Here is a possible solution, but I don't know if it will work for your
>purposes:
>
>When a user logs in to your site, as part of the session store a random
>string (say a logincheck). Also insert this value into the database on
>the same row as the username/password is stored. Then on every page load
>check and make sure that "logincheck" string is valid. If someone tries
>to login again, the new "logincheck" will be stored in the database, and
>thus will make the first session invalid.
>
>The only drawback to this approach is that it logs out the first user,
>and doesn't notify the second user they shouldn't be logging in twice.
>It still does the job of allowing only one login per user quite
>effectively though.
>
>Jeremy
>
>On Tue, 2003-09-23 at 17:38, Ney André de Mello Zunino wrote:
>
>

>>Hello.
>>
>>Is there any facility in PHP's session management library which allows
>>one to have a full view of the active sessions? In other words, is it
>>possible to check the existance and value of a given session variable in
>>any of the active sessions?
>>
>>My goal is to make sure a user's access information is not used more
>>than once to log into the system. So, when a user submits the
>>authentication data, I would like to see if that login has already been
>>used, i.e., there is a session variable in some session storing the
>>login name and which contains the same value.
>>
>>At present, I can't think of another way of doing it other than directly
>>accessing the session files on /tmp (assuming session data is being
>>stored in files). But I don't like that idea quite so much. A cleaner
>>solution which I have also considered is to have a column in the users
>>table which indicates his login state. Before I go for the latter
>>approach, I would just like to learn from you whether what I asked is
>>possible.
>>
>>Thanks in advance,
>>
>>--
>>Ney André de Mello Zunino
>>
>>

>
>
>