Re: [Phplib-users] One User logged in at the same time...
From: darcy w. c. <da...@el...> - 2001-11-06 19:41:35
i have not done this, but it's certainly possible. One thing you could
do is create a new table for logging who has been authenticated. i have
done this by adding this function to my auth class.
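    function log_auth($uid,$first_name,$last_name,$email) {
        // request variables provided by PHP as globals
        global $HTTP_REFERER, $REMOTE_ADDR, $HTTP_USER_AGENT;
        $db = new DB_simple;
        $table = "auth_stats";
        $now = date("YmdHis", time());
        // addslashes() escapes each value before it goes into the query;
        // the user agent string in particular is supplied by the client
        $query = sprintf("insert into %s
            (user_id,first_name,last_name,email,start_time,addr,user_agent) values
            ('%s','%s','%s','%s','%s','%s','%s')",
            $table,
            addslashes($uid),
            addslashes($first_name),
            addslashes($last_name),
            addslashes($email),
            $now,
            addslashes($REMOTE_ADDR),
            addslashes($HTTP_USER_AGENT));
        $db->query($query);
    }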
But if you did this where the user is being authenticated and you put
the last_insert_id() into the table, you would be able to check both the
session table and this auth log table for someone logged in. Does that
make sense?
Jens Benecke wrote:
>
> On Tue, Nov 06, 2001 at 06:58:52PM +0100, Sascha Ragtschaa wrote:
>
> > I have a problem. I am using PHPlib and need a way of authentication,
> > in which a user logs into a system, and will be recognized that he is a
> > logged user. If another user tries to log in with the same Account
> > (username, password), he has to be rejected. Only one user with the same
> > account should be in the system at one time! How can I do such thing with
> > PHPlib? Did anyone already write a function of that?
>
> This will not be easy to do, because HTTP still is a stateless protocol.
> There is no such state as 'logged in' because there are no states in a
> stateless protocol, and even sessions cannot really help this.
>
> What is 'logged in'? That means a user with a certain IP address has
> provided sufficient credentials (login, password, cookies, etc) to be
> treated as a 'known person'. It does NOT mean that the user is connected to
> the server at all times, so you never know when (if!) s?he'll 'log off'
> (i.e. close h{is,er} browser window and so destroy the session cookie
> pointing to the login data). S?he can be idle for hours, even days, and
> then suddenly make another request for a page, including the session cookie
> or URL parameter that qualifies h{im,er} for a logged in user.
>
> What you need is something that guarantees a log-off. I can imagine
> something like this being done with Javascript, with a 'onClose=' and/or
> 'onUnLoad=' in the HTML BODY tag that calls a log-off script. This will
> annoy many users though because closing the window pops up another one (and
> don't tell me you've never seen sites where this is used. Just about every
> pr0n site uses it. ;) You will also need a "Redirect: $TIME,
> $logout_page") HTTP header to log off automatically after idle time. You
> will probably need to take care of several more methods of not logging off.
>
> If you don't guarantee log-off, the second user will be refused until the
> session of the first user expires, which can be days. This is probably not
> what you want. ;)
--
~darcy w. christ
Elegant Communications Inc.
416.362.9772 x222 | 416.362.8324 fax
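
The approach discussed in this thread (an auth log table checked at login, with idle expiry standing in for a log-off that cannot be guaranteed), as an added example that is not part of the original messages or of PHPLIB. It uses present-day PHP with PDO and an in-memory SQLite table; the table layout, function names, the 30-minute idle timeout and the sample values are assumptions.

```php
<?php
// Added example: one active login per account, enforced through an auth log table.
const IDLE_TIMEOUT = 1800; // seconds of inactivity before a login slot is freed (assumed)

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // PRIMARY KEY on user_id: the database itself allows one row per account
    $db->exec('CREATE TABLE auth_stats (
        user_id TEXT PRIMARY KEY, session_id TEXT NOT NULL,
        last_seen INTEGER NOT NULL, addr TEXT, user_agent TEXT)');
    return $db;
}

// Call after the password check succeeded. Returns true if this session now
// holds the account's single slot, false if another live session holds it.
function try_login(PDO $db, string $uid, string $sid, string $addr, string $ua, int $now): bool {
    $db->beginTransaction();
    // Free the slot if its owner has been idle too long (browser closed, no log-off)
    $db->prepare('DELETE FROM auth_stats WHERE user_id = ? AND last_seen < ?')
       ->execute([$uid, $now - IDLE_TIMEOUT]);
    // Bound parameters: the client-supplied user agent never becomes SQL text.
    // INSERT OR IGNORE is SQLite syntax; a second claim on the same user_id adds no row.
    $ins = $db->prepare('INSERT OR IGNORE INTO auth_stats
        (user_id, session_id, last_seen, addr, user_agent) VALUES (?, ?, ?, ?, ?)');
    $ins->execute([$uid, $sid, $now, $addr, $ua]);
    $accepted = $ins->rowCount() === 1;
    $db->commit();
    return $accepted;
}

// Call on every authenticated page request to keep the slot alive.
// Returns false when this session no longer owns the slot and must log in again.
function keep_alive(PDO $db, string $uid, string $sid, int $now): bool {
    $st = $db->prepare('UPDATE auth_stats SET last_seen = ?
        WHERE user_id = ? AND session_id = ? AND last_seen >= ?');
    $st->execute([$now, $uid, $sid, $now - IDLE_TIMEOUT]);
    return $st->rowCount() === 1;
}

// Constructed walk-through with made-up session ids, addresses and times
$db = open_store();
$t = 1000000;
$ua = "Mozilla/4.0 (quote ' test)";
var_dump(try_login($db, 'sascha', 'sess-A', '192.0.2.10', $ua, $t));       // first browser
var_dump(try_login($db, 'sascha', 'sess-B', '192.0.2.20', $ua, $t + 60));  // second browser, same account
var_dump(keep_alive($db, 'sascha', 'sess-A', $t + 120));                   // first browser loads a page
// second browser tries again after the first has been idle past the timeout
var_dump(try_login($db, 'sascha', 'sess-B', '192.0.2.20', $ua, $t + 120 + IDLE_TIMEOUT + 1));
var_dump(keep_alive($db, 'sascha', 'sess-A', $t + 120 + IDLE_TIMEOUT + 2)); // first browser returns
```

The idle timeout sets how long a second login stays refused after the first user walks away without logging off, so it should match the session lifetime configured for the site.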