Re: [Phplib-users] One User logged in at the same time...
From: darcy w. c. <da...@el...> - 2001-11-06 19:41:35
i have not done this, but it's certainly possible. One thing you could do is create a new table for logging who has been authenticated. i have done this by adding this function to my auth class.

    function log_auth($uid, $first_name, $last_name, $email) {
        global $HTTP_REFERER, $REMOTE_ADDR, $HTTP_USER_AGENT;

        $db = new DB_simple;
        $table = "auth_stats";
        $now = date("YmdHis", time());

        // Escape every value before it goes into the SQL string;
        // the user agent in particular is supplied by the client.
        $query = sprintf("insert into %s (user_id,first_name,last_name,email,start_time,addr,user_agent) values ('%s','%s','%s','%s','%s','%s','%s')",
            $table, addslashes($uid), addslashes($first_name),
            addslashes($last_name), addslashes($email), $now,
            addslashes($REMOTE_ADDR), addslashes($HTTP_USER_AGENT));
        $db->query($query);
    }

But if you did this where the user is being authenticated and you put the last_insert_id() into the table, you would be able to check both the session table and this auth log table for someone logged in. Does that make sense?

Jens Benecke wrote:
>
> On Tue, Nov 06, 2001 at 06:58:52PM +0100, Sascha Ragtschaa wrote:
>
> > I have a problem. I am using PHPlib and need a way of authentication,
> > in which a user logs into a system, and will be recognized that he is a
> > logged user. If another user tries to log in with the same Account
> > (username, password), he has to be rejected. Only one user with the same
> > account should be in the system at one time! How can I do such thing with
> > PHPlib? Did anyone already write a function of that?
>
> This will not be easy to do, because HTTP still is a stateless protocol.
> There is no such state as 'logged in' because there are no states in a
> stateless protocol, and even sessions cannot really help this.
>
> What is 'logged in'? That means a user with a certain IP address has
> provided sufficient credentials (login, password, cookies, etc) to be
> treated as a 'known person'. It does NOT mean that the user is connected to
> the server at all times, so you never know when (if!) s?he'll 'log off'
> (i.e. close h{is,er} browser window and so destroy the session cookie
> pointing to the login data). S?he can be idle for hours, even days, and
> then suddenly make another request for a page, including the session cookie
> or URL parameter that qualifies h{im,er} for a logged in user.
>
> What you need is something that guarantees a log-off. I can imagine
> something like this being done with Javascript, with a 'onClose=' and/or
> 'onUnLoad=' in the HTML BODY tag that calls a log-off script. This will
> annoy many users though because closing the window pops up another one (and
> don't tell me you've never seen sites where this is used. Just about every
> pr0n site uses it. ;) You will also need a "Redirect: $TIME,
> $logout_page") HTTP header to log off automatically after idle time. You
> will probably need to take care of several more methods of not logging off.
>
> If you don't guarantee log-off, the second user will be refused until the
> session of the first user expires, which can be days. This is probably not
> what you want. ;)

--
~darcy w. christ
Elegant Communications Inc.
416.362.9772 x222 | 416.362.8324 fax
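One way to combine the two suggestions in this message, a per-account login table and an idle timeout that guarantees the slot is eventually freed, shown as an added example that is not part of the original messages or of PHPLIB. The `active_login` table, the function names and the 900-second `IDLE_LIMIT` are assumptions; it uses PDO with an in-memory SQLite database and bound parameters so it runs stand-alone.

```php
<?php
// Added example: table and function names are hypothetical, not PHPLIB's.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds

function open_registry(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // PRIMARY KEY on user_id: at most one live login row per account.
    $db->exec('CREATE TABLE active_login (user_id TEXT PRIMARY KEY,
        session_id TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// Try to take the single login slot for $uid; true when granted.
function claim_login(PDO $db, string $uid, string $sid, int $now): bool {
    $db->beginTransaction();
    // Drop a stale claim so an abandoned browser cannot block the account.
    $db->prepare('DELETE FROM active_login WHERE user_id = ? AND last_seen < ?')
       ->execute([$uid, $now - IDLE_LIMIT]);
    // The key constraint makes check-and-claim one atomic statement.
    $ins = $db->prepare('INSERT OR IGNORE INTO active_login VALUES (?, ?, ?)');
    $ins->execute([$uid, $sid, $now]);
    $granted = $ins->rowCount() === 1;
    $db->commit();
    return $granted;
}

// Run on every authenticated request; false means this session lost the slot.
function touch_login(PDO $db, string $uid, string $sid, int $now): bool {
    $upd = $db->prepare('UPDATE active_login SET last_seen = ?
        WHERE user_id = ? AND session_id = ? AND last_seen >= ?');
    $upd->execute([$now, $uid, $sid, $now - IDLE_LIMIT]);
    return $upd->rowCount() === 1;
}

// Explicit logout frees the slot immediately.
function release_login(PDO $db, string $uid, string $sid): void {
    $db->prepare('DELETE FROM active_login WHERE user_id = ? AND session_id = ?')
       ->execute([$uid, $sid]);
}

// Constructed walk-through with made-up ids and timestamps.
$db = open_registry();
$t = 1000000;
var_dump(claim_login($db, 'u42', 'sess-A', $t));        // first browser logs in
var_dump(claim_login($db, 'u42', 'sess-B', $t + 60));   // second browser, A still fresh
var_dump(touch_login($db, 'u42', 'sess-A', $t + 120));  // A makes a request
var_dump(claim_login($db, 'u42', 'sess-B', $t + 2000)); // A idle past the limit
var_dump(touch_login($db, 'u42', 'sess-A', $t + 2010)); // A comes back late
```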