
I'm implementing session management and am currently storing 4 types of info in the db:

  1. user_id
  2. session_id (hash)
  3. insertion_time (for timeouts)
  4. persistency (if user has a persistent cookie)

It is possible for the user to have multiple sessions open with different devices. If the user logs out, how do I know which of those sessions I should delete?

What unique information is usually stored along with the info I've already got? IP address does not really work, as it could be shared. Should I store the browser info? But what if it is the same?

Raidri
Frank Vilea

2 Answers


You should only use a single session id/hash to recognise a session.

When a user logs in (e.g. with username/password) you will tell them what their session id/hash is.

When a user is browsing, they will tell you their session id/hash for every page load. That's how you know it's an existing logged in user, and not some random new user.

When a user tries to log out, they will still tell you their session id/hash. You can use that to find and delete the correct single session.

Jeremy Lawson

You have to store the last access time / last modify time of the session to calculate the idle time for the session timeout.

To identify the user session you have to store the browser ID. The browser ID to user ID mapping will let you figure out which session of the user you have to delete.

IKavanagh