
I wrote a website in PHP with user authentication. I used sessions for this. When a user logs in, a flag in a database is set, and when he logs out this flag is reset. This prevents one user from logging in to the website multiple times.

All works fine, but when the user forgets to log out, the session becomes invalid after a time. When the user now tries to log in again, he is prevented from logging in, because the flag is still set.

I need a handler/function that will be invoked when the session becomes invalid/destroyed. How can I do this?

I know that there is a function called session_set_save_handler, but I only need the destroy function. I don't need the other functions. And can I access the $_SESSION variables in that function? Because the user ID, whose flag needs to be reset, is saved in this variable.

Thanks for the help.

cominfotty
  • Don't do this. Support multiple simultaneous sessions per user. People switch devices, browsers, computers, networks, etc. etc. Do you really want to prevent someone from doing that? Nobody else does, and users expect things to work. – Brad Jan 10 '18 at 09:57
  • There's no real way to do this with PHP. You'll have to set a timestamp in the database and set up a cron to delete the flag after X amount of minutes, which should correspond to the default session timeout set by you. With that said, this is a bad idea. Users may want to have multiple sessions. – Andrei Jan 10 '18 at 09:58
  • Hi Brad, thanks for your reply. I work on a commercial website, where people can buy an account. This method prevents them from purchasing only one account and distributing that account. – cominfotty Jan 10 '18 at 10:00
  • You should use better heuristics to tackle that problem. Allow X number of simultaneous logins within a small geographic region, for example. Raise a flag for manual inspection if a user appears to be using the same account from two devices *simultaneously*. Don't hard-limit everyone to a single device; you need to strike a balance between user friendliness and revenue protection, and a single database flag is not the solution. – deceze Jan 10 '18 at 10:04
  • _“I need a handler/function that will be invoked, when the session becomes invalid/destroyed”_ - the problem is that the session is not actively doing that (becoming invalid, or being destroyed). The session cookie has a certain lifetime, after which it will expire. But that does not remove the session data stored on the server - that is the job of the garbage collector. – CBroe Jan 10 '18 at 10:09

1 Answer


Since PHP has no process that can check your sessions in the background, you have to use a cron job to check your stale sessions, or else a function that is called any time anyone accesses the site and resets all stale sessions. Neither is ideal.

Rather than worry about a cron job, why not just check the session at login time? Instead of a simple flag, use a DATETIME field that you can check for staleness. Call the field something like "last_accessed" and update it to NOW() any time a user does anything on the system. Then, when they go to log in from another browser, if "last_accessed" is less than 10 minutes old (or whatever timeout interval you decide on), don't allow the login; but if it is past that timeout, allow the login and refresh the timestamp.

davidethell
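The "last_accessed" approach from the answer above, as an added example that is not part of the answer or the question: the staleness check and the claim of the account happen in one conditional UPDATE, so two browsers logging in at the same instant cannot both pass the check. The `users` table, its columns and the in-memory SQLite database with constructed rows are assumptions made so the script runs stand-alone; on MySQL the column would be a DATETIME compared against NOW().

```php
<?php
declare(strict_types=1);

const SESSION_TIMEOUT_SECONDS = 600; // the answer's "10 minutes or whatever"

function ts(int $unix): string { return gmdate('Y-m-d H:i:s', $unix); }

// Login check and claim in one conditional UPDATE: the row is only taken when no
// session touched it within the timeout, so concurrent logins cannot both succeed.
function tryLogin(PDO $db, int $userId, int $now): bool
{
    $stmt = $db->prepare(
        'UPDATE users SET last_accessed = :now
          WHERE id = :id AND (last_accessed IS NULL OR last_accessed <= :cutoff)'
    );
    $stmt->execute([':now' => ts($now), ':id' => $userId,
                    ':cutoff' => ts($now - SESSION_TIMEOUT_SECONDS)]);
    return $stmt->rowCount() === 1;
}

// Call on every authenticated request so a live session keeps its claim.
function touchSession(PDO $db, int $userId, int $now): void
{
    $db->prepare('UPDATE users SET last_accessed = :now WHERE id = :id')
       ->execute([':now' => ts($now), ':id' => $userId]);
}

// Explicit logout releases the account at once instead of waiting for the timeout.
function logout(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET last_accessed = NULL WHERE id = :id')
       ->execute([':id' => $userId]);
}

// Constructed demo data in an in-memory SQLite table (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, last_accessed TEXT)');
$now = time();
$ins = $db->prepare('INSERT INTO users (id, last_accessed) VALUES (:id, :la)');
$ins->execute([':id' => 1, ':la' => ts($now - 120)]);  // active 2 minutes ago
$ins->execute([':id' => 2, ':la' => ts($now - 1200)]); // forgot to log out 20 minutes ago
$ins->execute([':id' => 3, ':la' => null]);            // never logged in

var_dump(tryLogin($db, 1, $now)); // user 1: a session is still within the timeout
var_dump(tryLogin($db, 2, $now)); // user 2: flag older than the timeout
var_dump(tryLogin($db, 3, $now)); // user 3: no flag at all
touchSession($db, 2, $now + 60);  // user 2 keeps working, claim is refreshed
logout($db, 1);
var_dump(tryLogin($db, 1, $now)); // user 1 again, after the explicit logout
```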