
I developed a PHP application where users log in and a singleton "controller" instance contains all of the user data, like their options, permissions and so on. This controller is stored in the session and will always be the same on every page they visit.

Now, I don't really use the SID, so if the same user logs in from another PC, he will be able to have two sessions open at the same time, each one with its own SID and independent controllers.

What's the standard way to manage the SID? Should I attach to each user their "active SID" in the database and check against it every time they change page?

This way, if they logged in from another session, they would get a "session expired" error in the first one.

I'm using a secure, HTTPS-only PHPSESSID, if that matters.

Are there particular vulnerability issues I could face with this pattern?

Thanks

D3stroyah
  • On a site I did, I was asked to enforce only 1 login per user. So I had to keep a session table anyway. Just put the user in the session data; if you see the user already has a session, then you know it is his second login. Then you decide: kick the first one out, ignore the new login, ... And put an expiration trigger (I had 30 minutes) to clean up users that do not log off. – Nic3500 Sep 04 '18 at 11:50
  • So "usually" you should not check against the SID? – D3stroyah Sep 04 '18 at 12:22
  • Well, that is what I did; it is not the only solution. But to know if the user is already connected, you need to compare with something. From your question, I assumed that the SID was different from one session to the other? Hence my use of the username in the session data. Any information that uniquely identifies a user is fine; it depends on your site. – Nic3500 Sep 04 '18 at 12:25
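One way to implement the "active SID per user" check the question describes, as an added example (not code from the question or the comments): the login handler regenerates the session ID, stores a hash of it next to the user row, and every page calls a guard that compares the stored hash with the current SID and kills the session on mismatch or idle timeout. The `users` table columns `active_session_hash` and `active_session_at` are an assumed schema, and the 30-minute idle limit follows the figure in the comment above.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question: one active session per user,
// enforced by storing a hash of the current SID in the users table.
// Assumed (hypothetical) schema:
//   users(id INTEGER PRIMARY KEY, active_session_hash TEXT NULL,
//         active_session_at INTEGER NULL)

const SESSION_IDLE_LIMIT = 1800; // seconds; 30 minutes, as in the comment above

function startHardenedSession(): void
{
    // Cookie flags: HTTPS only, not readable from JS, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Reject SIDs the server never issued (blocks attacker-chosen SIDs).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function sidFingerprint(string $sid): string
{
    // Never store the raw SID: a leaked DB row must not be a usable cookie.
    return hash('sha256', $sid);
}

function loginUser(PDO $db, int $userId): void
{
    // A fresh SID at login defeats session fixation; the old one is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;

    // Overwriting the stored hash is what expires any other open session.
    $stmt = $db->prepare(
        'UPDATE users SET active_session_hash = :h, active_session_at = :t WHERE id = :id'
    );
    $stmt->execute([
        ':h'  => sidFingerprint(session_id()),
        ':t'  => time(),
        ':id' => $userId,
    ]);
}

function requireActiveSession(PDO $db): int
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $userId = (int) $_SESSION['user_id'];

    $stmt = $db->prepare(
        'SELECT active_session_hash, active_session_at FROM users WHERE id = :id'
    );
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];

    $stored = $row['active_session_hash'] ?? null;
    $lastAt = (int) ($row['active_session_at'] ?? 0);
    $isStale = $stored === null
        || !hash_equals($stored, sidFingerprint(session_id()))   // constant-time compare
        || (time() - $lastAt) > SESSION_IDLE_LIMIT;

    if ($isStale) {
        // Either a newer login replaced this SID, or it idled out: drop it.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('session expired');
    }

    // Refresh the idle timer for the session that is actually in use.
    $db->prepare('UPDATE users SET active_session_at = :t WHERE id = :id')
       ->execute([':t' => time(), ':id' => $userId]);

    return $userId;
}

function logoutUser(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        $db->prepare('UPDATE users SET active_session_hash = NULL, active_session_at = NULL WHERE id = :id')
           ->execute([':id' => (int) $_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

Call `startHardenedSession()` at the top of every page and `requireActiveSession($db)` before touching the controller object; catch the `RuntimeException` to render the "session expired" page. Two caveats worth knowing before adopting this pattern: it detects concurrent use, not hijacking as such, so a stolen cookie keeps working until the victim logs in again (at which point whichever side logs in last wins, which is itself a useful signal to log); and if you prefer the comment's other option of refusing the second login, check for a non-null, non-expired `active_session_hash` before calling `session_regenerate_id()` rather than after.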

0 Answers