Ask Question Forum:
Model Library:2025-02-08:A.I. model is online auto reply
C
O
M
P
U
T
E
R
2
8
Show
#
ASK
RECENT
←
- Underline
- Bold
- Italic
- Indent
- Step
- Bullet
- Quote
- Cut
- Copy
- Paste
- Table
- Spelling
- Find & Replace
- Undo
- Redo
- Link
- Attach
- Clear
- Code
Below area will not be traslated by Google,you can input code or other languages
Hint:If find spelling error, You need to correct it,1 by 1 or ignore it (code area won't be checked).
X-position of the mouse cursor
Y-position of the mouse cursor
Y-position of the mouse cursor
Testcursor
caretPos
Attachment:===
Asked by duncanb7
at 2024-05-08 05:33:41
Point:500 Replies:6 POST_ID:828553USER_ID:11059
Topic:
PHP Scripting Language;JavaScript;Hypertext Markup Language (HTML)
Recenly I have finished example of login-form for my server website from the
tutorial lnk at http://phpsense.com/2006/php-login-script/
Now just want to know how to prevent two users use same unique login and passwd on
two different computers in php and javascript login-form to login successfuly
on my website ?
I am thinking before a way to do that , for example, when user login successfull the form, the mysql database will record the user's status such as active and when the user kill the
login IE/Firefox browser or window computer reset, there is script can delete the user
status ot be logout. But I don't know how to do it in program
Any idea if you experience this issue before or I neeed to concentrate on session and cookies application for the issue ?
please advise
DUncan
tutorial lnk at http://phpsense.com/2006/php-login-script/
Now just want to know how to prevent two users use same unique login and passwd on
two different computers in php and javascript login-form to login successfuly
on my website ?
I am thinking before a way to do that , for example, when user login successfull the form, the mysql database will record the user's status such as active and when the user kill the
login IE/Firefox browser or window computer reset, there is script can delete the user
status ot be logout. But I don't know how to do it in program
Any idea if you experience this issue before or I neeed to concentrate on session and cookies application for the issue ?
please advise
DUncan
Expert: Ray Paseur replied at 2024-05-13 10:27:31
You don't have to do any of that. If the client closes the browser, the client loses the cookie that connects to the PHP session. Without the cookie, the session data in /tmp is abandoned. Every time PHP executes session_start() it looks for /tmp session data that is more than 24 minutes old (since last use) and removes it. It's all automatic and built-in. You can learn all about sessions here.
http://us.php.net/manual/en/book.session.php
And as the fine manual tells us, if you're interested in session security, just put the site behind SSL!
http://us.php.net/manual/en/book.session.php
And as the fine manual tells us, if you're interested in session security, just put the site behind SSL!
Author: duncanb7 replied at 2024-05-13 10:18:40
Actually, just brainstorming ,we can use php script on server side to check SESSION ID saving
on /tmp directory and record all user information such login time and
remote address and user name saving in one file and check whether
there is two different remote address and session using the same login name within certain period and delete the older sessions which may more than 2 or 3 or 4.
ANd putting checking in cronjob for every half hour in a day.
Duncan
on /tmp directory and record all user information such login time and
remote address and user name saving in one file and check whether
there is two different remote address and session using the same login name within certain period and delete the older sessions which may more than 2 or 3 or 4.
ANd putting checking in cronjob for every half hour in a day.
Duncan
Accepted Solution
Expert: Ray Paseur replied at 2024-05-11 04:02:07
125 points GOOD
@DaveBaldwin: Of course! That's the way HTTP is supposed to work - atomic and stateless, client-server.
The problem here is the concept of a user who is "logged in." There is no such thing. There are only requests and responses. If our author just uses the session handler and never puts his own cookies on the client browser, the client will automatically be "logged out" after about 24 minutes of inactivity, or when the browser closes, whichever comes first.
But the whole idea of locking a client out because the last request came from a different device, however you might define "device," is a terrible idea and is to be avoided.
The problem here is the concept of a user who is "logged in." There is no such thing. There are only requests and responses. If our author just uses the session handler and never puts his own cookies on the client browser, the client will automatically be "logged out" after about 24 minutes of inactivity, or when the browser closes, whichever comes first.
But the whole idea of locking a client out because the last request came from a different device, however you might define "device," is a terrible idea and is to be avoided.
Assisted Solution
Expert: Dave Baldwin replied at 2024-05-11 01:12:33
125 points GOOD
I have logged in to Experts Exchange a number of times from more than one computer. I also have more than one IP address and there wasn't any problem.
Assisted Solution
Expert: Ray Paseur replied at 2024-05-08 07:17:36
125 points GOOD
I think we talked about this in another question. The design you've suggested here is technically incompetent and is almost certain to drive your clients away. Nobody does this, and you should not even try. Instead design your application with the idea in mind that the same client can appear from different IP addresses and different devices at any time.
I have made actual tests to demonstrate that I can have two PayPal sessions on two different machines at the same time, transact money, and both of the sessions work correctly, connecting me to the data bases and sending or receiving funds. If PayPal works this way, your application should work this way, too.
What does the lockout accomplish? Well, if a client went from using his iPad to using his iPhone for a payment, and then tried to continue using your site on the iPhone, your site would reject his attempt to login? To me that is a WTF design that misunderstands the nature of HTTP requests and the client-server protocol. Not to mention human nature and the rapidly changing nature of the web-sphere.
If you have queries that cannot be intermixed between requests, the usual way to handle these is to create transactions or simply LOCK TABLES for the duration of the query set. I've used that and it works. But it is very different from denying a client access to the site for some arbitrary length of time. That's like multiple inheritance. Just don't do it.
I have made actual tests to demonstrate that I can have two PayPal sessions on two different machines at the same time, transact money, and both of the sessions work correctly, connecting me to the data bases and sending or receiving funds. If PayPal works this way, your application should work this way, too.
What does the lockout accomplish? Well, if a client went from using his iPad to using his iPhone for a payment, and then tried to continue using your site on the iPhone, your site would reject his attempt to login? To me that is a WTF design that misunderstands the nature of HTTP requests and the client-server protocol. Not to mention human nature and the rapidly changing nature of the web-sphere.
If you have queries that cannot be intermixed between requests, the usual way to handle these is to create transactions or simply LOCK TABLES for the duration of the query set. I've used that and it works. But it is very different from denying a client access to the site for some arbitrary length of time. That's like multiple inheritance. Just don't do it.
Assisted Solution
Expert: bportlock replied at 2024-05-08 07:00:04
125 points GOOD
Because of the way HTTP works, you cannot know when a user has left your websit unless you have a 'Logout' button to press. Even then they might just stop using the website and not press the button.
One way to do what you want is to record the time of the last activity for a user profile in the database and say that no activity for (say) 15 minutes is a logout.
You would need a field in the record for each user called (say) activityTime and it could store the date and time of the last activity. So on every page you have a small script that interrogates the session where the username would be stored in the event of a successful login. It then runs an update
** UNTESTED CODE **
mysql_query("UPDATE userTable SET activityTime=NOW() WHERE username='{$_SESSION['username'}' ");
In the login process you can then check to see if the user had any activity in the last 15 minutes and disallow the login if this is the case
$rs = mysql_query("SELECT * FROM userTable WHERE username='$user' AND activityTime > DATE_SUB( NOW(), INTERVAL 15 MINUTE ) ");
if ( mysql_num_rows($rs) > 0 )
die("Sorry - already logged in");
else {
$_SESSION ['username'] = $user;
... etc
One way to do what you want is to record the time of the last activity for a user profile in the database and say that no activity for (say) 15 minutes is a logout.
You would need a field in the record for each user called (say) activityTime and it could store the date and time of the last activity. So on every page you have a small script that interrogates the session where the username would be stored in the event of a successful login. It then runs an update
** UNTESTED CODE **
mysql_query("UPDATE userTable SET activityTime=NOW() WHERE username='{$_SESSION['username'}' ");
In the login process you can then check to see if the user had any activity in the last 15 minutes and disallow the login if this is the case
$rs = mysql_query("SELECT * FROM userTable WHERE username='$user' AND activityTime > DATE_SUB( NOW(), INTERVAL 15 MINUTE ) ");
if ( mysql_num_rows($rs) > 0 )
die("Sorry - already logged in");
else {
$_SESSION ['username'] = $user;
... etc