stefangabos / Zebra_Session

A drop-in replacement for PHP's default session handler which stores session data in a MySQL database, providing better performance, better security and protection against session fixation and session hijacking
https://stefangabos.github.io/Zebra_Session/Zebra_Session/Zebra_Session.html

Logging Out Users #39

Closed TebongA closed 3 years ago

TebongA commented 3 years ago

Hi, just curious what I did wrong. For some reason it keeps logging out users before the official session expires. Not sure what I did wrong.

Any idea what could have caused it?

stefangabos commented 3 years ago

Is someone else logging in using the same credentials, from a different computer?

TebongA commented 3 years ago

Yes. I am expecting a few of my users to be logged in on at least 2 or 3 computers using the same credentials at the same time.

stefangabos commented 3 years ago

It's probably something that has nothing to do with the library but with the way you store your "authenticated" state. You are likely using the hashed username / email address in the session, and hence when somebody else logs in with the same username / email address it overwrites the first user's session.

Try adding other values to the hash, like the IP (if that is possible) or the user agent.

TebongA commented 3 years ago

Thanks for the reply. When I added a timestamp it would not work. Did I miss anything at all?

```php
// Fragment of Zebra_Session's write() handler as modified by the reporter;
// the timestamp line is the addition.
$date_time_stamp = time();

return $this->query('

    INSERT INTO
        ' . $this->table_name . '
        (
            session_id,
            hash,
            session_data,
            session_expire
        )
    VALUES (?, ?, ?, ?)
    ON DUPLICATE KEY UPDATE
        session_data = VALUES(session_data),
        session_expire = VALUES(session_expire)

',

    $session_id,
    // the hash now includes the current time, so it changes from one write to the next
    md5(
        ($this->lock_to_user_agent && isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') .
        ($this->lock_to_ip && isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '') .
        $this->security_code . $date_time_stamp
    ),
    $session_data,
    time() + $this->session_lifetime

) !== false;
```

stefangabos commented 3 years ago

Wait, you are not supposed to write anything, ever, to the session table - that's an "internal" table, used by the library...

You have your own users table where you have, among all the other data that you keep about your users, a session_id column. When that column is populated it means that the user is logged in.

When a user logs in, after you verify the email and the password against the users table, you update that user's session_id column with the value of `session_id()`.

On all requests you check if there's an entry in the users table where the value in the session_id column equals the value of `session_id()` - and that's the user that's currently logged in. If you get nothing, it means the user is not logged in.

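The login flow the maintainer describes above, written out as an added example (this is not Zebra_Session's own code and not something from the thread). It keeps the library's session table untouched and records the logged-in state in the application's own tables. It goes one step beyond the single `session_id` column on `users`: a separate `user_sessions` table holds one row per browser, so the same account can be logged in from several computers, which is the situation the reporter describes, and one device can be logged out without touching the others. The table and column names, the `Auth` class, and the two random ids standing in for `session_id()` on two computers are assumptions made for the example; it needs PHP 8 with the `pdo_sqlite` extension and runs against an in-memory SQLite database so it works offline (swap the DSN for your MySQL one in production).

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Zebra_Session code. Application-level login state kept in the
 * app's own tables; the library keeps owning its session_data table.
 * Table and column names (users, user_sessions) are assumptions for the example.
 */
final class Auth
{
    public function __construct(private PDO $db) {}

    public static function withSchema(PDO $db): self
    {
        $db->exec('CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            email TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL)');
        // One row per logged-in browser; several rows may point at the same user,
        // so a second computer logging in does not evict the first one.
        $db->exec('CREATE TABLE IF NOT EXISTS user_sessions (
            session_id TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL,
            created_at INTEGER NOT NULL)');
        return new self($db);
    }

    public function register(string $email, string $password): int
    {
        $stmt = $this->db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
        $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
        return (int) $this->db->lastInsertId();
    }

    /** Verify credentials and bind the current PHP session id to the user. Returns the user id or null. */
    public function login(string $email, string $password, string $sessionId): ?int
    {
        $stmt = $this->db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
        $stmt->execute([$email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            return null;
        }
        $stmt = $this->db->prepare('INSERT INTO user_sessions (session_id, user_id, created_at) VALUES (?, ?, ?)');
        $stmt->execute([$sessionId, (int) $row['id'], time()]);
        return (int) $row['id'];
    }

    /** The user owning this session id, or null when nobody is logged in under it. */
    public function currentUser(string $sessionId): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT u.id, u.email FROM users u JOIN user_sessions s ON s.user_id = u.id WHERE s.session_id = ?'
        );
        $stmt->execute([$sessionId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** Log out this browser only. */
    public function logout(string $sessionId): void
    {
        $this->db->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([$sessionId]);
    }

    /** Log the user out of every browser, e.g. after a password change. */
    public function logoutEverywhere(int $userId): void
    {
        $this->db->prepare('DELETE FROM user_sessions WHERE user_id = ?')->execute([$userId]);
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

/*
 * In the web app (after Zebra_Session is set up as its docs describe):
 *   on login:    session_regenerate_id(true);   // fresh id before binding it to a user
 *                $auth->login($email, $password, session_id());
 *   per request: $user = $auth->currentUser(session_id());
 *   on logout:   $auth->logout(session_id()); session_destroy();
 *
 * Below, two constructed random ids stand in for session_id() on two computers.
 */
$auth = Auth::withSchema(new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]));
$userId = $auth->register('alice@example.com', 'correct horse battery staple');

$computerA = bin2hex(random_bytes(16));
$computerB = bin2hex(random_bytes(16));

expect($auth->login('alice@example.com', 'wrong password', $computerA) === null, 'bad password rejected');
expect($auth->login('alice@example.com', 'correct horse battery staple', $computerA) === $userId, 'login on A');
expect($auth->login('alice@example.com', 'correct horse battery staple', $computerB) === $userId, 'login on B');

// Both computers are logged in as the same user at the same time.
expect($auth->currentUser($computerA)['email'] === 'alice@example.com', 'A is logged in');
expect($auth->currentUser($computerB)['email'] === 'alice@example.com', 'B is logged in');

// Logging out on A does not touch B; revoking everything covers a password change.
$auth->logout($computerA);
expect($auth->currentUser($computerA) === null, 'A is logged out');
expect($auth->currentUser($computerB) !== null, 'B still logged in');
$auth->logoutEverywhere($userId);
expect($auth->currentUser($computerB) === null, 'B revoked');
echo "ok\n";
```

Two points worth keeping in mind with this layout. Regenerate the PHP session id before recording it on login, so an id an attacker handed to the victim beforehand never ends up bound to an account. And rows left behind when the PHP session itself expires in the library's table are inert, because PHP session ids are random and not reused, but prune them by `created_at` now and then so the table does not grow without bound.
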
stefangabos commented 3 years ago

I think you are confused about what this library is for - it is not about authentication at all. It simply replaces the way PHP handles session data so that instead of being stored in files on the server, it is stored in a MySQL database.

But you don't change anything at all in the way you use PHP's session functions or the $_SESSION superglobal. You don't interact with the library at all. You use PHP as you did before; it's just that in the background the session data is stored in a different place.