TebongA closed this issue 3 years ago
Is someone else logging in using the same credentials, from a different computer?
Yes. I am expecting a few of my users to be logged in to at least 2 or 3 computers using the same credential at the same time.
it's probably something that doesn't have to do with the library but with the way you store your "authenticated" state. you are likely using the hashed username / email address in the session and hence when somebody else is logging in with the same username / email address it will overwrite the first user's session
try adding other values to the hash like IP (if that is possible) or user agent
Thanks for the reply. When I added a time stamp it will not work. Did I miss anything at all?

```php
$date_time_stamp = time();
return $this->query('
    INSERT INTO
        ' . $this->table_name . '
        (
            session_id,
            hash,
            session_data,
            session_expire
        )
    VALUES (?, ?, ?, ?)
    ON DUPLICATE KEY UPDATE
        session_data = VALUES(session_data),
        session_expire = VALUES(session_expire)
    ',
    $session_id,
    md5(
        ($this->lock_to_user_agent && isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') .
        ($this->lock_to_ip && isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '') .
        $this->security_code . $date_time_stamp
    ),
    $session_data,
    time() + $this->session_lifetime
) !== false;
```
wait, you are not supposed to write anything, ever, to the session table - that's an "internal" table, used by the library...

you have your own `users` table where you have, among all other data that you keep about your users, a `session_id` column. when that column is populated it means that the user is logged in.

when a user logs in, after you verify the email and the password on the `users` table, you update that user's `session_id` column with the value of `session_id()`

on all requests you check if there's an entry in the `users` table where the value in the `session_id` column equals the value of `session_id()` - and that's the user that's currently logged in. if you get nothing, it means the user is not logged in

i think you are confused about what this library is for - it is not about authentication at all. it simply replaces the way PHP handles session data so that instead of it being stored in files on the server, it is stored in a MySQL database.

but you don't change anything at all in the way you use PHP session functions or the `$_SESSION` superglobal. you don't interact with it at all. you use PHP as you did before, it's just that in the background the session data is stored in a different place
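
The login flow described in the reply above, as an added example (not code from the thread or from the library). It goes one step beyond the single `session_id` column by keeping one row per session in a hypothetical `user_sessions` table, so the same account can stay logged in from several computers at once; the table and column names, the use of PDO, and the SQLite demo data are all assumptions.

```php
<?php
declare(strict_types=1);
// Assumed schema, separate from the library's internal session table:
//   users(id, email, password_hash)
//   user_sessions(session_id PRIMARY KEY, user_id, expires_at)
function login(PDO $pdo, string $email, string $password, int $lifetime = 3600): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID at login so an ID set before login cannot be reused.
    session_regenerate_id(true);
    $pdo->prepare('INSERT INTO user_sessions (session_id, user_id, expires_at) VALUES (?, ?, ?)')
        ->execute([session_id(), $user['id'], time() + $lifetime]);
    return true;
}

// Returns the logged-in user's id for this request's session, or null.
function current_user_id(PDO $pdo): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM user_sessions WHERE session_id = ? AND expires_at > ?');
    $stmt->execute([session_id(), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logs out only this session; the account's other sessions keep their rows.
function logout(PDO $pdo): void
{
    $pdo->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([session_id()]);
    session_regenerate_id(true);
}

// Constructed demo data on in-memory SQLite (needs pdo_sqlite); run from the CLI.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$pdo->exec('CREATE TABLE user_sessions (session_id TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
$pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
    ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
session_start();
$before = current_user_id($pdo);
$ok     = login($pdo, 'alice@example.test', 'correct horse');
$during = current_user_id($pdo);
logout($pdo);
$after  = current_user_id($pdo);
var_dump($before, $ok, $during, $after);
```

The session data itself is still read and written through the normal PHP session functions; only the mapping from a session ID to a user lives in the application's own tables.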
Hi, just curious what I did wrong. For some reason it keeps logging out users before the official session expires. Not sure what I did wrong.
Any idea what could have caused it?