OK, first let me clarify -
I know sessions should have a logout option, I can set an expiry time and they expire when a browser is closed, but I want to be sure I am catering for the probably unreasonable supposition that a user could be stupid!
How will multiple sessions interact if say -
The user forgets he is logged in and logs in again in a different tab without closing browser
The user shares his PC / laptop, leaves it logged in and another user logs in with different credentials in a new tab
A user logs in twice on 2 different browsers
The local machine has 2 (say) Windows users and the user is switched while the previous browser is not closed
Basically multiple logins to the PHP /MySQL system with same or different credentials from the same machine.
Again to be clear, I do not want to design for allowing and managing multiple sessions, I just want to avoid them and therefore avoid any problems if it should occur.
The reason I am prompted to ask is that I tried a secure login script I found online, and if a user was left logged in and a new user registered on the same machine, then when the new user clicked on the email verification link they were taken to the previous user's session and had access to their information. I have cured this by forcing a session_destroy before a new user registers.
Any info or suggestions greatly appreciated. As I say, I don’t want a multi-session system, but I want to know what conflicts could arise if the situation arises unexpectedly, since any automatic actions PHP takes will either save me time or increase the security risks.
Well, that was poorly designed then by the original owner of that script. Realistically it makes no sense to allow a user to be logged in and at the same time be able to see the login screen and the register/sign up page.
If the user is logged in, they are logged in. If I were you, I’d check to make sure if the user session already exists and the user is logged in, redirect the user back to the home page or display a 404 error page. If you look at any website that’s properly made, a logged in user cannot view the login screen nor the sign up page.
If the user isn’t logged in, then you display those pages for them. Conversely the opposite is also true. If the user isn’t logged in, the user shouldn’t be shown anything that a logged in user should be seeing.
OK, sounds logical, but what if a new user tries to log in while the old user is still logged in? What would happen to the existing session?
Well that wouldn’t be possible. So say for example the current user is already logged in. Someone else gets on that same computer and same browser, they’ll just be shown the previous user’s session. If they went to the sign up page, it’ll redirect them back to the home page with the previous user’s logged in account. Same with the login screen. If they want to sign up for an account, they’d have to log out of the previous user’s account and then sign up. The sign up page and log in screen both shouldn’t be available to the new user even if they’re using someone else’s computer and browser.
Now if they’re using their own, that’s a whole different story. That would mean the user session was never created whether that’d be their first time on the site or they logged off and didn’t log back in. If they’re still using their own and they’re logged in, that just goes right back to my OP. Don’t display the sign up page and login screen to them.
OK, sounds good. Sorry to be a pain, but supposing they try to log in on the same computer, original user still logged in, but the new user is using a different browser. Would that be treated as 2 completely different sessions or would there be a conflict?
No pain at all. So yes, that would be completely different sessions then. Each session is created by the browser. If there’s multiple browsers installed, they will have their own sessions. That’s just how it normally works and it’s pretty normal to have a situation like that.
@spaceshiptrooper Awesome, thanks so much. So basically only allow access to login and registration to one user at a time on the same machine and same browser. If a user is already logged in, don’t display login or registration, or log out the existing user.
Yup, except you can allow the user to log off when the user is logged in. This option also shouldn’t be allowed for logged off users. They shouldn’t be able to see or access the log off option. If the operation is its own file, you should make sure the user is logged in first before performing the log off functionality.
AWESOME. Put me straight on the right track, thanks so much again.
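The guards discussed in this thread written out in PHP, as an added example that is not the script the original poster tried nor code from any participant; the `$_SESSION['user_id']` key and the file names `/login.php`, `/register.php` and `/home.php` are assumptions.

```php
<?php
// Added example, not the thread's script. Assumes the logged-in user's id lives in
// $_SESSION['user_id'] and that the pages are /login.php, /register.php, /home.php.
declare(strict_types=1);
session_start();

function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

// Top of login.php, register.php and the email-verification page: a browser that
// already carries a logged-in session is sent home instead of seeing the form.
function requireGuest(): void
{
    if (isLoggedIn()) {
        header('Location: /home.php');
        exit;
    }
}

// Top of every page a guest must not reach, including logout.php.
function requireLogin(): void
{
    if (!isLoggedIn()) {
        header('Location: /login.php');
        exit;
    }
}

// After the password check succeeds: new session id, and nothing from any earlier
// session on this browser survives into the new user's session.
function establishSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId];
}

// Full logout: wipe the data, expire the cookie, delete the server-side record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Two browsers on one machine each hold their own session cookie, so `isLoggedIn()` answers independently per browser; within one browser, `requireGuest()` is what keeps a second person from reaching the sign-up or verification page while the first is still logged in.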