All geek questions in one place

Determine if session_id (some-id) exists

Possible duplicate:
Detect if a PHP session exists

The PHP manual does not seem to be able to check if a given session_id exists. For example, session_id() has an optional id parameter, but replaces the existing id , and does not search for the desired method: session_id_exists(some-id)

Why do I need to check if a given session_id exists? Use case is a sports subscription service in which password sharing has become a problem. When I log in, I save the user session identifier in the database and use this to compare with any other existing session identifier attached to this userID .

To implement, I need to check if the established session identifiers exist in the current session (proof of password sharing, which includes one user at a time).

I guess there is an easy way to achieve this ...

+4
source share
4 answers

First of all, it was a good study of ways to prevent password sharing.

My reaction to tracking user activity based on a query (i.e. the two-query solution proposed by @DaveRandom) was ahhhhh, no! As @CodeCaster notes, a likely case of premature optimization, but hey, we have a small (several thousand) but crazy user base that will be very happy with the start of the hockey season and the results of the game. ran for many years, do not want to rock the boat, this is a paid service, so the performance should be excellent.

OK solution:

The apache user has read / write access to the session files in the session directory. By writing down session_id during login, we have components to block shared password accounts. Upon successful login:

 - Loop through stored session ids related to target account - if /path/to/session-id-file not empty, increment login counter - if login counter exceeds number of users allowed for a given plan: - delete all session files related to target account - lock the account and force a password reset

There is minimal overhead, the implementation is cake, the problem is solved.

Note. Initially, I thought it was impossible to access session directory files without creating a security loop; however, this is not the case (at least in my CentOS 5 setup warehouse). You cannot get a session_id that is not related to the current user session, but you can save this user session identifier and access the session file that stores their session from any user session (including blowing the file). The key has a session identifier to search for the corresponding / path / to / session file

0
source

How about you doing something like this at the top of index.php

 // Update current userid/session record with current timestamp mysql_query("UPDATE sessions SET last_activity = CURRENT_TIMESTAMP() WHERE user = '$username' AND sid = '".session_id()."'"); // Search for multiple records with timestamp in the last 20 minutes where user id is the same $result = mysql_fetch_assoc(mysql_query("SELECT COUNT(*) AS current_sessions FROM sessions WHERE user = '$username' AND last_activity > '".date('Ymd H:i:s', time() - 1200)."'")); if ($result['current_sessions'] > 1) { // handle duplicates here }

You may not like this approach, because it includes two database queries at each page load, but it should work and will probably be more efficient than checking session files.

+3
source

Following the comment by CodeCaster:

Instead of checking the identifiers of the PHP session, you should, for each connection / disconnection of the connection and the end of the session, maintain a list of currently connected users (along with the connection time, IP, etc.), for example, in the DB table.

This way you can discover multiple connections with the same account.

You can also try creating a small script loop for all session files (if you use the default repository), use "unserialize ()" on it and check if multiple session files have the same user IDs (provided that you store them in $_SESSION )

EDIT : since this should be done for each user connection, the DB table approach (for example, what CodeCaster offers) looks better.

0
source

You must create your own session state implementation that offers an interface for the actions needed for your use case.

 class SessionState { public function idExists($id) { $gateway = new SessionGateway(); $result = $gateways->searchById($id); # ... } }

If you have embedded the details, you can simply use the objects in your application.

0
source

Source: https://habr.com/ru/post/1381673/

More articles:


All Articles