
How to manage PHP sessions across browsers

Developer https://www.devze.com 2023-01-14 00:26 Source: Web

I have the run-of-the-mill login-based PHPSESSID mechanism implemented for my web app. One aspect that bothers me is the simple scenario where a user orphans his session in browser A (on computer A), opens another in browser B (on computer B), orphans this to walk back to browser A and so forth. Possibly all this within the (reasonably lengthy) time span for which the PHPSESSID cookies are valid. If both sessions display the user static data, and the user is manipulating this, then the two browsers will not necessarily show data that is consistent with what's in the database.

My preferred response to this scenario is for the second login to invalidate the first. I can keep one PHPSESSID associated with the userID in the database. That's easy enough. Now the hard part: on the second login, how can I invalidate the PHPSESSID that's written into the database such that a subsequent access from the first session (with the now invalidated PHPSESSID) will fail?

(I cannot use session_destroy() because that wants to kill the second PHPSESSID, the one I actually want to keep. And I cannot use setCookie() for exactly the same reason.)

One idea I had involves a database access sequence number. Each new request returns the previous plus one. If out of sequence, session_destroy() the current enquirer. Slight inconvenience I see with this is that it requires an extra database fetch to recover the sequence number before each user access.

Is there any way of associating this sequence number with a userID somewhere inside the server's cache that doesn't involve any cookie transmissions?

Thanks.


I don't understand your question completely, but this is how I should do it.

If you store your session data (including SESSION_ID) in the database and you add a user_id to that table, you can delete all session_data of that user before adding the new session initiated on PC B (by that user) to the database. When the user tries to reload his/her session on PC A, the combination of his/her user_id and session_id is not present and you should log him/her out.


I see no problem in this.
On the second login you just write this second login session id in the database.
That makes previous one invalid.
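Both answers describe the same mechanism: record the session id of the most recent login against the user, and treat any other session id for that user as stale. The following is an added example of that scheme in PHP; it is not code from the question or from either answer. It assumes a `users` table with an `id` column and a nullable `current_session_id` column, stored in a SQLite file accessed through PDO, and a `/login.php` page to redirect to; those names are assumptions, not from the page. The point the question worried about (session_destroy() killing the wrong session) does not arise here, because session_destroy() is only ever called inside the request that arrives from the superseded browser, so it destroys that browser's session and nothing else.

```php
<?php
// Added example, not from the original question or answers: keep exactly one
// valid session per user by recording the current session id in the database
// and rejecting any request whose session id no longer matches it.
// Assumed schema: users(id INTEGER PRIMARY KEY, current_session_id TEXT NULL).

declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/app.sqlite'); // assumed path
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $pdo;
}

// Call this after the password has been verified for $userId.
// Regenerating the id gives this browser a fresh PHPSESSID; writing it to the
// user's row makes any earlier id for the same user stale without having to
// touch the other browser's cookie at all.
function login(int $userId): void
{
    session_regenerate_id(true);            // new id; old session data removed
    $_SESSION['user_id'] = $userId;
    $stmt = db()->prepare('UPDATE users SET current_session_id = :sid WHERE id = :uid');
    $stmt->execute([':sid' => session_id(), ':uid' => $userId]);
}

// Call this at the top of every authenticated request. The single indexed
// lookup per request is the cost the question mentions; it is what ties the
// browser's session to the database record.
function requireValidSession(): int
{
    if (empty($_SESSION['user_id'])) {
        rejectSession();
    }
    $stmt = db()->prepare('SELECT current_session_id FROM users WHERE id = :uid');
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null || !hash_equals((string) $stored, session_id())) {
        // This browser holds a superseded PHPSESSID: destroy *its* session only.
        rejectSession();
    }
    return (int) $_SESSION['user_id'];
}

// Clear and destroy the session belonging to the current request, expire its
// cookie, and send the browser back to the login page.
function rejectSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php', true, 302); // assumed login page
    exit;
}

// Explicit logout: forget the recorded id so no session is valid for the user.
function logout(int $userId): void
{
    $stmt = db()->prepare('UPDATE users SET current_session_id = NULL WHERE id = :uid');
    $stmt->execute([':uid' => $userId]);
    rejectSession();
}

session_start();

// Usage on a protected page (after the include above):
//   $uid = requireValidSession();
// Usage in login.php once the password check has passed:
//   login($userId);
```

Storing the session id in the users row, rather than a separate sessions table, is enough for the one-session-per-user policy asked about; if the site already keeps a database-backed session store with a `user_id` column, the first answer's variant (delete that user's other rows at login) achieves the same thing, and the per-request check then becomes "does my session row still exist".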

