Allow just one PHPSESSID per user
Question
I've created a webservice, on which users can log in sending an oauth token. As response, this webservice returns a PHPSESSID cookie to keep the user logged in.
However, if you do log in several times, a new ID is generated each time. Examples:
- ts1i3plmdcnmoivai637a27oe1
- bhn1snms8kajmpo8ape5e5ctj3
- d5467idr1ree9dcq6h9cqt9oj2
- en2vbo1r62fqmrriid8l4rkvd3
All those 4 ID's are valid.
Is there any way make this sessid unique per user? So for example, when ID#4 is generated, previous 3 are discarded. Then I could handle a 403 error or whatever.
On the other hand, a second question:
Is it possible to make this PHPSESSID token longer?
1 answers
solution1
1 ACCPTED 2015-02-14 15:02:24
If you want that then it's better to use your own cookies instead of php sessions.
You'll need to generate a random cookie key when someone log in, I'll call that random cookie key as cookie_id.
Then you need to store it in the database with the user_id it's connected to, so you can make a new table in database called sessions, with cookie_id and user_id fields (user_id needs to be unique), or you can extend your user table with cookies_id field.
After saving the cookie_id value with it's related user in db, you'll give that cookie_id to that user through cookies.
You can verify logged-in user with his cookie_id. When logging out cookie_id will be null in db. When another login happen, new cookie_id will be written over the old cookie_id in db. That's it
Also You can set the period of your cookie with the expire parameter: http://php.net/manual/en/function.setcookie.php
For more security you can make cronjobs to delete cookie ids from db after some period of time. (You'll need to store the login date to do so)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.