What are session IDs? In PHP, are session IDs assigned to each user or to each browser?

I am really confused about sessions in PHP. I am doing a website, this is my first project, and I am stuck on a user login system. I can't understand how PHP sessions work. Are these session IDs unique to each user, or are they unique to each browser?
Here is my problem.
When I log in using the username and password for user1, I start a new session and a unique session ID is created, let's say PHPSESSID XXXXXXXXXXXXXXXX. So when I log out from user1, I destroy the session, and the session ID XXXXXXXXXXXXXXXX generated during the login for user1 is deleted from the temp folder.
Next I log in using user2 and password. A new session is again created, but I get the same session ID, i.e. XXXXXXXXXXXXXXXX, which was generated during the first login. I don't understand how the same session ID gets assigned to two different users.
All this while I was using Google Chrome to browse.
But then I used Firefox to log in using user1 and password, and this time a new session ID is created, i.e. XXXXXXXXXXXXXXX1. Then I log out and again log in using user2, and again the session ID assigned to user2 is the same XXXXXXXXXXXXXXX1.
I don't understand all this. If the session ID is unique to each user, then why is the same session ID assigned to two different users on the same browser?

Can't say much for PHP specifically, but HTTP by itself is stateless - i.e. if you make the same request, you (should) get the same response. What PHP and many other languages do is use session IDs - sometimes stored in cookies, sometimes stored in the URL.
Long story short, your Session ID should be unique to each user for each browser. For example, if Alice logs in on her home computer, then logs in on her work computer, the session IDs should be different. If Alice then logs out of her home computer and Bob logs in (same computer, same browser as Alice's first login) he should still get a different session ID - it's all done so that your framework (i.e. PHP) can track 'sessions' of website use.
In your case, duplicate session IDs might be due to lingering cookies, server problems, or PHP might be legitimately reusing one ID (maybe for performance reasons). If you haven't modified much of the session code, chances are it's either cookie issues with the browser or ID reuse.
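An added example in Python (not PHP, and not code from the question or the answer above) that models PHP's default cookie-based session handling closely enough to reproduce what the question describes: session_destroy() deletes the server-side session data but leaves the PHPSESSID cookie in the browser, so the next session_start() adopts the same id, and two users logging in one after another from the same browser get the same id. Calling session_regenerate_id(true) at login gives every login a fresh id, which is also what stops session fixation, where an attacker plants a known id in the victim's browser before the victim logs in. The Browser and Server classes and the attacker-chosen id are constructed stand-ins.

```python
import secrets


class Browser:
    """Constructed stand-in for one browser profile: a cookie jar that outlives logout."""

    def __init__(self):
        self.cookies = {}


class Server:
    """Model of PHP's default session handling (data files keyed by id in the temp dir)."""

    COOKIE = "PHPSESSID"

    def __init__(self):
        self.store = {}  # session id -> session data

    def session_start(self, browser):
        # PHP adopts whatever id the PHPSESSID cookie carries and only mints a new
        # one when no cookie is present (session.use_strict_mode, off by default,
        # would additionally reject ids the server never issued).
        sid = browser.cookies.get(self.COOKIE)
        if sid is None:
            sid = secrets.token_hex(16)
            browser.cookies[self.COOKIE] = sid
        self.store.setdefault(sid, {})
        return sid

    def session_destroy(self, browser):
        # session_destroy() removes the server-side data only; the cookie stays in
        # the browser, which is exactly what the question observed.
        self.store.pop(browser.cookies.get(self.COOKIE), None)

    def session_regenerate_id(self, browser):
        # session_regenerate_id(true): new id, data carried over, old id removed.
        old = browser.cookies.get(self.COOKIE)
        data = self.store.pop(old, {})
        new = secrets.token_hex(16)
        self.store[new] = data
        browser.cookies[self.COOKIE] = new
        return new

    def login(self, browser, username, regenerate):
        sid = self.session_start(browser)
        if regenerate:
            sid = self.session_regenerate_id(browser)
        self.store[sid]["user"] = username
        return sid

    def logout(self, browser):
        self.session_start(browser)
        self.session_destroy(browser)


def same_browser_two_users(regenerate):
    """user1 logs in and out, then user2 logs in, all from one browser; returns both ids."""
    server, chrome = Server(), Browser()
    sid1 = server.login(chrome, "user1", regenerate)
    server.logout(chrome)
    sid2 = server.login(chrome, "user2", regenerate)
    return sid1, sid2


def fixation_succeeds(regenerate):
    """Attacker plants a known id in the victim's browser before the victim logs in.
    Returns True if the attacker's id now names the victim's authenticated session."""
    server, victim = Server(), Browser()
    planted = "attacker-chosen-id"
    victim.cookies[Server.COOKIE] = planted
    server.login(victim, "victim", regenerate)
    return server.store.get(planted, {}).get("user") == "victim"


if __name__ == "__main__":
    a, b = same_browser_two_users(regenerate=False)
    print("destroy only: same id for both users ->", a == b)
    a, b = same_browser_two_users(regenerate=True)
    print("regenerate on login: fresh id per login ->", a != b)
    print("fixation without regeneration ->", fixation_succeeds(False))
    print("fixation with regeneration ->", fixation_succeeds(True))
```

The first function reproduces the question's observation; the second shows why the same behaviour is a security problem rather than a curiosity. In PHP itself the fix is session_regenerate_id(true) right after the credentials check, and session.use_strict_mode=1 so that ids the server never issued are refused.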

Related

OAuth combined with custom users

I have a website where users can create an account and log in. This is stored in a database on the server. I also want users to be able to log in with Facebook etc, and thus skip the account creation. I don't know how to combine this and keep it persistent in the database. Any good examples on this use case?
Let's first see how logins work in general. When a user is logging in for the first time, a session id is generated for the user and is stored in the browser of the user as a cookie (note that there are mechanisms to store session id without a cookie, but let's assume you require a cookie for simplicity).
For subsequent requests to other pages in the same website, the cookie is also sent along. With this cookie (which has the session id), the unique user can be identified.
So, all that you require to know to identify a user in the server side (upon a web request) is the session id.
Having said that, if you want to include facebook etc into the login mechanisms, you need to do two things:
Connect your website with Facebook (you will require a Facebook developer account and some keys. Look here). When you do this successfully, if the user selects Facebook login, your website should redirect to the Facebook login page, and once the user logs in to their Facebook account, Facebook will redirect back to your website with a token. This token is an indication that the user is a 'real' user. If required, you can use the token to get more details (such as Facebook id, email address, name, etc.) from Facebook's APIs.
The second step is the same for any authentication flow. You need to generate a session id for use by your server and then save the session id in a cookie.
What I have specified is the general flow on how your requirement could be achieved. The mechanics of how to do this will depend on the server side technology that you are adopting (such as ASP.NET, Ruby, etc.)
Additionally, if your website requires storing information about the user behavior / user activity, you may need to additionally check if the user logged in via FB already exists in your database. If not present, you can store the user's facebook id or something to uniquely identify the user later. With this as the primary key / user id, you can store user activity (such as inserting a record in orders table if the user purchases a product).
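As an added example (not part of the answer above), the flow in Python with an in-memory SQLite database: local accounts with a salted PBKDF2 password hash, external identities linked to a local user row by (provider, provider user id), and one session table that both login paths write to. The provider exchange itself is not modelled; login_external receives a constructed profile dict standing in for the identity your server fetched from the provider's API with the token it handed back. The table names, the Accounts class and the PBKDF2 parameters are my choices, not anything the answer specifies.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 200_000


class Accounts:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
                                pw_salt BLOB, pw_hash BLOB);
            CREATE TABLE external_identities (
                provider TEXT NOT NULL, provider_user_id TEXT NOT NULL,
                user_id INTEGER NOT NULL REFERENCES users(id),
                PRIMARY KEY (provider, provider_user_id));
            CREATE TABLE sessions (session_id TEXT PRIMARY KEY,
                                   user_id INTEGER NOT NULL REFERENCES users(id));
        """)

    # --- local accounts (username/password kept on the server) ------------
    def register_local(self, email, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        cur = self.db.execute(
            "INSERT INTO users (email, pw_salt, pw_hash) VALUES (?, ?, ?)",
            (email, salt, digest))
        return cur.lastrowid

    def login_local(self, email, password):
        row = self.db.execute(
            "SELECT id, pw_salt, pw_hash FROM users WHERE email = ? AND pw_hash IS NOT NULL",
            (email,)).fetchone()
        if row is None:
            return None
        uid, salt, stored = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(stored, candidate):
            return None
        return self._new_session(uid)

    # --- external provider login (Facebook etc.) ---------------------------
    def login_external(self, provider, profile):
        """profile: the identity your server fetched from the provider's API with the
        token it handed back; it is trusted only because the server validated it."""
        key = (provider, str(profile["id"]))
        row = self.db.execute(
            "SELECT user_id FROM external_identities WHERE provider = ? AND provider_user_id = ?",
            key).fetchone()
        if row is not None:
            uid = row[0]
        else:
            # First visit: create a local user with no password, linked by provider id.
            # Deliberately NOT merged into an existing local account by e-mail: an e-mail
            # claim from the provider is not proof that this person owns that account.
            cur = self.db.execute("INSERT INTO users (email) VALUES (?)", (profile.get("email"),))
            uid = cur.lastrowid
            self.db.execute("INSERT INTO external_identities VALUES (?, ?, ?)", (*key, uid))
        return self._new_session(uid)

    # --- the step shared by both flows: issue the session cookie value -----
    def _new_session(self, uid):
        sid = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, uid))
        return sid

    def user_for_session(self, sid):
        row = self.db.execute("SELECT user_id FROM sessions WHERE session_id = ?", (sid,)).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    accounts = Accounts()
    alice = accounts.register_local("alice@example.com", "correct horse battery")
    sid = accounts.login_local("alice@example.com", "correct horse battery")
    print("alice via password ->", accounts.user_for_session(sid) == alice)
    # Constructed provider profile, as if returned by the provider after token validation.
    s1 = accounts.login_external("facebook", {"id": 10000123, "email": "bob@example.com"})
    s2 = accounts.login_external("facebook", {"id": 10000123, "email": "bob@example.com"})
    print("bob via facebook, same local user both times ->",
          accounts.user_for_session(s1) == accounts.user_for_session(s2))
```

The thing to notice is the lookup key: the provider's user id, not the e-mail address. If you matched on e-mail, anyone who can get a provider to vouch for an address (not every provider verifies addresses) could log into the matching local account. A separate "link this provider to my account" step, performed while already logged in with the password, is how the two get joined deliberately.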

Log someone out if the same credentials is used to log in from another web client

In an ASP.NET MVC application, is it possible to log someone out if the login credentials are used on another web client?
For example:
1) user logs in from PC A, with user id admin
2) another user logs in with user id admin from PC B
3) PC A gets signed out
I would look at setting a token on the client cookie. This token can be checked for subsequent calls and if it doesn't match then kick the user off.
So, in terms of a use case...
Create a table - LoggedInUsers that has, say, the UserID, Token
When the user logs in on browser A you can check against the LoggedInUsers table to see if they are currently logged in and have a matching token. If they don't exist, then create a token, store it in their cookie and add the entry to the table. If they are in the table and do have a matching token then they are the same browser. If they are in the DB but the token doesn't match then you choose whether you want the new user to have their token overwrite the existing one or to prevent logging in.
Now every page call should check the LoggedInUsers table so you can log the user out if they are logged in via another browser.
Hope that makes sense...
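An added Python example, not the answer's code, of the LoggedInUsers table and the per-request check described above, with the answer's two options exposed as a policy: the newest login replaces the earlier token (so PC A is signed out), or the second login is refused. The table is an in-memory dict here, and the auth cookie is modelled as a dict holding the user id and token.

```python
import hmac
import secrets


class LoggedInUsers:
    """The LoggedInUsers table: user id -> token of the login currently allowed."""

    def __init__(self, policy="newest_wins"):
        if policy not in ("newest_wins", "first_wins"):
            raise ValueError(policy)
        self.policy = policy
        self.table = {}

    def login(self, user_id):
        """Returns the cookie contents for this login, or None if the login is refused."""
        if user_id in self.table and self.policy == "first_wins":
            return None                      # already logged in elsewhere: refuse
        token = secrets.token_urlsafe(32)
        self.table[user_id] = token          # newest login replaces the earlier token
        return {"uid": user_id, "token": token}

    def authorize(self, cookie):
        """Per-request check. Returns the user id, or None meaning 'sign this client out'."""
        if not cookie:
            return None
        current = self.table.get(cookie["uid"])
        if current is None or not hmac.compare_digest(current, cookie["token"]):
            return None
        return cookie["uid"]

    def logout(self, cookie):
        if self.authorize(cookie) is not None:
            del self.table[cookie["uid"]]


def admin_from_two_pcs(policy="newest_wins"):
    """1) admin logs in from PC A, 2) admin logs in from PC B, 3) both clients are checked."""
    users = LoggedInUsers(policy)
    pc_a = users.login("admin")
    pc_b = users.login("admin")
    return users.authorize(pc_a), (users.authorize(pc_b) if pc_b else None)


if __name__ == "__main__":
    print("newest wins:", admin_from_two_pcs("newest_wins"))   # (None, 'admin')
    print("first wins: ", admin_from_two_pcs("first_wins"))    # ('admin', None)
```

The token comparison is constant-time. If the table is readable by more people than the web application (backups, reporting), store a hash of the token rather than the token itself, as with any bearer credential.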

ASP.NET MVC ActiveDirectoryMembershipProvider user stays logged in even when password has changed

I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in Active Directory, the user stays logged in to the web app.
How can I ensure the user does not stay logged in to the web app if their domain password changes, their account is disabled, etc.?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has an authentication ticket (cookie), the user is not challenged for authentication again until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will be required to use their new password. Variations of this solution include using session-only cookies so that the user must always log in when the browser is closed (recommended for AD authentication).
Write an HTTP module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you expire the user's cookie and redirect them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
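An added Python example, not code from either answer, of the mechanism the first answer describes and the second answer's module approximates: a self-issued, HMAC-signed ticket (standing in for FormsAuthenticationTicket, with the validation time where UserData would go), trusted as-is for 30 minutes and after that re-checked against the directory, which rejects it if the account is no longer approved or the password changed after the recorded validation time. The directory is a constructed dict standing in for Active Directory, the signing key is a demo constant, and the function and field names are mine.

```python
import hashlib
import hmac
import json

RECHECK_SECONDS = 30 * 60                 # how long a ticket is trusted without asking AD
SECRET = b"constructed-demo-signing-key"  # stands in for the machine key that signs tickets


def issue_ticket(username, validated_at):
    """Signed ticket whose user-data records when the directory last vouched for the user."""
    payload = json.dumps({"u": username, "validated": validated_at}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def read_ticket(ticket):
    """Returns the ticket's fields, or None if it is malformed or the signature fails."""
    if not isinstance(ticket, str):
        return None
    try:
        body, tag = ticket.split(".")
        payload = bytes.fromhex(body)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def authenticate_request(ticket, directory, now):
    """Per-request check. Returns (username, ticket to send back) or (None, None)
    when the client must be sent to the login page."""
    fields = read_ticket(ticket)
    if fields is None:
        return None, None
    if now - fields["validated"] < RECHECK_SECONDS:
        return fields["u"], ticket                         # inside the window: trust it
    account = directory.get(fields["u"])                   # the periodic re-check
    if (account is None or not account["approved"]
            or account["password_changed"] > fields["validated"]):
        return None, None                                  # removed, disabled or password changed
    return fields["u"], issue_ticket(fields["u"], now)     # re-vouched: fresh validation time


def password_change_scenario():
    """Decisions at four points in time against a constructed directory."""
    t0 = 1_700_000_000
    directory = {"alice": {"approved": True, "password_changed": t0 - 86_400}}
    ticket = issue_ticket("alice", validated_at=t0)
    inside = authenticate_request(ticket, directory, now=t0 + 60)[0]
    directory["alice"]["password_changed"] = t0 + 600           # admin resets the password
    lagging = authenticate_request(ticket, directory, now=t0 + 900)[0]
    rechecked = authenticate_request(ticket, directory, now=t0 + RECHECK_SECONDS)[0]
    directory["alice"]["password_changed"] = t0 - 86_400         # no change after all...
    directory["alice"]["approved"] = False                       # ...but the account is disabled
    disabled = authenticate_request(ticket, directory, now=t0 + RECHECK_SECONDS)[0]
    return inside, lagging, rechecked, disabled


if __name__ == "__main__":
    print(password_change_scenario())   # ('alice', 'alice', None, None)
```

The second value in the scenario shows the cost of this design: a password reset takes effect at the next re-check, not immediately. Shortening RECHECK_SECONDS narrows that window at the price of more directory queries; the second answer's list of recently updated users is the way to close it without querying on every request.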

Read session or cookie on CallBack

We have an ASP.NET MVC 3 application which is integrated with the Google Checkout API. Is there a way to access the Session or Cookie of the site in the Google Checkout CallBack?
Suppose I have logged into my site with UserID: ramiz and Password: r#miz. After I provide my credentials on login, it collects more details about me and puts them in the session (like first and last name). Once I get in, I see a list of (used) iPhones. There, I see a cheap deal offering an iPhone 3G for only $150. There is a "Buy Now" button in front of that deal. I click on it, it asks me for some more data and finally takes me to Google Checkout to do the transaction and place the order. I did, and it shows me a "Thanks" message, which means the transaction completed successfully.
When we check out, Google calls our defined CallBack URL, where we can collect the Notification XML which has the order details. We are getting that Notification XML and are happy to see that all the details we require are in there. Here, we need to access the user's Session or Cookie to get their first/last name and UserID. We have tried to access the Session/Cookie but it seems to fail.
How do we access the Session or Cookie here? Or is there any better way of doing this?
Thanks.
Cookies (including session cookies) can only be accessed if the client (browser) actually goes back to your web site (if they do).
You can look into storing the data in:
merchant-private-data (order level)
merchant-private-item-data (item level)
instead of cookies. These will be echoed back to your handler in new-order-notification.
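An added Python example, not the answer's code, of the approach above: put a reference to the logged-in user into merchant-private-data when the cart is built, then read it back from the new-order-notification. Because that value comes back in an HTTP request from outside, the example tags it with an HMAC and verifies the tag in the callback, so an altered or forged reference is rejected instead of trusted. The XML is a constructed sample in the shape of the Checkout cart and notification documents (the namespace URI is assumed from the API), and the callback itself is simulated by wrapping the cart back into a notification.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "http://checkout.google.com/schema/2"   # Checkout API namespace (assumed)
KEY = b"constructed-merchant-secret"          # kept on the merchant server only
ET.register_namespace("", NS)


def _q(name):
    return f"{{{NS}}}{name}"


def make_private_data(user_id):
    """What goes into <merchant-private-data>: the reference plus an HMAC over it."""
    tag = hmac.new(KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


def parse_private_data(value):
    """Recover the reference from the echoed value, or None if it was altered."""
    user_id, sep, tag = value.rpartition(":")
    if not sep or not user_id:
        return None
    expected = hmac.new(KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


def build_cart(user_id, item_name, price_usd):
    """Constructed checkout-shopping-cart document carrying the tagged reference."""
    root = ET.Element(_q("checkout-shopping-cart"))
    cart = ET.SubElement(root, _q("shopping-cart"))
    item = ET.SubElement(ET.SubElement(cart, _q("items")), _q("item"))
    ET.SubElement(item, _q("item-name")).text = item_name
    ET.SubElement(item, _q("unit-price"), currency="USD").text = price_usd
    ET.SubElement(item, _q("quantity")).text = "1"
    ET.SubElement(cart, _q("merchant-private-data")).text = make_private_data(user_id)
    return ET.tostring(root, encoding="unicode")


def constructed_notification(cart_xml, order_number):
    """Stand-in for Google's callback: the cart echoed inside a new-order-notification."""
    cart = ET.fromstring(cart_xml).find(_q("shopping-cart"))
    root = ET.Element(_q("new-order-notification"))
    ET.SubElement(root, _q("google-order-number")).text = order_number
    root.append(cart)
    return ET.tostring(root, encoding="unicode")


def user_from_notification(xml_text):
    """Callback handler side: pull the reference back out and verify it before use."""
    el = ET.fromstring(xml_text).find(".//" + _q("merchant-private-data"))
    if el is None or not el.text:
        return None
    return parse_private_data(el.text)


if __name__ == "__main__":
    cart = build_cart("ramiz", "iPhone 3G (used)", "150.00")
    note = constructed_notification(cart, "constructed-order-1")
    print("user recovered from callback:", user_from_notification(note))
    print("tampered callback:", user_from_notification(note.replace("ramiz:", "admin:")))
```

Carrying only the user id (and looking the name up in your own database when the callback arrives) also keeps personal data out of a document that leaves your server.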

"Remember Me" Login for website - Problem with different browsers/computers

I'm trying to implement a "Remember Me" login functionality for an ASP.NET MVC site I'm building. I'm trying to use this approach http://jaspan.com/improved_persistent_login_cookie_best_practice (see 'Miller's Design' near top) and have it working to a degree.
Thus the work-flow is:
User logs in and is issued a cryptographically secure random string + their database ID as a persistent cookie (lasting about 30 days). Secure string is stored in the database next to their user account record.
User later comes back to the site, where the browser presents the login cookie; the ID and secure key are looked up in the database and if a match is found, the user is automatically authenticated.
Once authenticated a new secure key is generated, stored in the database and new cookie issued.
I have this working fine, however, it doesn't work very well if the user logs in from multiple browsers or computers. Obviously different browsers will end up with a different secure key stored as a cookie, thus the work-flow becomes:
User logs in from browser A, is issued a secure key as cookie, key is stored in database.
User logs in from browser B, is issued a different secure key as cookie. Key is also stored in database, but overwrites the key generated from browser A.
User visits site from browser A again, browser presents cookie issued from step 1. but it no longer matches because secure key was replaced in step 2. so user has to log in again. Another new key is generated and overwrites the key issued to browser B.
Users visits from browser B again, key doesn't match, has to log in again etc. etc.
How do I solve this? Do I need to store and maintain multiple keys in the database? Am I even going about this the right way? I've noticed StackOverflow seems to manage this and remembers me from different browsers and computers.
From reading the article you linked, it seems to me that Miller's design is to store the random string and the username as a pair in a different table from the user table. By using the random string as the index, you can have multiple simultaneous logins from the same username while still being reasonably well protected from session hijacking.
Your description indicates that you store the random string inside the user table, which would only allow one login at a time.
You need a third item in your cookie, a 'series' token. This will represent a login event. Every time the user logs into your system, it creates a new series, which doesn't change until they log out or log in again. You still have your token, i.e. the Secured Key, that is updated on every request.
Here's some links to help with this implementation:
Database problems when allowing multiple browser persistent log ins
The definitive guide to form-based website authentication
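An added Python example, not code from either answer, of the series + token design both answers point to. Each login event gets its own series row, so browser A and browser B hold independent cookies; the token rotates on every successful use; and a valid series presented with a token that is no longer current is treated as a copied cookie, which revokes every series for that user. Tokens are stored as SHA-256 hashes so a read of the table alone does not yield usable cookies. The in-memory dict stands in for the login table, and the class and field names are mine.

```python
import hashlib
import hmac
import secrets

TOKEN_LIFETIME = 30 * 24 * 3600   # the cookie's 30-day life from the question


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


class PersistentLogins:
    def __init__(self):
        self.rows = {}   # series -> {"user": ..., "token_hash": ..., "expires": ...}

    def issue(self, user_id, now):
        """New login event: fresh series and token. The returned dict is the cookie to set."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.rows[series] = {"user": user_id, "token_hash": _h(token),
                             "expires": now + TOKEN_LIFETIME}
        return {"series": series, "token": token}

    def authenticate(self, cookie, now):
        """Returns (user_id, replacement cookie) on success, (None, None) otherwise."""
        if not cookie:
            return None, None
        row = self.rows.get(cookie["series"])
        if row is None or row["expires"] < now:
            self.rows.pop(cookie["series"], None)
            return None, None
        if not hmac.compare_digest(row["token_hash"], _h(cookie["token"])):
            # Known series, stale token: this cookie was copied and already used
            # by someone else. Treat as theft and drop every series of the user.
            self.revoke_all(row["user"])
            return None, None
        new_token = secrets.token_urlsafe(32)              # rotate on every use
        row["token_hash"], row["expires"] = _h(new_token), now + TOKEN_LIFETIME
        return row["user"], {"series": cookie["series"], "token": new_token}

    def logout(self, cookie):
        """Forget this browser only; other browsers keep their own series."""
        self.rows.pop(cookie["series"], None)

    def revoke_all(self, user_id):
        for series in [s for s, r in self.rows.items() if r["user"] == user_id]:
            del self.rows[series]


def two_browsers():
    """Browser A and browser B each keep their own series and both stay logged in."""
    store, t = PersistentLogins(), 1_700_000_000
    a, b = store.issue("alice", t), store.issue("alice", t)
    user_a, a = store.authenticate(a, t + 3_600)
    user_b, b = store.authenticate(b, t + 7_200)
    user_a2, a = store.authenticate(a, t + 10_800)
    return user_a, user_b, user_a2


def stolen_cookie():
    """A copied cookie is presented after the real browser already rotated its token."""
    store, t = PersistentLogins(), 1_700_000_000
    legit = store.issue("alice", t)
    stolen = dict(legit)
    _, legit = store.authenticate(legit, t + 60)        # real user visits, token rotates
    thief = store.authenticate(stolen, t + 120)[0]       # stale token on a valid series
    after = store.authenticate(legit, t + 180)[0]        # every series of alice is gone
    return thief, after


if __name__ == "__main__":
    print("two browsers:", two_browsers())     # ('alice', 'alice', 'alice')
    print("stolen cookie:", stolen_cookie())   # (None, None)
```

Detecting the stale token is the moment to notify the user and require a password login, not just to fail quietly. Ordinary logout deletes only the current series, so the other browsers stay remembered, which is the behaviour the question was after.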
