Re: Need to find-out improper sign-out



Gordon Burditt <gordonb.327re@xxxxxxxxxxx> wrote:
Every time a user does a proper sign-in, a flag is set & the account is locked
until he signs out by updating the login-table. At sign-out the flag
is released & his account is ready to log in again.
Is my logic right?

Why on earth would you need such a thing, besides trying to drive off
users?

I'd even go so far as to say: the last one to log in clearly knows the
password, if another one is currently logged in under the same credentials
I log them out instantly.

I'll agree here: if you *must* insist on one login at a time, kill
the *old* session (which may have just suffered modem disconnectus),
not the *new* one. It also acts to discourage account sharing
(situation: pay site for pr0n or whatever). If you share your
account widely, *all* people trying to use it are likely to get
booted off often. It's harder to implement, though. One thing
that makes it a bit easier is to use a session save handler which
puts session data in a database, thereby making a search for people
logged in under the same account easier.

I don't go as far as to use a custom save handler most of the time. Determining whether a user is logged in is done with the help of a database query though, where session ids and user ids of the current 'active' users are saved, which also gives a nice opportunity to check the time of last activity etc.

People can get separate logins aplenty, no
reason to share, and another little security measure to, well, not
prevent, but end a specific session hijack.

Depending on the design of the site, there are plenty of reasons
for the same user to try to pull up two different pages from the
site at the same time (for example, to look at two things you might
want and compare features side-by-side to decide which to buy), and
many times it is made necessary to log in twice to do that.

Normally, no. As long as he's using the same browser, he will have the same session id, and it will still be considered one user serverside, even if the requests hit the server at exactly the same moment (which 'never' happens). If you use different browsers (Firefox & MSIE for instance), then they'll get different ids, simply because they don't use each other's cookies. On any normal site, opening a wide variety of pages with a single login is perfectly possible.
--
Rik Wasmus
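The scheme the two replies above converge on (an active-sessions table keyed by session id and user id with a last-activity timestamp, and a login that kills the *old* session rather than refusing the *new* one) in working PHP. This is an added example written for this page, not code posted in the thread or shipped with PHP. It assumes an in-memory SQLite database through PDO so it runs from the command line; the table and column names are this example's own choice, and in a real application the `$sessionId` arguments would be the value of `session_id()` after `session_start()` and `session_regenerate_id(true)` on login.

```php
<?php
// Added example, not from the thread: one active session per account,
// with the *old* session killed on a new login, backed by a table of
// active sessions. Runs on the CLI with an in-memory SQLite database;
// a real app would pass session_id() after session_regenerate_id(true).
// The table and column names are assumptions made for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (
    session_id    TEXT PRIMARY KEY,
    user_id       INTEGER NOT NULL,
    last_activity INTEGER NOT NULL
)');

// Called once credentials have been verified. Registers the new session and
// removes every other session for the same account, so the session that gets
// booted is the old one, never the login that just proved it knows the password.
// Returns the number of older sessions that were logged out.
function registerLogin(PDO $db, string $sessionId, int $userId): int {
    $db->beginTransaction();
    $kill = $db->prepare(
        'DELETE FROM active_sessions WHERE user_id = ? AND session_id <> ?');
    $kill->execute([$userId, $sessionId]);
    $killed = $kill->rowCount();
    $ins = $db->prepare(
        'INSERT OR REPLACE INTO active_sessions (session_id, user_id, last_activity)
         VALUES (?, ?, ?)');
    $ins->execute([$sessionId, $userId, time()]);
    $db->commit();
    return $killed;
}

// Called at the top of every authenticated request. Returns the user id if
// this session is still the active one for its account, or null if it was
// killed by a newer login or went stale through inactivity (the dropped
// modem case), in which case the caller treats the request as logged out.
function checkSession(PDO $db, string $sessionId, int $idleLimit = 1800): ?int {
    $q = $db->prepare(
        'SELECT user_id, last_activity FROM active_sessions WHERE session_id = ?');
    $q->execute([$sessionId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // killed, logged out, or never existed
    }
    if (time() - (int)$row['last_activity'] > $idleLimit) {
        logout($db, $sessionId);           // stale: reap it instead of trusting it
        return null;
    }
    $db->prepare('UPDATE active_sessions SET last_activity = ? WHERE session_id = ?')
       ->execute([time(), $sessionId]);
    return (int)$row['user_id'];
}

// Explicit sign-out: drop the row. Nothing stays "locked" if the user never
// reaches this, because a later login simply replaces the stale session.
function logout(PDO $db, string $sessionId): void {
    $db->prepare('DELETE FROM active_sessions WHERE session_id = ?')
       ->execute([$sessionId]);
}

// Walk-through with constructed session ids standing in for session_id().
$sidA = bin2hex(random_bytes(16));         // browser A logs in as user 42
registerLogin($db, $sidA, 42);
var_dump(checkSession($db, $sidA));        // A is the active session

$sidB = bin2hex(random_bytes(16));         // browser B logs in as user 42 too
var_dump(registerLogin($db, $sidB, 42));   // how many older sessions were killed
var_dump(checkSession($db, $sidA));        // A's next request is now logged out
var_dump(checkSession($db, $sidB));        // B, the newest login, stays in

logout($db, $sidB);
var_dump(checkSession($db, $sidB));        // explicit sign-out also ends it
```

Because the check runs on every request and keys on the session id the browser presents, two tabs in the same browser share one row and are never logged out by each other, which is the point made at the end of the thread; only a second browser (or a hijacker holding a copied cookie) creates a competing session, and the next legitimate login ends it.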


