4

I come from a security background where I was an infosec consultant and tested webapps for vulnerabilities. I've just started working as a webdev and I'm busy with my first project, written with Codeigniter.

I'm trying to solve the problem of multiple concurrent logins, where the user can have two (or more) concurrent sessions that are both valid and active. I have an idea how to do this but I'm not experienced with CI so I want to know if there's a better or more "official" way. It also involves making changes to the DB's ci_sessions table, not sure how CI will handle it.

At the moment I'm using the DB to store session data; my plan is to add an additional column to the ci_sessions table, one that stores the email address of the user (post authentication). In other words it will be NULL until the user successfully logs in, at which point the email address of the user will be stored in it.

The plan is to confirm the validity of the credentials provided during login and, if they're correct, search the sessions table for other sessions corresponding to the same email address and delete those. Once other sessions for the user have been removed, the email and session data indicating a valid authenticated session will be set.

Is this the best way to do this?

EDIT: Of course, this won't work when CI creates a new session id for a current session, instead of updating, as CI won't set the email address to the new session. I'd have to make modifications to the source...

3 Answers

2

I was looking through the source code for Sessions.php and found this line at the end of sess_update(), which is only called if DB sessions are in use:

$this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));

In other words the current session_id is updated with the new session_id, instead of inserting a new entry, leaving all other information (except last_activity) intact. I then decided to try my original plan, I added a user_id column to the table (instead of email) that defaults to NULL. On login I check the credentials and return (amongst others) the user_id of the email address specified. I then delete all sessions that have that specific id in the user_id column and update the line associated with the current session_id to contain the user_id of this user.

I have tested by logging in with Chrome and then with Safari, and the Chrome session was killed. I will still need to do more testing to ensure there are no loopholes, but it looks like this solves my problem.

Many thanks for your suggestions. Samutz, I'm sure your method would have worked, I just found mine had less overhead.


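The approach in the accepted answer above (verify credentials first, evict the user's other ci_sessions rows, then claim the current row), written out as an added PHP example that is not code from the original post. It assumes CodeIgniter 2.x with database sessions enabled and the session library and url helper autoloaded, the ci_sessions table with the nullable user_id column the answer adds, and a hypothetical Auth_model::verify_credentials() that returns the user row on success or FALSE.

```php
<?php
// Added example (not from the original post). Assumptions:
//   - $config['sess_use_database'] = TRUE, sess_table_name = 'ci_sessions'
//   - ci_sessions has an extra nullable column `user_id` (the answer's change)
//   - hypothetical Auth_model::verify_credentials($email, $password) returns
//     the user row (with ->id) on success, FALSE otherwise (not shown here)
//   - session library and url helper are autoloaded
class Auth extends CI_Controller {

    public function login()
    {
        $this->load->model('auth_model');
        $email    = $this->input->post('email');
        $password = $this->input->post('password');

        $user = $this->auth_model->verify_credentials($email, $password);
        if ($user === FALSE) {
            // Nothing in ci_sessions is touched until the credentials check out.
            show_error('Invalid credentials', 401);
            return;
        }

        // Use the id from the verified row, never an id supplied by the client.
        $this->bind_session_to_user((int) $user->id);
        $this->session->set_userdata('logged_in', TRUE);
        redirect('dashboard');
    }

    // Delete every other session row for this user, then stamp the current row.
    // sess_update() rotates session_id with an UPDATE on the same row, so the
    // user_id value survives CI's periodic id regeneration (as the answer found).
    private function bind_session_to_user($user_id)
    {
        $current_sid = $this->session->userdata('session_id');

        $this->db->trans_start();
        $this->db->where('user_id', $user_id)
                 ->where('session_id !=', $current_sid)
                 ->delete('ci_sessions');
        $this->db->where('session_id', $current_sid)
                 ->update('ci_sessions', array('user_id' => $user_id));
        $this->db->trans_complete();

        // FALSE here means the eviction did not commit; treat that as a failed login.
        return $this->db->trans_status();
    }
}
```

Once another browser logs in, the first browser's row is gone, so CI cannot match its cookie to a stored session on the next request and starts a fresh, unauthenticated one.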

0

Set in your config file:

$config['sess_match_ip'] = true;

It will match the user's IP address when reading the session data

Refer to http://ellislab.com/codeigniter/user-guide/libraries/sessions.html

Hope it helps!

1 Comment

Unfortunately this won't help, it's not that CI is letting a user take over another user's session, it's allowing the creation of two separate sessions for the same user and allowing them to exist simultaneously. Thanks anyway though!

0

Here's the way I did it on one of my apps:

In your users table create a session_id field. Upon successful user login, generate a new, unique session_id.

(Do not use CI's session_id for this as it can change despite the session being the same depending on your session config. The idea is to have your own id that lasts as long as the session exists.)

Store the new session_id in the user's record and the session data. Upon recurring visits with the active session, check for a matching id in the user's record.

Now when that user logs in from another computer, they will get a new session with a new id and update their id in the user's record. The old computer will be logged out on the next page load as the session id for that computer will not match the session id in their user record.

Although I don't store the session in my database (couldn't get it to work, so I use encrypted session cookies), so I don't know how this will work if you are storing sessions in the database.
