session handling


on 28.04.2008 17:04:46 by Nhadie Ramos


hi all,

i'm a newbie and i really would like to be able to understand how session works.

for the scenario, i have customers with two users login to manage their records (like adding their own customers). e.g. customer A has a username customera1 and customera2, customer B has customerb1 and customerb2.

when user logins, i add on the session accountcode $_SESSION['accountcode'] (which is the unique identifier for each customer). here are some of the questions i have:

1. how can i make sure each user can login only one time?
2. if customera1 and customera2 are logged in at the same time and they are going to access the same data, how can i lock it to whoever had access to it first?
3. if a session expires, is there a way to automatically logout that user and destroy the session?
4. if both a user in customer A and B are logged in, then user A logs out and i have a script that calls session_destroy(), will that also destroy the session of customer B?

hope someone can help me.

regards,
nhadie




Re: session handling

on 28.04.2008 17:21:46 by Yves Sucaet

Hi nhadie,

1. Unlike ASP or ASP.NET, PHP only has a Session object, not an Application object. A session is only available to one single user only, and you can't share information between Sessions using PHP (you'd use the Application object for this in ASP(.NET)). While you can probably hack your way into the Session-files that PHP stores somewhere on the hard disk, that's obviously not their intended use (but I want to mention this for the sake of being complete).

What you can do is add a Boolean-field to your user-table in the database that says whether somebody is currently logged in. If the field is true, they can't log in a second time. The problem with this approach however is that it depends on the user actually logging out as well (thus calling a script that sets the field back to false).

So here's a better solution:

Create a separate table and call it something like "Sessions". It should contain at least three fields: AccountCode, LoginTime and LastActivityTime. When somebody first logs in, you create a record in this "Sessions" table. Every time he pulls up a new page, you update the LastActivityTime field with the current date/time in the database.

When somebody tries to log in a second time, you can deny them access based on the record that exists in the "Sessions" table.

Here's how it works when somebody "forgets" to log out: each time you access the Sessions table, you should run a second query that automatically deletes all the sessions that haven't been updated for the last 30 minutes (the number should be the same as the timeout value for the $_SESSION[] object). So each time a user performs an action, you automatically remove all the sessions of all users that have been inactive for 30 minutes or more.

2. This is trickier. What do you mean with "access"? Are you talking about lost updates? Are you talking about simple read-operations? Actually, even as you claim you're a newbie, you're asking questions that are keeping us all up at night! :-) The solutions vary depending on your situation. Maybe you can add field "ActiveTable" to the above-mentioned "Sessions" table and take it from there?

3. I think I've covered this under [1].

4. No, it won't. Each user has his/her own $_SESSION[] object.

HTH,

Yves





--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
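
The "Sessions" table approach from the reply above, as an added PHP example that is not part of the thread. Assumptions: a UserName key column (two users share one AccountCode), the function names, an in-memory SQLite database via PDO standing in for the real one, and constructed timestamps.

```php
<?php
declare(strict_types=1);
// Added example. UserName column, function names and SQLite are assumptions.
const IDLE_LIMIT = 1800; // 30 minutes, same as the PHP session timeout
function openStore(): PDO {
    $db = new PDO('sqlite::memory:'); // stand-in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Sessions (UserName TEXT PRIMARY KEY,
        AccountCode TEXT NOT NULL, LoginTime INTEGER NOT NULL,
        LastActivityTime INTEGER NOT NULL)');
    return $db;
}

// Drop rows of users who were idle longer than the limit ("forgot" to log out).
function purgeIdle(PDO $db, int $now): void {
    $db->prepare('DELETE FROM Sessions WHERE LastActivityTime < ?')
       ->execute([$now - IDLE_LIMIT]);
}

// The PRIMARY KEY makes "check and insert" one atomic step, so two
// simultaneous logins for one user cannot both succeed.
function tryLogin(PDO $db, string $user, string $account, int $now): bool {
    purgeIdle($db, $now);
    try {
        $db->prepare('INSERT INTO Sessions VALUES (?, ?, ?, ?)')
           ->execute([$user, $account, $now, $now]);
        return true;
    } catch (PDOException $e) {
        if ((string)$e->getCode() !== '23000') throw $e; // not a key conflict
        return false;
    }
}

// Call on every page load; false means the row is gone and the caller
// should session_destroy() and send the user back to the login page.
function recordActivity(PDO $db, string $user, int $now): bool {
    purgeIdle($db, $now);
    $st = $db->prepare('UPDATE Sessions SET LastActivityTime = ? WHERE UserName = ?');
    $st->execute([$now, $user]);
    return $st->rowCount() === 1;
}
// Constructed timeline (Unix timestamps).
$db = openStore();
$t0 = 1209395086;
var_dump(tryLogin($db, 'customera1', 'A', $t0));          // first login
var_dump(tryLogin($db, 'customera1', 'A', $t0 + 60));     // same user again
var_dump(tryLogin($db, 'customera2', 'A', $t0 + 60));     // other user, same account
var_dump(recordActivity($db, 'customera1', $t0 + 600));   // page load
var_dump(tryLogin($db, 'customera1', 'A', $t0 + 2500));   // after 30+ idle minutes
```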

Re: session handling

on 28.04.2008 18:06:10 by Yves Sucaet

>> 2. This is trickier. What do you mean with "access"? Are you talking about
>> lost updates? Are you talking about simple read-operations? Actually, even as
>> you claim you're a newbie, you're asking questions that are keeping us all up
>> at night! :-) The solutions vary depending on your situation. Maybe you can
>> add field "ActiveTable" to the above-mentioned "Sessions" table and take it
>> from there?

> it's more for editing records, when user customera1 opened a record to edit
> it, and almost at the same time user customera2 tried to edit the same
> record, customera2 will get an error message that the record is already open.

Well, like I said: the "lost update" problem is well known in database circles. Basically, when two users want to do the same thing at the same time, one of them WILL lose out. The only question is how you handle the situation. Please read e.g. http://forums.mysql.com/read.php?97,56420,56420 to give you some more ideas on how to handle this. Google for "database lost update" for more general information and strategies. Before you come up with too advanced features to solve this problem, you may also want to ask yourself the chance of this problem occurring in your specific application? While I've worked on many systems, I've never had a situation arise where this was an effective issue. But there definitely are circumstances where it may!

>> 4. No, it won't. Each user has his/her own $_SESSION[] object

> does that mean when user customera1 logs in, i passed $_SESSION[accountcode].
> then user customera2 logs in also and i passed $_SESSION[accountcode] again,
> so now $_SESSION[accountcode] is the same for both user, if customera1 logs
> out, i call session_destroy, it wont destroy the session for user
> customera2?

When customera1 logs in, a $_SESSION[] object is created for his/her eyes only. You can then e.g. say $_SESSION["code"] = getaccountcode(). When customera2 logs in in turn, a second $_SESSION[] object is created that only applies to that user. You can see the progress of these sessions popping in and out of existence by monitoring the files in the c:\php\sessions\ folder. Since customera1 has no access to the $_SESSION of customera2, there's risk in accidentally removing another user's session.

HTH,


Yves
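
One common strategy for the "lost update" problem discussed above, shown as an added PHP example that is not part of the thread and not taken from the linked forum post: a version column checked in the UPDATE itself, so the second of two overlapping saves is rejected. The Records table, its columns, the function names and the in-memory SQLite database are assumptions; the data is constructed.

```php
<?php
declare(strict_types=1);
// Added example. Table, columns and function names are assumptions.
function openRecords(): PDO {
    $db = new PDO('sqlite::memory:'); // stand-in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Records (Id INTEGER PRIMARY KEY,
        AccountCode TEXT NOT NULL, Note TEXT, Version INTEGER NOT NULL)');
    $db->exec("INSERT INTO Records VALUES (1, 'A', 'original', 1)"); // constructed row
    return $db;
}

// Read a record for editing. AccountCode comes from $_SESSION['accountcode'],
// so a user can only open records of their own customer.
function loadRecord(PDO $db, int $id, string $account): array {
    $st = $db->prepare('SELECT Note, Version FROM Records
                        WHERE Id = ? AND AccountCode = ?');
    $st->execute([$id, $account]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('no such record for this account');
    }
    return $row;
}

// Save only if nobody else saved since this user loaded the record.
// Returns false when the version moved on; the caller then shows an
// error and reloads instead of silently overwriting the other edit.
function saveRecord(PDO $db, int $id, string $account, string $note, int $seen): bool {
    $st = $db->prepare('UPDATE Records SET Note = ?, Version = Version + 1
                        WHERE Id = ? AND AccountCode = ? AND Version = ?');
    $st->execute([$note, $id, $account, $seen]);
    return $st->rowCount() === 1;
}

// Both users of customer A open the same record, then both try to save.
$db = openRecords();
$a1 = loadRecord($db, 1, 'A');
$a2 = loadRecord($db, 1, 'A');
var_dump(saveRecord($db, 1, 'A', 'edited by customera1', (int)$a1['Version']));
var_dump(saveRecord($db, 1, 'A', 'edited by customera2', (int)$a2['Version']));
var_dump(loadRecord($db, 1, 'A')['Note']);
```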




RE: session handling

on 28.04.2008 22:50:44 by Aaron

1. Logging in only once is easy. Make the login page only appear if
isset($_SESSION['accountcode'])
Else, have it display a page saying you are already logged in.

2. SSL

3. If a session expires the user logs out and the session is destroyed.
That's why it's called expiration.

4. session_destroy() only destroys the session with the PHPSESSID that
matches the cookie on the user's system. In other words: no, unless both
users run session_destroy.

You're obviously new to this stuff. PHP was made with ease of use in mind,
so most of your concerns are already addressed. It would be extremely
difficult to use a session if any user logging out would log every other
user out.

Hope this helps, Aaron.