Preventing multiple logins
- Mohabot (Member since: May. 2, 2011; Supporter, Level 01, Art Lover)
I've kinda finished my chat made with PHP and AJAX, but there's a problem remaining that needs to be solved. At the moment, once you log in with an account, you will remain logged on until you press a logout button or until the session has timed out. That's all good, but as the session is stored, once you open the same site again, you will have a duplicate of the login. So that means you can chat with multiple copies of the site on the same login.
What I want to do is prevent users from being able to chat with the same account on duplicates of the site. Ideally, once you've logged on with an account, you should only be able to chat with it on the initial page you opened the URL with. If they open a new page, the session shouldn't be valid, and so the user will have to log in again.
Help would be appreciated
- Diki (Member since: Jan. 31, 2004; Moderator, Level 13, Programmer)
Perhaps I am misunderstanding the problem but why can't you just store when the user was last active and if it is within a certain range consider the user to be invalid?
- smulse (Member since: Mar. 24, 2005; Member, Level 31, Blank Slate)
At 4/27/13 08:41 AM, Diki wrote: Perhaps I am misunderstanding the problem but why can't you just store when the user was last active and if it is within a certain range consider the user to be invalid?
Because if you log back in before the time has expired you'll still get the aforementioned problem?
I guess you could always store a timestamp in a cookie of when the user visits the page, and save this with the user's session on the server. If the cookie and the data on the server match, then it's valid and they can chat away. If the user has logged in again, then their cookie and the data on the server wouldn't match the earlier session, and only the newer one would be valid.
- Diki (Member since: Jan. 31, 2004; Moderator, Level 13, Programmer)
At 4/27/13 11:53 AM, smulse wrote: Because if you log back in before the time has expired you'll still get the aforementioned problem?
Then there are really only two solutions to that situation:
1) Have the user wait until the login expires.
2) Force the logged-in user to be logged out and update his/her activity time.
Neither is desirable, but PHP and AJAX used over HTTP is not desirable because HTTP is stateless and, by default, does not use persistent connections, so ultimately, no matter how it is done, it is going to have some flaws, because PHP/AJAX/HTTP just aren't the appropriate tools to be using; sockets implemented with TCP are the best solution (PHP even has support for sockets).
At 4/27/13 11:53 AM, smulse wrote: I guess you could always store a timestamp in a cookie of when the user visits the page
Cookies can be easily edited so any user could modify the cookie to circumvent the prevention of multiple logins.
- sharpnova (Member since: Feb. 19, 2005; Member, Level 09, Blank Slate)
At 4/27/13 06:34 PM, Diki wrote: Cookies can be easily edited so any user could modify the cookie to circumvent the prevention of multiple logins.
I think a way of avoiding these types of problems with cookies is generating a random key (per session) which gets stored in the cookie. All other session-related information would then be server-side (aka in the session).
This solves the problem of the user being able to tweak their cookies in any way, leaving only the problem of a user copying a cookie from another machine and using it to fake an identity.
This remaining risk can be further mitigated by forming a primary-ish key via the user's resolution/browser/OS/ISP-node/IP/computer-name/etc. These are all things that change rarely enough (even the conjunction of all of them is reasonably rarely changed) that the user won't be bothered to log in again with more than reasonable frequency.
But it can never be completely intact. Which is why persistently logged in web applications, though convenient, will ALWAYS be inherently insecure. Notice that banks don't have that feature.
- busypixels (Member since: Apr. 11, 2013; Member, Level 03, Game Developer)
At 4/27/13 07:09 AM, Mohabot wrote: I've kinda finished my chat made with PHP and AJAX, but there's a problem remaining that needs to be solved. At the moment, once you log in with an account, you will remain logged on until you press a logout button or until the session has timed out. That's all good, but as the session is stored, once you open the same site again, you will have a duplicate of the login. So that means you can chat with multiple copies of the site on the same login.
What I want to do is prevent users from being able to chat with the same account on duplicates of the site. Ideally, once you've logged on with an account, you should only be able to chat with it on the initial page you opened the URL with. If they open a new page, the session shouldn't be valid, and so the user will have to log in again.
Help would be appreciated
How about just saving the last session_id to the user table in your DB and checking whether it's still alive when trying to log in.
If it's alive you can use it by session_start($session_id_from_db); I think.
And if it's not alive, just create a new one.
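The approach smulse and busypixels describe (a per-login token held by the client and compared against what the server stored at login) is what PHP's own session id already gives you, as sharpnova notes: the cookie carries only a random key and everything else lives server-side. The following is an added example written for this thread, not code from any of the posters: at login it regenerates the session id and records it on the user's row; every chat endpoint then refuses any session whose id no longer matches, so the most recent login wins and the older tab is forced back to the login form. The `users` table, its `active_session_id` column, the PDO/SQLite setup and the `alice` test account are this example's assumptions, not the OP's schema.

```php
<?php
// Added example for this thread (not the OP's code): allow exactly one active
// session per account by recording the PHP session id on the user's row at
// login and rejecting chat requests whose session id no longer matches.
// Assumptions (this example's, not the OP's): a `users` table with columns
// id, username, password_hash, active_session_id; PDO over an in-memory SQLite
// database seeded with one constructed test account. login() expects that the
// calling page has already called session_start().

declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            password_hash TEXT NOT NULL,
            active_session_id TEXT
        )');
        // Constructed test user; a real app would have registered it.
        $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
            ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// login.php: verify the password, then make this session the only valid one.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh, unguessable id on every login; the pre-login id is deleted, which
    // also closes the session-fixation hole of keeping an id the client chose.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    // This id is now the only one allowed to chat for the account; whatever tab
    // or browser logged in earlier will fail require_active_session() from here on.
    db()->prepare('UPDATE users SET active_session_id = ? WHERE id = ?')
        ->execute([session_id(), $row['id']]);
    return true;
}

// Top of every AJAX chat endpoint (send.php, poll.php, ...).
function require_active_session(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = db()->prepare('SELECT active_session_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $active = $stmt->fetchColumn();
    if (!is_string($active) || !hash_equals($active, session_id())) {
        // A newer login displaced this session: destroy it so the old tab has to log in again.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// CLI demo: "tab 1" logs in, "tab 2" logs in with the same account, tab 1 is rejected.
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');       // no HTTP response here, so skip cookie headers
    session_start();
    if (!login('alice', 'correct horse')) { exit("login 1 failed\n"); }
    $tab1 = session_id();
    if (!require_active_session()) { exit("tab 1 should be active\n"); }
    session_write_close();

    session_id(session_create_id());           // a second browser with no session cookie
    session_start();
    if (!login('alice', 'correct horse')) { exit("login 2 failed\n"); }
    $tab2 = session_id();
    session_write_close();

    session_id($tab1);                         // tab 1 sends its old session id again
    session_start();
    echo require_active_session()
        ? "tab 1 still allowed (bug)\n"
        : "tab 1 rejected; $tab2 is the only active session\n";
}
```

Run with `php single_session.php`; in the web app, include the two functions and call `require_active_session()` before serving or accepting any chat message, returning a 401 so the AJAX client can redirect to the login page. Note that this compares the live session id against the stored one rather than trying to adopt the stored id as busypixels suggests: selecting a stored id is done with `session_id($id)` before `session_start()`, not by passing it to `session_start()`, and adopting the old session would hand the new tab the same login rather than displacing it.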
- Mohabot (Member since: May. 2, 2011; Supporter, Level 01, Art Lover)
Alright, thanks for the suggestions, guys! I'm gonna try at least one of them and see if that works (which it probably will after a few tries).