Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to limit users to one session with CakePHP 3?

Tags:

session

cakephp

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.

I need to have CakePHP know when a user is logged in, which I assume is a process started using:

'Session' => [
    'defaults' => 'database'
]

As per the Sessions book page.

It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?

To clarity:

All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).

Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.

Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.

The information held in the cookie is just the session id. In the DB it's simply:

Session id | a blob | expiry time

like image 651
pmelon Avatar asked Feb 18 '16 12:02

pmelon

1 Answers

I assume you save users and sessions in a database (by default in cakePHP it is named sessions).

Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.

On Login action do:

UPDATE `users` SET `active_session`='$session_id';

When user goes to a page that requires login, you search that value:

SELECT * FROM `users` WHERE `active_session` = '$session_id';

If the user signs in other place, the previous session key gets overwriten, and the SELECT above returns an empty result-set.

It's possible to clean the old session token before the update, so this way old session will be destroyed on per user basis.

Be careful, if you are using AuthComponent, it might rotate sessions itself, for more information you may find in the corresponding section of CakePHP manual.

I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.

like image 114
Farside Avatar answered Oct 22 '22 17:10

Farside
Sign in to Comment

Related questions

checking session timeout when using AJAX
Laravel Auth::logout not removing remember me cookie
Using Django Session Framework with a Token instead of a Cookie?
Symfony - Authentication with an API Token - Request token user is null
How to start a new Windows logon session (RDP or console) programmatically
Passing session data between ASP.NET Applications
What is the maximum size a session variable can hold?
Allow search bots to crawl your sites without session IDs
How does session_start lock in PHP?
PDO prepare silently fails
NHibernate: System.Argument Exception : An item with the same key has already been added
Asynchronous threads and session
Persistent Sessions with JDBC and Tomcat
instance variables in stateless session beans
An explanation of session support using Express and Socket.IO?
Session Not Persisting Across Redirect With OmniAuth and Rails 4
Why is my Session["value"] not persisting across views (asp.net mvc)
Storing username, pasword using cookies/sessions - Java Servlets [closed]
Use SESSIONS variables between different php files
Mockito says arguments are not identical but they are?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!