From: Robert Cummings
> Bob McConnell wrote:
>> Web servers can only identify computers, not users. You will need
>> something else to track which user started a specific application on a
>> particular computer, probably a fingerprint scanner next to the
>> keyboard. But that won't prevent someone else from replacing the entity
>> between the keyboard and the chair after they log in. Plus, it is
>> unlikely that will be useful in a true multi-user environment. There are
>> simply too many possible ways to get around your restrictions.
>
> Isn't it simple to associate a single session ID with a username? User
> logs in, place username and session ID in active users table and
> invalidate any others for same user. When user accesses page check
> session ID against entry in active users table. Richard Quadling has it
> right. This is not complicated, but it sounds like people are making it
> so. The user identified themselves via login.

From the series of questions he asked, it was not clear to me what he was trying to do. It sounded like he wanted to allow a user to access a single session simultaneously via multiple browsers, yet not allow another person to hijack that session even if both were using the same computer. Somehow I don't think all of that is a reasonable requirement.

Actually, I believe that linking a session to a specific individual without reading a biometric key with every http request is an unacceptable risk. And no, I don't do any banking online.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
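
The active users table check described in the quoted reply above, as an added example that is not part of the original thread. The table name `active_users`, the functions `registerLogin` and `isCurrentSession`, the in-memory SQLite store and the sample usernames are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: one active session per username, enforced server-side.
// Hypothetical schema; an in-memory SQLite database keeps it self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_users (
    username     TEXT PRIMARY KEY,   -- one row per user
    session_hash TEXT NOT NULL       -- SHA-256 of the session ID, not the ID itself
)');

// Call only after the credential check has succeeded.
// Returns the fresh session ID to hand to the client.
function registerLogin(PDO $db, string $username): string
{
    $sid = bin2hex(random_bytes(32)); // 256-bit unguessable identifier
    // REPLACE overwrites any existing row for this username, which
    // invalidates every earlier session for the same user.
    $stmt = $db->prepare(
        'REPLACE INTO active_users (username, session_hash) VALUES (?, ?)'
    );
    $stmt->execute([$username, hash('sha256', $sid)]);
    return $sid;
}

// Call on every page access before serving protected content.
function isCurrentSession(PDO $db, string $username, string $sid): bool
{
    $stmt = $db->prepare(
        'SELECT session_hash FROM active_users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn(); // false when the user has no active row
    // hash_equals() compares in constant time.
    return is_string($stored) && hash_equals($stored, hash('sha256', $sid));
}

// Constructed walk-through: the same user logs in twice.
$first  = registerLogin($db, 'alice');
$second = registerLogin($db, 'alice');

var_dump(isCurrentSession($db, 'alice', $first));  // ID from the earlier login
var_dump(isCurrentSession($db, 'alice', $second)); // ID from the latest login
var_dump(isCurrentSession($db, 'bob', $second));   // user with no active row
```

In an application that uses PHP's built-in sessions, the identifier would come from `session_regenerate_id(true)` followed by `session_id()` at login instead of `random_bytes()`.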