Tommy Pham wrote:

> 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
> expire when the browser closes.
> 2) Have a table in the DB backend to keep track of whether the user is logged in or
> not and when the validated user last accessed your site (this
> gets updated when the user visits a link on your site, by checking the cookie
> and the DB entry of the session ID).
> 3) Set your session timeout according to your security requirements.
> 4) Have a JavaScript on a timeout to self-logoff should the user be AFK
> longer than your session timeout.
>
> If another user, or the same user, tries to login with a different browser,
> you can check the status of the user. If the user is logged in, you can
> deny it after the authentication. Should the user close the browser
> without logging off, you can check when the user last
> accessed your site and see if it's been longer than your session timeout.
> For security purposes, you can optionally send a courtesy email notifying
> them that they didn't logout properly since the last access. This way, you can
> track whether the user's system is compromised in some way or not. It
> all depends on what kind of application, service, user level access, and
> strictness of security you require.

Thanks Tommy. That was very helpful, and some of it is similar to how I was thinking of doing it.

James

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
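The DB-tracked single-session scheme Tommy outlines (steps 2 and 3, plus the "deny a second browser" and "idle longer than the timeout" checks), as an added example that is not code from the thread. It assumes PHP 8 with pdo_sqlite available; the table, class and method names are my own, and the session ID is a random value stored only as a hash so a leaked table does not yield usable cookies.

```php
<?php
// Added example, not from the mailing-list thread: one-active-session tracking
// with an idle timeout, backed by an in-memory SQLite table via PDO (assumed
// available). Table/method names are assumptions; the cookie itself should
// also carry Secure/HttpOnly and be sent over TLS.
final class SessionTracker {
    public function __construct(private PDO $db, private int $timeout) {
        $db->exec('CREATE TABLE IF NOT EXISTS user_session (user_id INTEGER PRIMARY KEY,
                   session_hash TEXT NOT NULL, last_access INTEGER NOT NULL)');
    }
    /** Returns a new session id, or null if another browser is still active. */
    public function login(int $userId, int $now): ?string {
        $row = $this->find($userId);
        if ($row !== null && $now - (int)$row['last_access'] < $this->timeout) {
            return null; // still logged in elsewhere: deny after authentication
        }
        $sid = bin2hex(random_bytes(32)); // unguessable id; only its hash is stored
        $this->db->prepare('REPLACE INTO user_session VALUES (?, ?, ?)')
                 ->execute([$userId, hash('sha256', $sid), $now]);
        return $sid;
    }
    /** Checks the cookie value on each request and refreshes last_access. */
    public function touch(int $userId, string $sid, int $now): bool {
        $row = $this->find($userId);
        if ($row === null || !hash_equals($row['session_hash'], hash('sha256', $sid))) {
            return false; // unknown user or wrong cookie (constant-time compare)
        }
        if ($now - (int)$row['last_access'] >= $this->timeout) {
            $this->logout($userId); // idle longer than the timeout: not logged in
            return false;
        }
        $this->db->prepare('UPDATE user_session SET last_access = ? WHERE user_id = ?')
                 ->execute([$now, $userId]);
        return true;
    }
    public function logout(int $userId): void {
        $this->db->prepare('DELETE FROM user_session WHERE user_id = ?')->execute([$userId]);
    }
    private function find(int $userId): ?array {
        $st = $this->db->prepare('SELECT session_hash, last_access FROM user_session WHERE user_id = ?');
        $st->execute([$userId]);
        return $st->fetch(PDO::FETCH_ASSOC) ?: null;
    }
}

$t = new SessionTracker(new PDO('sqlite::memory:'), 900); // 15-minute idle timeout
$sid = $t->login(42, 1000);              // first browser logs in at t=1000
var_dump($t->login(42, 1500) === null);  // second browser 500s later: denied (true)
var_dump($t->touch(42, $sid, 1800));     // valid cookie within timeout: true
var_dump($t->touch(42, $sid, 2800));     // 1000s idle, past the 900s limit: false
```

The JavaScript self-logoff in step 4 is only a convenience for the user; the server-side timeout check in `touch()` is what actually enforces the limit.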