> -----Original Message-----
> From: James Colannino [mailto:james@xxxxxxxxxxxxx]
> Sent: Tuesday, June 22, 2010 10:06 PM
> To: PHP-General List
> Subject: Re: Question about logins and locking
>
> Tommy Pham wrote:
>
> > 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
> > expire when the browser closes
> > 2) Have a table in the DB backend to keep track of whether the user is logged
> > in or not and when the last time was that the validated user accessed your
> > site (this gets updated when the user visits a link on your site by
> > checking the cookie and the DB entry of the session ID)
> > 3) Set your session timeout according to your security requirement
> > 4) Have a JavaScript on a timeout to self-logoff should the user be
> > AFK longer than your session timeout.
> >
> > If another user or if the same user tries to login with a different
> > browser, you can check the status of the user. If the user is logged
> > in, you can deny it after the authentication. Should the user close
> > the browser without logging off, you can check when the last time
> > the user accessed your site was and see if it's been longer than your
> > session timeout. For security purposes, you can optionally send a courtesy email
> > notifying that the user didn't log out properly since last accessed.
> > This way, you can track whether the user's system is compromised in
> > some way or not. It all depends on what kind of application, service,
> > user level access, and the strictness of security you require.
>
> Thanks Tommy. That was very helpful, and some of it is similar to how I was
> thinking of doing it.
>
> James

Forgot 1 more thing: if you really want to be strict about security, you can set a very highly secured permanent cookie on the user's system on the first initial login. You can send them a confirmation code, that it's really who they say they are, to the email address.
Then the user will need to submit that confirmation code along with the current password as part of the initial logon process. So if a hijacker or eavesdropper tries to logon with your user's info on another system, a new confirmation code would be sent to your user's email address. Your user would then know their identity has been stolen. Setting this up will entail slight modification to your app and DB design but will have better overall security. Again, evaluate your needs and services ;)

Regards,
Tommy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
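Items 2 and 3 of Tommy's list plus the "deny a second login while the first is live / expire after last access" check, as an added PHP example that is not code from the thread. It assumes a `user_session` table with `user_id`, `session_id` and `last_access` columns and uses an in-memory SQLite database through PDO so it runs stand-alone; the clock values are constructed.

```php
<?php
// Added example, not code from the thread. Table/column names are assumed; SQLite in memory.
const SESSION_TIMEOUT = 900; // seconds; set to your security requirement
function openRegistry(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_session (user_id INTEGER PRIMARY KEY,
        session_id TEXT NOT NULL, last_access INTEGER NOT NULL)');
    return $db;
}
function currentRow(PDO $db, int $userId): ?array {
    $stmt = $db->prepare('SELECT session_id, last_access FROM user_session WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// After the password check: a fresh session id for the cookie, or null when this
// user's existing session has not timed out yet (logged in elsewhere, so deny).
function startSession(PDO $db, int $userId, int $now): ?string {
    $row = currentRow($db, $userId);
    if ($row !== null && $now - (int)$row['last_access'] < SESSION_TIMEOUT) {
        return null;
    }
    $sid = bin2hex(random_bytes(32)); // unguessable; only this goes in the cookie
    $db->prepare('INSERT OR REPLACE INTO user_session VALUES (?, ?, ?)')
       ->execute([$userId, $sid, $now]);
    return $sid;
}
// On every request: match the cookie against the registry, drop a stale session
// (browser closed without logoff), refresh last_access on a valid hit.
function touchSession(PDO $db, int $userId, string $sid, int $now): bool {
    $row = currentRow($db, $userId);
    if ($row === null || !hash_equals($row['session_id'], $sid)) {
        return false; // no session, or cookie does not match the registered id
    }
    if ($now - (int)$row['last_access'] >= SESSION_TIMEOUT) {
        $db->prepare('DELETE FROM user_session WHERE user_id = ?')->execute([$userId]);
        return false; // timed out: force a fresh login
    }
    $db->prepare('UPDATE user_session SET last_access = ? WHERE user_id = ?')
       ->execute([$now, $userId]);
    return true;
}
// Walk-through with a fixed clock (constructed values, user id 42).
$db = openRegistry();
$sid = startSession($db, 42, 1000);                            // first browser logs in
var_dump(startSession($db, 42, 1100));                         // second browser while first is live
var_dump(touchSession($db, 42, $sid, 1200));                   // valid hit inside the timeout
var_dump(touchSession($db, 42, $sid, 1200 + SESSION_TIMEOUT)); // hit after the timeout elapsed
var_dump(startSession($db, 42, 2101));                         // login once the stale session is gone
```

Pair this with a cookie carrying only the session id (Secure, HttpOnly, no expiry so it dies with the browser) and a logoff handler that deletes the row.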