I have this problem with my login system. I have two users, userA and userB in the same computer. userA enters to his account in one browser; userB gets access to his account in the same browser. My system thinks that now userB is also userA and userA is still connected to its own account but his name appears as userB. If these two users get access into different browsers, there is NO problem.
Do you have any idea how can I fix this problem? Here is the code of my login system:
<?php session_start();
$error = "";
$usuario1="";
$password="";
$form = $_POST['acceso_cuenta'];
if($_SERVER['REQUEST_METHOD']=='POST'){
$usuario1 = $_POST['login'];
$password1 = $_POST['pass'];
$strconn="dbname=postgres port=5432 host=127.0.0.1 user=xxx password=***";
$conn=pg_Connect($strconn);
if(!$conn){
// "Error connection!!!";
}else{
$query3 = "SELECT USUARIO FROM USERS WHERE USUARIO='$usuario1'
AND E_CONTRASENIA='$password' AND LEVEL='TAMER_LEVEL_3'";
$query2 = "SELECT USUARIO FROM USERS WHERE USUARIO='$usuario1'
AND E_CONTRASENIA='$password' AND LEVEL='TAMER_LEVEL_2'";
$result2=pg_query($conn,$query2);
$result3=pg_query($conn,$query3);
if(pg_num_rows($result3) != 0 ) { //success
if(isset($_SESSION['logged-in']) || isset($_SESSION['user'])){
session_unset();
session_destroy();
}
$_SESSION['logged-in'] = true;
$_SESSION['user']=$usuario1;
header('location: http://localhost/public_html/teacherLv3.php');
exit;
}else if(pg_num_rows($result2) != 0){
if(isset($_SESSION['logged-in']) || isset($_SESSION['user'])){
session_unset();
session_destroy();
}
$_SESSION['logged-in'] = true;
$_SESSION['user']=$usuario1;
header('location: http://localhost/public_html/teacherLv2.php');
exit;
}else {
$error = "WRONG DATA.";
}//
pg_close($conn);
} //else { $error = 'Don't leave blank spaces';}
}//end of if server
?>
This is the code for teacherLv3's page:
<?php
session_start();
// is the one accessing this page logged in or not?
if ( (!isset($_SESSION['logged-in']) && $_SESSION['logged-in'] !== true)) {
// not logged in, move to login page
session_destroy();
header('Location: login.php');
exit;
}
?>
<html>
<? echo "Welcome back Teacher_Level 3 MASTER {$_SESSION['user']} " ; ?>
</html>
This is the code for teacherLv2's page:
// is the one accessing this page logged in or not?
if ( (!isset($_SESSION['logged-in']) && $_SESSION['logged-in'] !== true)) {
// not logged in, move to login page
session_destroy();
header('Location: login.php');
exit;
}
?>
<html>
<? echo "Welcome back Teacher_Level 2 MASTER {$_SESSION['user']} " ; ?>
</html>
First things first... It's an good practise to start the session at top of the page. so right after the first <?php tag you start the session session_start();
Then you need to unset the session variable first if an user is already logged in.
So at the moment that you logout, you can do this:
// everything fine for logout???
session_unset();
session_destroy();
// rederict to login / home page or whatever...
And at the login part:
if(pg_num_rows($result3) != 0 ) { //success
if(isset($_SESSION['logged-in']) || isset($_SESSION['user']){
session_unset();
session_destroy();
}
$_SESSION['logged-in'] = true;
$_SESSION['user']=$usuario1;
header('location: http://localhost/public_html/teacherLv3.php');
exit;
}else if(pg_num_rows($result2) != 0){
if(isset($_SESSION['logged-in']) || isset($_SESSION['user']){
session_unset();
session_destroy();
}
$_SESSION['logged-in'] = true;
$_SESSION['user']=$usuario1;
header('location: http://localhost/public_html/teacherLv2.php');
exit;
}
EDIT
First you need to create an unique string for the user ( at the login part ):
$r_addr = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$unique_string = hash('ripemd160', $user_agent . $r_addr);
Then you need to create an table in the database that can hold the username ( to know about which user where talking about ) and the unique_string and an column where you set 0 or 1 for logout or not ( default 0 );
Then when you login, you check against the database if there's already any user with the unique_string, if so, update them ( except your own ) and set the logout column to 1. Then check if you with that unique_string already excist, if so, then delete that entry. Then insert your own data in the table.
Then everywhere where your check if the user is logged in, you also do an query on the new made table where you get the logout status ( so check for the username and for the unique_string ). The status is 0 or 1. then you do a little if:
if(logout_status == 1 || no_result){ // also check for no result, because if so you an unregisterd user. The safest way to handle this is to logout and login again...
// Do the logout with session_unset, session_destroy
}
Why not just prevent anyone else from logging in when there is already someone logged i?
if($_SERVER['REQUEST_METHOD']=='POST' && empty($_SESSION['logged-in'])) {
/* ... */
}