ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Session persistence problems

December 30, 2008 1:17pm

  • #16 / Oct 14, 2010 3:22pm

    WanWizard

    4475 posts

    I don’t see why your suggestion would solve that.

    If I can access your account, it means I have your password. Which is a very bad thing in itself.

    Then, when I login and you are logged in too, the system will kick you out, and I can still do my thing. If you’re not logged in, you are none the wiser. So what did you accomplish?

  • #17 / Oct 14, 2010 5:26pm

    fchristant

    33 posts

    @sojic. It seems you want an exclusive login lock system. If you’re using server-side sessions, i.e. db sessions, it is possible by overruling the Session class of CI. As @WanWizard said, you will have to include a login id in the session table and check for it during session creation. If a session with the same login id from another ip exists in the table, you kill it and create another one. That should log out the older session of the same user on another device.

    I would recommend against such a construction though. On the web this is a highly uncommon practice, against expectations of users. Plus, it requires tons of patches to the CI Session library. To make matters worse, all of this effort will make your application not one bit more secure.
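
The exclusive-session mechanism fchristant describes, as an added example that is not part of the original thread or of CodeIgniter's Session library: a user_id column in a db-backed session table, and on login every other session of that user is deleted, with the eviction written to an audit log so it can be traced later. It evicts regardless of IP address, slightly more general than the "from another ip" check in the post; the sqlite schema, table and function names are assumptions.

```python
import secrets
import sqlite3

# Constructed in-memory stand-in for a CodeIgniter-style db session table,
# extended with the user_id column the post describes. Table and column
# names are assumptions, not CI's own schema.
SCHEMA = """
CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
                       ip_address TEXT NOT NULL, last_activity INTEGER NOT NULL);
CREATE TABLE audit_log (ts INTEGER, event TEXT, user_id INTEGER, detail TEXT);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def login(db, user_id, ip_address, now):
    """Create a session for user_id and evict every other live session of
    that user. Returns (new_session_id, number_of_sessions_evicted)."""
    # Record which sessions are displaced before deleting them, so the
    # eviction itself leaves an audit trail (the point raised later in
    # the thread about knowing which user did what).
    old = db.execute("SELECT session_id, ip_address FROM sessions "
                     "WHERE user_id = ?", (user_id,)).fetchall()
    for _sid, old_ip in old:
        db.execute("INSERT INTO audit_log VALUES (?,?,?,?)",
                   (now, "session_evicted", user_id,
                    f"old_ip={old_ip} new_ip={ip_address}"))
    db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    sid = secrets.token_hex(16)  # fresh unguessable id, never reused
    db.execute("INSERT INTO sessions VALUES (?,?,?,?)",
               (sid, user_id, ip_address, now))
    db.commit()
    return sid, len(old)

def is_valid(db, session_id):
    """A session is live only while its row still exists in the table."""
    return db.execute("SELECT 1 FROM sessions WHERE session_id = ?",
                      (session_id,)).fetchone() is not None

def audit_events(db, user_id):
    """Event names logged for user_id, oldest first."""
    return [event for (event,) in db.execute(
        "SELECT event FROM audit_log WHERE user_id = ? ORDER BY ts",
        (user_id,))]
```

Note that the displaced session is simply gone from the table, so the older device's next request fails validation, which is exactly the "kick you out" behaviour WanWizard points out adds no protection against someone who already holds the password.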

  • #18 / Oct 14, 2010 7:20pm

    CharleyW

    10 posts

    Obviously you guys are not auditors.

  • #19 / Oct 15, 2010 3:53am

    WanWizard

    4475 posts

    As it so happens, I have certification in the auditor arena, and have as one of my projects the security of an access control management and IDM system for a central government.

    Related to this subject, it is important to have an audit trail of which user did what, an audit trail of every action related to user and rights management, and proof that you have a secure login system.
    It doesn’t say anywhere that an account can’t be logged in twice at any given moment.

    My point is that if you fear misuse of the account (which is @sojic’s statement), you fail to prove that you have a secure login system. If this is absolutely paramount for your application, you need to use strong authentication, and a lot more security measures at the backend, so that for example it can be proven that file and database data is secure. Also, you need to protect your audit logs from tampering, so you need to write them to another system, in a signed log. And I would like to have the application checked by a specialized company for security issues at the application layer. And a re-check whenever the code changes.

    Proving that you’re secure isn’t easy, and isn’t cheap.
