in reply to How should I handle Orphan Sessions?

Sure. You can use a session cookie, which will be blown away when the user agent is closed.

Think about it: use a session cookie (create a session cookie as the session id), together with the login id and IP address. To resolve your particular problem: if the same user logs in from the same IP address with no session id, just clear up his previous session context from the server, and let him log in.

Re: Re: How should I handle Orphan Sessions?
by sauoq (Abbot) on Dec 20, 2003 at 06:58 UTC
    if the same user logs in from the same IP address with no session id, just clear up his previous session context from the server, and let him log in.

    Uhm, no. Multiple users can share one IP. The most common way this happens is with proxies. Similarly, a single user might appear to come from multiple IPs over successive requests. (Think proxy farms.) The IP is not reliable and your solution does not address his stated problem. Unfortunately, there is no real clean solution to it. The bottom line is that you really have to rely on the authentication credentials. That's really not so bad, though.

    -sauoq
    "My two cents aren't worth a dime.";
    
Re: Re: How should I handle Orphan Sessions?
by soon_j (Scribe) on Dec 20, 2003 at 06:55 UTC
    This is how I did it, just to give you an idea:

    1. Verify if username exists in the database. If it exists, fetch the encrypted password.
    2. Compare the password with the decrypted password from the database.
    3. Generate a session id. It is an encoded result of a username and expiration time.
    4. Generate HTML through CGI with the session_id included as part of QUERY_STRING.

    Every page that is accessed looks for the session id, decodes it, and if it is valid and not expired, generates the pages desired.

    Though I stored IP addresses in a log, I did not include them in the validation since I'm aware of the higher chances that my users would be using their accounts on different machines (with different addresses).

    Would this work.....

    #Generate the HTML and Dump Cookie (session_id)
    &generate_html();

    #A function that checks for the Dumped Cookie. If it can't find the cookie it means that the USER_AGENT is closed.
    &loop_to_check_for_cookie();
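
An added example, not code from any poster in this thread: a session id built from a username and an expiration time, as in steps 3 and 4 above, and checked on every page without using the client IP. The post does not say how the id is encoded, so the HMAC-SHA256 signature, the token layout, the secret and all sub names here are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Assumption: a server-side secret; load it from configuration in real use.
my $SECRET = 'constructed-demo-secret';

# Hypothetical layout: base64url("expiry|username") . "." . hex HMAC.
sub make_session_id {
    my ($username, $ttl_seconds, $now) = @_;
    $now = time unless defined $now;
    my $payload = encode_base64url(join '|', $now + $ttl_seconds, $username);
    return $payload . '.' . hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so the MAC check does not leak timing.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username for a valid, unexpired id; undef otherwise.
sub check_session_id {
    my ($sid, $now) = @_;
    $now = time unless defined $now;
    return unless defined $sid && $sid =~ /\A([A-Za-z0-9_-]+)\.([0-9a-f]{64})\z/;
    my ($payload, $mac) = ($1, $2);
    return unless secure_eq($mac, hmac_sha256_hex($payload, $SECRET));
    my ($expiry, $username) = split /\|/, decode_base64url($payload), 2;
    return unless defined $username && $expiry =~ /\A\d+\z/ && $expiry > $now;
    return $username;
}

# Constructed sample run with a fixed clock (no real users or data).
my $t0  = 1_071_900_000;
my $sid = make_session_id('alice', 1800, $t0);
(my $forged = $sid) =~ s/\A[^.]+/encode_base64url('9999999999|admin')/e;

my $fresh    = check_session_id($sid,    $t0 + 60);
my $expired  = check_session_id($sid,    $t0 + 1801);
my $tampered = check_session_id($forged, $t0 + 60);
printf "fresh:    %s\n", $fresh    // 'rejected';
printf "expired:  %s\n", $expired  // 'rejected';
printf "tampered: %s\n", $tampered // 'rejected';
```

Because the id is validated from its own contents, an abandoned one simply stops working at its expiry time with no server-side cleanup. The trade-off is that it cannot be revoked earlier unless the server also keeps a list of ids it has invalidated.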