New to php
I want to create new table and store session ID
this step is to prevent multiple login
Current using this code which does not check multiple logins
Any advice would be appreciated

<?php
	//Start session
	session_start();
	
	//Include database connection details
	require_once('config.php');
	
	//Array to store validation errors
	$errmsg_arr = array();
	
	//Validation error flag
	$errflag = false;
	
	//Connect to mysql server
	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if(!$link) {
		die('Failed to connect to server: ' . mysql_error());
	}
	
	//Select database
	$db = mysql_select_db(DB_DATABASE);
	if(!$db) {
		die("Unable to select database");
	}
	
	//Function to sanitize values received from the form. Prevents SQL injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	
	//Input Validations
	if($login == '') {
		$errmsg_arr[] = 'Login ID missing';
		$errflag = true;
	}
	if($password == '') {
		$errmsg_arr[] = 'Password missing';
		$errflag = true;
	}
	
	//If there are input validations, redirect back to the login form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: login-form.php");
		exit();
	}
	
	//Create query
	$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
	$result=mysql_query($qry);
	
	//Check whether the query was successful or not
	if($result) {
		if(mysql_num_rows($result) == 1) {
			//Login Successful
			session_regenerate_id();
			$member = mysql_fetch_assoc($result);
			$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
			$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
			$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
			session_write_close();
			header("location: member-index.php");
			exit();
		}else {
			//Login failed
			header("location: login-failed.php");
			exit();
		}
	}else {
		die("Query failed");
	}
?>
Member Avatar for diafol

This isn't your script I take it.
Have you tried checking the DB for an active session before an INSERT is allowed?

If you've got a 'logged' table with the user_id, session_id and time of last page impression, this should be reasonably adequate.

Your user will only be able to see a new page if they go to a new page within say 20 minutes and the session_id is still valid, otherwise they are logged out automatically.

If your user tries to log in on another machine or other browser and they have an active session (within the 20 minutes), they can be declined login. On the other hand, if the 20 minute period is up, delete the record and allow login and insert a new record with the relevant session_id and page impression time. An user returning to the original machine/browser will then find that they have been logged out by the system.

There are a number of fully fledged authentication scripts out there, if you're unsure.

Member Avatar for diafol

Out of interest I had a look, but it won't stop multiple login by same user as far as I can see. It would stop you logging in during the same session, but not from a different browser or machine.

the links provided has 3 tables id username and password
the code does not write session in db
cannot check where a user has loggedin
any other suggestions plz

Member Avatar for diafol

the links provided has 3 tables id username and password
the code does not write session in db
cannot check where a user has loggedin
any other suggestions plz

Are you talking about 3 fields or 3 tables?

You'll need to add 2 fields to the members table called something like session_id and last_impression (or better still, create a new table called sessions and give it id, member_id, session_id, last_impression fields). Then you'll be able to see if a member is logged in.

Session variables are only relevant for that particular browser/machine combo. Cookies are usually dependent on the browser, but I have heard that Opera can read cookies stored by other browsers - I have no idea if this is true.

I believe that this has to be done via DB (or a file on the server - you'd probably want to avoid files though - yuk).

In the table you saving username and password, have one more field named 'Status' or whatever. Each time user logs in get the status updated like 'online' and when you checking the username+ password combination for the login page just check this field also, if the user is already "Online" , you wont allow him to log in again, in addition to this you can show some custom message also.
Hope this will solve your problem.

Member Avatar for diafol

Sorry to butt in again, but a status field will be difficult to implement unless the user actually logs out every time. Imagine the user just closes the browser (no logout, unless this is scripted into ajax or similar). The problem is now that the the user is permanently shut out coz they can't login at all due to the DB stating that they are already logged in. Note that the session variable which keeps the user logged in from page to page will now most likely be killed off since the last visit. Cookies could help here, but unless you use the same browser on the same machine to try and log back in, it'll tell you to push off as well.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.