Implementation of PHP user login restrictions

Source: Internet
Author: User
The following problem came up during development of the Alimail inquiry management system: for the sake of information security, we wanted each person who can access the system to have their own account instead of sharing one, and each account to be usable by only one user at a time. At first, we locked the user at login: after the user logs in, the account is marked, and if the user has not gone offline when a second login is attempted, that login is refused. This solved the problem of several users logging in to a single account simultaneously, but we ran into a bigger problem in practice: because the account is locked at login, an unlock operation must run when the user leaves the website. Many users leave by simply clicking the browser's close button, so the unlock never happens, and in the end normal logins are blocked as well.

So how can we restrict account logins in a friendly way? First, let's look at how PHP identifies whether a user is logged in. HTTP is stateless, so the protocol by itself cannot identify users. In general, users are identified through cookies or sessions. The biggest difference between them is that cookie data is stored by the client, which sends its valid cookies to the server along with every request, whereas session data is stored by the server, which uses a specific cookie value sent by the client to determine whether requests belong to the same session. In this way, we conduct login detection for users:

 

Obviously, the above code does not guarantee that a single user can be logged in only once at a time. The first method of restricting an account to a single login is to store the session id at login: when a user logs in, first delete the session of the previous user, then save the session id of this login. In this way, the original user is pushed offline by the new user:

 

On this basis, we can also limit the number of simultaneous logins by a single user. Just change the kick_user function as follows:

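```php
function kick_user($num = 1) {
    // Obtain the stored session ids ("|"-separated); the file may not exist yet.
    $last_login_session_id_file = file_exists("loginsession.txt")
        ? file_get_contents("loginsession.txt") : "";
    // array_filter drops the empty entry that explode() yields for an empty file.
    $last_login_session_id_arr = array_filter(explode("|", $last_login_session_id_file));
    if (!in_array(session_id(), $last_login_session_id_arr)) {
        array_push($last_login_session_id_arr, session_id());
    }
    // More sessions than allowed: take the oldest one off the list.
    if (count($last_login_session_id_arr) > $num) {
        $rmsession = array_shift($last_login_session_id_arr);
    }
    // session_path is a constant holding the session save directory, defined elsewhere.
    if (isset($rmsession) && is_file(session_path . "/sess_" . $rmsession)) {
        unlink(session_path . "/sess_" . $rmsession);
    }
    file_put_contents("loginsession.txt", implode("|", $last_login_session_id_arr));
}
```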
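The approach above, carried one step further as an added example (not code from the original article): the session list is kept per account under a file lock and checked on every request, so it does not depend on deleting session files and works with any session handler. `REGISTRY_DIR`, the function names and `/login.php` are assumptions.

```php
<?php
// Added example; names, REGISTRY_DIR and /login.php are assumptions. session_start() must already have run.
const REGISTRY_DIR = '/var/lib/myapp/login-registry'; // assumed: exists, outside the web root
function registry_path(string $userId): string {
    // Hash the account id so it can never influence the file path.
    return REGISTRY_DIR . '/' . hash('sha256', $userId) . '.json';
}

function read_ids($fh): array {
    $ids = json_decode(stream_get_contents($fh) ?: '[]', true);
    return is_array($ids) ? $ids : [];
}

// Call after the password check succeeds; keeps only the newest $max sessions.
function register_login(string $userId, int $max = 1): void {
    session_regenerate_id(true);          // fresh id on login, old id is discarded
    $_SESSION['user_id'] = $userId;
    $fh = fopen(registry_path($userId), 'c+');
    if ($fh === false) {
        throw new RuntimeException('cannot open login registry');
    }
    flock($fh, LOCK_EX);                  // serialize concurrent logins to one account
    $ids = read_ids($fh);
    $ids[] = session_id();
    $ids = array_slice(array_values(array_unique($ids)), -max(1, $max)); // oldest fall off
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($ids));
    fclose($fh);                          // also releases the lock
}

// Call on every request; a session pushed out of the list is logged out here.
function require_active_login(): string {
    $userId = $_SESSION['user_id'] ?? null;
    $fh = is_string($userId) ? @fopen(registry_path($userId), 'r') : false;
    $ids = [];
    if ($fh !== false) {
        flock($fh, LOCK_SH);              // wait out a login that is rewriting the list
        $ids = read_ids($fh);
        fclose($fh);
    }
    if (!in_array(session_id(), $ids, true)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return $userId;
}
```

Because nothing is locked at login, a user who closes the browser without logging out is simply replaced by their next login.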
