PHP Developers Network

I have a site that allows members to log in. If a member is logged in and another browser session is started with another member logging in, the second member becomes the active member on the first browser session effectively hijacking the first members account. I'm not sure which code is allowing this to happen. Does anyone have a suggestion?
Thanks.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

Thanks for the replies and here is more info. I am using Safari and it is the same browser session in a different tab on the same computer. What I'm trying to avoid is a member logging in on one tab and another member logging in another tab on the same computer which causes the conflict. Is there a way to make a user log off before another user logs in on the same computer? That would take care of the issue.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

I think you have a fundamental question to ask yourself: how can you possibly know whether it is the same or a different person who is using the same computer and the same browser, merely opening a new tab? That's exactly the same as the same person just deciding to sign on as a different user.

What you could do, I suppose, is (as part of your login page) check to see if a user is already logged on in the current session, and not allow another login until the currently logged-in user has logged out.

Here is the auth.php file. I'm not real sure what code (or even the logic) to add to this file.

If you were to follow my advice you would place the code on your login page;

This unsets (removes) any session variables that exists: this would then log out any person logged in on the same browser.

I don't understand the necessity for this sort of measure; if you could perhaps explain a bit more. Logically speaking two people using the same browser and the same terminal for the same application doesn't make sense, it would be easier to create a general user which grants access to all users (same privileges, same functions). This might be the case but then forcing logout would be pointless as the application doesn't have to logout. For a multi-user setup this is rather pointless imo; if the system has user specific functions & roles (one user is admin while another is a normal user) then common sense dictates that you would logout before allowing someone else, who might be a lower lever user, to work on the computer

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

I see your point now. I'm developing in a localhost environment and doing some testing that is probably not a real world situation. And besides, if someone doesn't log out then it makes sense that the new session would take precedent. I'm over thinking this as usual. Thanks for the advice and clarity.