PHP
Roman Rakzin, 2015-06-29 01:38:25

Session creation and authorization. Change password - and the user is authorized?

I create in the session the value Authorized=1 when the user is authorized.
The user keeps the password somewhere in his notebook. Suddenly a thief came in, saw his password and logged in to the system. Our user found out about this and changed the password. But since the thief's session has Authorized=1, he continues to work painlessly with the account.
What to do here? How to avoid such a situation?
I don't want to go to the database every time and check the login/password combination.
In VKontakte, for example, if you open pages in different browsers and change the password from one, then the next page will not open in the second browser, i.e. there is another mechanism.


2 answer(s)
Alexander, 2015-06-29
@zkelo

Bind sessions to IP addresses.

xmoonlight, 2015-06-29
@xmoonlight

The answer to the question of parallel sessions and their destruction is simple:
1. use the database: session_id, user_id, timestamp, ip
2. Update the user's status in the table on the router URI.
Further - any manipulations.
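
The session table from the second answer, as an added example that is not part of either answer: each request does one lookup by session id instead of a login/password check, and a password change deletes the user's other session rows. It assumes PHP with the pdo_sqlite extension; the table layout, function names and sample IPs are hypothetical.

```php
<?php
// Added example: server-side session table. All names here are hypothetical.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pass_hash TEXT NOT NULL)');
// session_id holds the SHA-256 of the cookie value, so a leaked table is not replayable.
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
           ts INTEGER NOT NULL, ip TEXT NOT NULL)');

// Called after a successful login: record the session server-side.
function openSession(PDO $db, int $userId, string $ip): string {
    $sid = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $sid), $userId, time(), $ip]);
    return $sid;
}

// Called on every request: one primary-key lookup, no password check.
function currentUser(PDO $db, string $sid): ?int {
    $key = hash('sha256', $sid);
    $q = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $q->execute([$key]);
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return null; // no row: the session was revoked or never existed
    }
    $db->prepare('UPDATE sessions SET ts = ? WHERE session_id = ?')->execute([time(), $key]);
    return (int) $userId;
}

// Password change: store the new hash and drop every other session of this user.
function changePassword(PDO $db, int $userId, string $newPassword, string $keepSid): void {
    $db->beginTransaction();
    $db->prepare('UPDATE users SET pass_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM sessions WHERE user_id = ? AND session_id <> ?')
       ->execute([$userId, hash('sha256', $keepSid)]);
    $db->commit();
}

// Constructed scenario: owner and thief are both logged in with the old password.
$db->prepare('INSERT INTO users VALUES (1, ?)')->execute([password_hash('old-secret', PASSWORD_DEFAULT)]);
$owner = openSession($db, 1, '198.51.100.10');
$thief = openSession($db, 1, '203.0.113.77');
changePassword($db, 1, 'new-secret', $owner);
var_dump(currentUser($db, $owner)); // session that performed the change
var_dump(currentUser($db, $thief)); // session opened with the stolen password
```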
