I want to know how I should go about allowing users to log in to multiple accounts in the same session. For example, a user should be able to open a tab, log into Account A, and open up another tab to log into Account B. I also want to make sure that anything he does in the first tab affects Account A only, but anything done in the second tab affects Account B and nothing else.
Here is a more concrete example of what I am having trouble with. Let's say there is a JavaScript function called deleteList(listId) that is exposed in the global space, that is, he can call this function in the browser console. Now, this user somehow identifies the listId for a list that exists in Account B. Then, he opens up the tab where he is logged in as Account A, and uses the function to delete the list in Account B although he is on a page where he is logged in as Account A.
I know this may not be a practical or real situation, but I want to know, for the sake of learning, how to prevent this behaviour. That is, if I allow a user to log in to multiple accounts, how can I differentiate each connection (opened tab/window) made by the user even in the same session?
Can I create a new session with each unique connection in PHP? Because what I observe is that if I open multiple tabs, they are all identified as the same session.
1 solution
#1
0
As far as I noticed, Google handles it by an argument in the URL. The basic idea is that you store a table of user data in $_SESSION and not a single record.
Let's say you keep username and userip in $_SESSION after the login procedure, so instead of keeping them directly in $_SESSION, you add a record to the $_SESSION[] array.
$_SESSION['username'] = ...
$_SESSION['userip'] = ...
to
$_SESSION[] = array('username' => ...,'userip' => ...);
OK, so after a few logins we have an array of arrays of username and userip.
The second thing is to rewrite the URL so that it ignores the first part:
/(.*)/(.*) -> /$2?user=$1
From now on, we refer to the logged-in user's session like this:
$_SESSION[$_GET['user']][...]
That would be it. Of course you may use different rewrite rules; it is just an example of the idea.
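The server-side ownership check that stops the deleteList(listId) scenario from the question, as an added example that is not part of the original post: the login slot from the rewritten URL is validated on every request, and a list is deleted only if the account in that slot owns it. The helper names, the in-memory $lists table and the sample logins are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's list table: listId => owning username.
$lists = [101 => 'alice', 202 => 'bob'];

// One browser session holding two logins (constructed). In a real application this
// array would sit under a named key such as $_SESSION['accounts'], because PHP's
// default session serializer does not persist numeric top-level keys.
$session = [
    ['username' => 'alice', 'userip' => '192.0.2.10'],
    ['username' => 'bob',   'userip' => '192.0.2.10'],
];

/** Resolve the ?user= slot to a login record, or null if it is not a valid slot. */
function activeAccount(array $session, $slot): ?array
{
    // $_GET values are client-controlled strings (or arrays): accept digits only.
    if (!is_string($slot) || !ctype_digit($slot)) {
        return null;
    }
    return $session[(int) $slot] ?? null;
}

/** Delete a list only if the account selected by this request owns it. */
function deleteList(array &$lists, array $session, $slot, int $listId): string
{
    $account = activeAccount($session, $slot);
    if ($account === null) {
        return 'denied: no such login slot';
    }
    if (($lists[$listId] ?? null) !== $account['username']) {
        // Same reply for "missing" and "not yours" so list ids cannot be probed.
        return 'denied: list not found for this account';
    }
    unset($lists[$listId]);
    return "deleted list $listId for {$account['username']}";
}

// After the rewrite rule, tab A requests /0/... and tab B requests /1/...
echo deleteList($lists, $session, '0', 202), PHP_EOL; // tab A asks for bob's list
echo deleteList($lists, $session, '1', 202), PHP_EOL; // tab B asks for bob's list
echo deleteList($lists, $session, 'x', 101), PHP_EOL; // malformed slot value
```

Because the account is derived from the slot on each request and compared with the list's owner on the server, a call made from the browser console in tab A cannot touch Account B's data, whatever listId is supplied.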