summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-02-22 10:42:57 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2011-02-23 11:17:26 +0100
commitf961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b (patch)
tree5e13178872626820f171d0844c4375f3f59ed14e
parentc39183c3ee7eb1b127e981d1f023a13fd88cbea9 (diff)
Add a per-user session limit (fixes FS#12898).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/lib/acctfuncs.inc16
-rw-r--r--web/lib/config.inc.proto3
2 files changed, 18 insertions, 1 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index 513a142..a4de12c 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -601,7 +601,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") {
* SID of 0 means login failed.
*/
function try_login() {
- global $PERSISTENT_COOKIE_TIMEOUT;
+ global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
$login_error = "";
$new_sid = "";
@@ -624,6 +624,20 @@ function try_login() {
$dbh = db_connect();
while (!$logged_in && $num_tries < 5) {
+ if ($MAX_SESSIONS_PER_USER) {
+ # Delete all user sessions except the
+ # last ($MAX_SESSIONS_PER_USER - 1).
+ $q = "DELETE s.* FROM Sessions s ";
+ $q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
+ $q.= "WHERE UsersId = '" . $userID . "' ";
+ $q.= "ORDER BY LastUpdateTS DESC ";
+ $q.= "LIMIT " . ($MAX_SESSIONS_PER_USER - 1) . ") q ";
+ $q.= "ON s.SessionID = q.SessionID ";
+ $q.= "WHERE s.UsersId = '" . $userID . "' ";
+ $q.= "AND q.SessionID IS NULL;";
+ db_query($q, $dbh);
+ }
+
$new_sid = new_sid();
$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())";
diff --git a/web/lib/config.inc.proto b/web/lib/config.inc.proto
index 507ce27..bee6889 100644
--- a/web/lib/config.inc.proto
+++ b/web/lib/config.inc.proto
@@ -45,6 +45,9 @@ $SUPPORTED_LANGS = array(
"zh_CN" => "简体中文"
);
+# Session limit per user
+$MAX_SESSIONS_PER_USER = 8;
+
# Idle seconds before timeout
$LOGIN_TIMEOUT = 7200;