Skip to content

How to build login system so that only last user logged in can save?

David Todd

I am working on a simple project where I have a login system with multiple users where each user will login and save form entries in a file. Idea is last user who is logged in should always have the write access (and all others write access should be revoked) and if last user logs out then second last user should have the access but if only one user is logged in then he should get the write access automatically.

  • I have login.php page where I provide my user and password.
  • If login is successful then it redirects me to index.php page where I have form with two textbox and a button.
  • On index.php page I have Save Data button which if I click it calls save.php then it save form entries by overwriting in file but there is a catch here as explained below.
  • I also have logout link on my index.php page which if I click then it will log me out and redirect to login.php page. On each logout it clear the session and clears entries from the file as well.

Here is the flow with multiple users trying to save in a file. Only the last user who is logged in will be able to save form entries in a file. All other users who logged in before should get message saying Your write access is revoked since another user is logged in now. For example:

  • If userA is logged in then he should be able to save form entires in a file.
  • If userB is logged in then userA write access is revoked but userB should be able to save.
  • Now If userC is logged in then userB and userA write access is revoked but userC should be able to save.
  • Similarly for other users. Idea is only last user who is logged in should be able to save and all others (who are logged in) write access should be revoked.

Now if last user logs out then second last user who was logged in should get his write access back. And similarly for others as well. Logout/Login can happen in any way from any users.

Here is my index.php file:

<?php

declare(strict_types = 1);

// Start session.
session_start();

// Include helper functions.
require_once 'helpers.php';

// 2 mins in seconds
$inactive = 120; 

if(isset($_SESSION['timeout']) ) {
    $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)
    { 
        redirect('logout.php');
        return;
    }
}

$_SESSION['timeout'] = time();

// Redirect user to login page if not authenticated.
if (! check_auth()) {
    redirect('logout.php');
    return;
}

?>
<!doctype html>
<html>
<head>
    <title>Home</title>
</head>
<body>
    <div>
        <h1>Website Title</h1> <a href="logout.php">Logout</a> </div>
    <div>
        <p>Welcome back, <?= $_SESSION['user_id'] ?>!</p>
    </div>
    <form method="post">
        <input type="text" name="field1" />
        <input type="text" name="field2" />
        <input type="submit" name="submit" value="Save Data"> </form>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
    <script>
    $(function() {
        "use strict";
        $('form').submit(function(e) {
            e.preventDefault();
            $.post({
                url: 'save.php',
                data: $(this).serialize(),
            }).done(response => {
                response = JSON.parse(response);
                if (response.message) {
                    alert(response.message);
                }
            }).fail(jqXhr => {
                if (jqXhr.status == 400) {
                    //redirect to specified url in the response text
                    window.location.href = jqXhr.responseText; 
                }
            });
        });
    });
    </script>
</body>
</html>

Here is my save.php file:

<?php
declare(strict_types=1);
// Start session.
session_start();
// Include helper functions.
require_once 'helpers.php';

// 2 mins in seconds
$inactive = 120; 

if(isset($_SESSION['timeout']) ) {
    $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)
    { 
        redirect('logout.php');
        return;
    }
}

$_SESSION['timeout'] = time();

// Redirect user to login page if not authenticated.
if (! check_auth()) {
    redirect('logout.php');
    return;
}

if (! is_authorized_to_write()) {
    echo json_encode([
        'success' => false,
        'message' => 'Your write access is revoked since another user is logged in now.',
    ]);
    return;
}

// save form entries in a file here

Problem Statement

All my above code works fine but there is a bug with multiple users trying to save form entries in a file –

  • If userA logs in then he is able to save form entries in a file successfully.
  • But if userB logs in then userA write access is revoked and userB can save which is fine.
  • Now if userC logs in then userA and userB both write access is revoked and userC can save which is fine.

Now as you can see all three users are logged in but if userB logs out then userC has write access because he was the last one to login so it works fine. But as soon as userC logs out and no one is remaining then userA write access should be back but somehow whenever userA tries to save, it says someone is logged in so he cannot save. And that is the bug. I think problem is the way I am storing entries in current_user.txt file but somehow not able to figure out on how to store in such a way so that last user who is logged in should always have the write access and if last user logs out then second last user should have the access but if only one user is logged in then he should get the write access automatically.

Advertisement

Answer

Why can’t you just let them each save to their own file or use a database? In case you really desire such absurd behavior, just make the login of one user set a flag in the user table, that will restrict other’s from writing the file. File-based sessions cannot be used for such functionality, because it has to be state-less.

Martin Zeitler
User contributions licensed under: CC BY-SA
2 People found this is helpful