I am building a user registration and login system and need some advice around storing session IDs and validating user credentials, etc.
Once I have gone through the standard username and password validation, I generate a session ID using the user's ID, email address and time of login + the user's IP address.
The session ID is then stored in the database and a $_SESSION is created with this as the value. The last login time is also stored in the database.
So when I go to validate the login on different pages, I can take the session ID, last login time and current session IP address and re-generate the session ID to see if it matches.
The only issue is that this would mean a user can only log in once on a single browser, as logging in again on a different browser would make the first session invalid.
My question is: do you think this is a good way of validating logins and if not, can you advise on something better?
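
The scheme described in the post, written out as an added PHP example (not the poster's code) so the single-login limitation can be reproduced, next to the common alternative of one random token per login. The function names, the in-memory arrays standing in for database tables, the sample user and the use of SHA-256 are assumptions.

```php
<?php
// Added illustration. Arrays stand in for database tables; SHA-256 is an
// assumption, since the post does not say how the ID is generated.
// Scheme from the post: the ID is a function of user id, email, login time, IP.
function deriveSessionId(array $user, int $loginTime, string $ip): string
{
    return hash('sha256', implode('|', [$user['id'], $user['email'], $loginTime, $ip]));
}

function loginDerived(array &$users, int $uid, int $now, string $ip): string
{
    $users[$uid]['last_login'] = $now;   // one slot per user, overwritten on each login
    $users[$uid]['session_id'] = deriveSessionId($users[$uid], $now, $ip);
    return $users[$uid]['session_id'];   // value that would be placed in $_SESSION
}

function checkDerived(array $users, int $uid, string $sid, string $ip): bool
{
    $row = $users[$uid] ?? [];
    if (!isset($row['last_login'], $row['session_id'])) {
        return false;
    }
    $expected = deriveSessionId($row, $row['last_login'], $ip); // re-generate and compare
    return hash_equals($expected, $sid) && hash_equals($row['session_id'], $sid);
}

// Contrast: one random token per login, one row per session, so logins coexist.
function loginRandom(array &$sessions, int $uid, int $now): string
{
    $token = bin2hex(random_bytes(32));  // CSPRNG output, no guessable inputs
    $sessions[hash('sha256', $token)] = ['user_id' => $uid, 'created' => $now];
    return $token;                       // only the hash of the token is stored
}

function checkRandom(array $sessions, string $token): ?int
{
    return $sessions[hash('sha256', $token)]['user_id'] ?? null;
}

$users = [7 => ['id' => 7, 'email' => 'alice@example.test']]; // constructed sample user
$ip = '203.0.113.10';                                          // constructed sample IP
$a = loginDerived($users, 7, 1700000000, $ip);   // browser A logs in
$b = loginDerived($users, 7, 1700000500, $ip);   // browser B logs in, replacing A's slot
var_dump(checkDerived($users, 7, $a, $ip), checkDerived($users, 7, $b, $ip));

$sessions = [];
$ra = loginRandom($sessions, 7, 1700000000);     // browser A
$rb = loginRandom($sessions, 7, 1700000500);     // browser B
var_dump(checkRandom($sessions, $ra), checkRandom($sessions, $rb));
```

Every input to the derived ID is known or guessable, so it carries no secret unless a server-side key is mixed in; the random token has no such dependency.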