Can the one session per member ID contraint be examined?

[G17 Media]

I ran into a problem recently that took me some time to figure out.

Basically, we show a CAPTCHA to users to protect against automated downloads.
Recently, we added a system where they only have to do this every 30 minutes (and we set a $_SESSION['download_captcha_last_completed'] variable).

This didn't seem to work for me randomly, and upon long investigation, I realized I had my PC was also on the website. I suspect what was happening is that my PC was making requests for notifications, which would cause my laptop's session to be wiped out. It isn't noticeable to users (I guess they get logged in via pass hash or something else?) but the $_SESSION array seems to get completely wiped out, which means my system is unworkable for users which are logged in via multiple devices (or their phone or another device is checking for notifications). When I closed my PC browser my system worked as designed.

It looks like this is related:

Is it possible you can allow multiple sessions per member ID - or - as a compromise, perhaps save the $_SESSION array?

[Mark]

It is something we are investigating. For the meantime I would recommend creating a database table with IP addresses and the last time the captcha was completed.