
Denying Multi Login with same ID

Posted: Wed Jun 30, 2004 10:18 am
by Atiq
Here is what I want:

"If a user is logged in and another user with the same login/password tries to enter the system, he should not be able to log in until the other user has logged out of the system."

I can store the entry for the user in the table. And as long as that entry stays in the table, other users cannot log in.

But the problem is: when should I delete this entry from the table?

When the user presses logout, that is OK.

But what if the light goes off, or there is any other unintentional logout?

Please advise.

Regards,

Atiq

Posted: Wed Jun 30, 2004 10:26 am
by pickle
The first thing that pops to mind is a cookie/session combo. When a person logs in, create a custom session id, and store it both in the db (along with the associated username and the expiration time), and in the cookie. When a person logs in, initialize the session in the db, and set the cookie. When a person goes to a new page, update the expiration time on the session, if they've got a legitimate cookie. So, when a person logs in, check if there's already a session attached to their username. If they don't have the corresponding cookie, deny them.

Posted: Wed Jun 30, 2004 10:28 am
by DaiWelsh
It is a judgement call, but you need to keep info on when the user last loaded a page and give some grace period after that before they are considered automatically logged out.

For example it could be within 10 minutes of their last page load.

However, you need to consider that a user might close (or crash?) their browser and then come back with a fresh browser instance (and hence no session cookies) and be blocked from logging in even though it was them who was previously logged in with that username. Don't know about your users but that would probably annoy the h*** out of me ;) You could always store a more permanent cookie and let them back in within the lockout period if they appeared to be on the same machine?

Is this a security measure of some kind?

Posted: Thu Jul 01, 2004 1:43 am
by Atiq
Thanks

But my question stays the same!

How and when can I delete the entry from the table?

Posted: Thu Jul 01, 2004 3:41 am
by PAW Projects
Personally, I agree with DaiWelsh and I'd go about it the other way.

When a user is logged in from computer A, and he logs in from computer B, his session on computer A should be invalidated.

Posted: Fri Jul 02, 2004 9:29 am
by pickle
You can delete the entry either when they log out, when their session times out or, as ~DaiWelsh says, when they log in to another computer. It's just a simple matter of changing the value of the cookie and/or removing a row from a MySQL table.
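
Added example, not code from any poster in this thread: the three deletion points discussed above (explicit logout, idle timeout, login from another machine) in Python, with an in-memory SQLite table standing in for the MySQL table. The function names, the `takeover` flag and storing only a hash of the session token are assumptions of this example.

```python
import hashlib
import secrets
import sqlite3
import time

IDLE_TIMEOUT = 600  # seconds; the 10-minute grace period suggested in the thread

def _digest(token):
    # Assumption: store only a hash so a leaked table does not leak live cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL table
    db.execute("CREATE TABLE sessions (username TEXT PRIMARY KEY,"
               " token_hash TEXT NOT NULL, expires REAL NOT NULL)")
    return db

def login(db, username, cookie=None, now=None, takeover=False):
    """Call after the password check passed. Returns a new cookie value, or None if denied."""
    now = time.time() if now is None else now
    # Lazy cleanup: stale rows vanish at the next login, so a power cut needs no logout event.
    db.execute("DELETE FROM sessions WHERE expires <= ?", (now,))
    row = db.execute("SELECT token_hash FROM sessions WHERE username = ?",
                     (username,)).fetchone()
    same_browser = bool(row and cookie) and secrets.compare_digest(row[0], _digest(cookie))
    if row and not (same_browser or takeover):
        return None  # someone else holds a live session for this username
    token = secrets.token_urlsafe(32)
    # REPLACE overwrites the old row, which invalidates the previous cookie.
    db.execute("REPLACE INTO sessions VALUES (?, ?, ?)",
               (username, _digest(token), now + IDLE_TIMEOUT))
    db.commit()
    return token

def touch(db, username, cookie, now=None):
    """Call on every page load: slides the expiry. False means the session is dead."""
    now = time.time() if now is None else now
    cur = db.execute("UPDATE sessions SET expires = ? WHERE username = ?"
                     " AND token_hash = ? AND expires > ?",
                     (now + IDLE_TIMEOUT, username, _digest(cookie), now))
    db.commit()
    return cur.rowcount == 1

def logout(db, username, cookie):
    db.execute("DELETE FROM sessions WHERE username = ? AND token_hash = ?",
               (username, _digest(cookie)))
    db.commit()
```

With `takeover=False` a second browser is denied until the row expires or is deleted; with `takeover=True` the newest login wins and the older cookie stops working on its next page load.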