One login allowed per user id at any time

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

stevieSky
Forum Newbie
Posts: 10
Joined: Wed Apr 26, 2006 4:18 pm

Post by stevieSky »

Hi,

The following problem I have researched but could not find an answer... I need a way of restricting a user from logging in from more than one browser at a time, for example to stop one user from passing around their login and password to colleagues... is there a way to do this, anyone? I know that I could store a ticket when they log in, but unless they push the logout button the ticket will not be cancelled, i.e. if they close the browser, then when they try to log in there will still be a ticket stopping them from logging in... any ideas would be greatly appreciated, thanks
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

One possible way would be to monitor the IP which they logged in from. If the IP changes, log them out.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Log the IP in the DB. Every link click, log the time. If the IP changes within 5 mins (or a time you define) then lock them out. This generally isn't going to be a good idea for general public use...
stevieSky
Forum Newbie
Posts: 10
Joined: Wed Apr 26, 2006 4:18 pm

Post by stevieSky »

Thanks mate for your answer, the problem is most of the people accessing it will be inside an intranet... will they all appear to have the same IP address?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Just remember that AOL and some other users' IPs can change rapidly...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: One login allowed per user id at any time

Post by timvw »

For every requested page you have to check if their 'session' is still valid.
If they login a second time, generate a new session, and invalidate the previous session(s).

Now, they are always capable of logging in and only the most recent login will be able to access the data.

If this isn't enough you can also add an interval between the generation of two logons.. Probably a timeout that grows when the number of logon attempts grows...
jwalsh
Forum Contributor
Posts: 202
Joined: Sat Jan 03, 2004 4:55 pm
Location: Cleveland, OH

Post by jwalsh »

I've done it in the past by creating a random token, and storing it in a cookie and the database. Then just check that the tokens match. Every time a login action occurs, a new token is generated, which renders the old one invalid.

Josh
stevieSky
Forum Newbie
Posts: 10
Joined: Wed Apr 26, 2006 4:18 pm

Post by stevieSky »

Thanks for the feedback... we thought this was a good idea, only the fact that we would be kicking the first user out but we actually want to stop the second user from logging in... we came up with a solution... we use it in line with Ajax... when a user logs in and they have to have JavaScript installed or else we log them out... every time they do an action we check to see if JavaScript is still enabled... every minute we send a response to the server updating a timestamp along with the user id... when someone else tries to log in using this id we check to see if the timestamp is more than 1 minute old... if it is then it means the user has closed their browser and we can log the second person in... if it is less than a minute we block this user
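
The two policies discussed in this thread (a new login replacing the old token, and the one-minute heartbeat that refuses a second login), sketched as an added example that is not code from any poster. The class name, the in-memory array standing in for the database table, and the fixed timestamps are assumptions; it needs PHP 8.

```php
<?php
declare(strict_types=1);
// Added example: the array stands in for a sessions table (user id => row).
final class SingleLoginGate
{
    private array $rows = [];

    public function __construct(
        private bool $blockSecondLogin, // true: refuse 2nd login; false: newest login wins
        private int $leaseSeconds = 60  // heartbeat window from the last post
    ) {}

    /** Returns a fresh cookie token, or null when the login is refused. */
    public function login(string $userId, int $now): ?string
    {
        $row = $this->rows[$userId] ?? null;
        $live = $row !== null && ($now - $row['seen']) <= $this->leaseSeconds;
        if ($live && $this->blockSecondLogin) {
            return null; // another browser is still sending heartbeats
        }
        $token = bin2hex(random_bytes(32));
        // Store only a hash so a leaked table does not yield usable tokens.
        $this->rows[$userId] = ['hash' => hash('sha256', $token), 'seen' => $now];
        return $token;
    }

    /** Call on every page request and on every Ajax heartbeat. */
    public function touch(string $userId, string $token, int $now): bool
    {
        $row = $this->rows[$userId] ?? null;
        if ($row === null || !hash_equals($row['hash'], hash('sha256', $token))) {
            return false; // unknown user, or token replaced by a newer login
        }
        if ($now - $row['seen'] > $this->leaseSeconds) {
            unset($this->rows[$userId]); // lease lapsed: browser closed or JS off
            return false;
        }
        $this->rows[$userId]['seen'] = $now;
        return true;
    }
}

// Constructed walk-through; fixed timestamps replace time().
$gate = new SingleLoginGate(blockSecondLogin: true);
$first = $gate->login('stevie', 1000);            // first browser logs in
var_dump($gate->login('stevie', 1030));           // second browser, 30 s later
var_dump($gate->touch('stevie', $first, 1050));   // heartbeat from first browser
var_dump($gate->login('stevie', 1200) !== null);  // login after 150 s of silence
var_dump($gate->touch('stevie', $first, 1201));   // first browser's old token
```

The caller is assumed to have verified the password before calling `login()`. In block mode a crashed browser keeps the real user out until the lease lapses, so the lease length is the trade-off to tune.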