
One login allowed per user id at any time

Posted: Wed Jun 14, 2006 6:36 pm
by stevieSky
Hi,

The following problem I have researched but could not find an answer...I need a way of restricting a user from logging in from more than one browser at a time, for example to stop one user from passing around their login and password to colleagues...is there a way to do this, anyone...I know that I could store a ticket when they log in, but unless they push the logout button the ticket will not be cancelled, i.e. if they close the browser then when they try to log in there will still be a ticket stopping them from logging in...any ideas would be greatly appreciated, thanks

Posted: Wed Jun 14, 2006 6:43 pm
by bokehman
One possible way would be to monitor the IP which they logged in from. If the IP changes, log them out.

Posted: Wed Jun 14, 2006 6:50 pm
by Chris Corbyn
Log the IP in the DB. Every link click, log the time. If the IP changes within 5 mins (or a time you define) then lock them out. This generally isn't going to be a good idea for generally public use...

Posted: Wed Jun 14, 2006 6:51 pm
by stevieSky
Thanks mate for your answer, the problem is most of the people accessing it will be inside an intranet....will they all appear to have the same IP address?

Posted: Wed Jun 14, 2006 7:04 pm
by feyd
Just remember that AOL and some other users' IPs can change rapidly...

Re: One login allowed per user id at any time

Posted: Wed Jun 14, 2006 8:03 pm
by timvw
For every requested page you have to check if their 'session' is still valid.
If they login a second time, generate a new session, and invalidate the previous session(s).

Now, they are always capable of logging in and only the most recent login will be able to access the data.

If this isn't enough you can also add an interval between the generation of two logons.. Probably a timeout that grows when the number of logon attempts grows...

Posted: Wed Jun 14, 2006 8:31 pm
by jwalsh
I've done it in the past by creating a random token, and storing it in a cookie and the database. Then just check that the tokens match. Every time a login action occurs, a new token is generated, which renders the old one invalid.

Josh

Posted: Wed Jun 14, 2006 9:13 pm
by stevieSky
Thanks for the feedback...we thought this was a good idea, only the fact that we would be kicking the first user out but we actually want to stop the second user from logging in....we came up with a solution...we use it in line with Ajax...when a user logs in they have to have JavaScript installed or else we log them out...every time they do an action we check to see if JavaScript is still enabled...every minute we send a response to the server updating a timestamp along with the user id...when someone else tries to log in using this id we check to see if the timestamp is more than 1 minute old...if it is then it means the user has closed their browser and we can log the second person in...if it is less than a minute we block this user
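
The heartbeat check described in the last post, combined with the per-login token from jwalsh's reply so that a browser whose slot has been taken over cannot resume, as an added example that is not part of the original thread. It assumes Python on the server, an in-memory dict standing in for the database table, and hypothetical class and method names; the 60-second window is the one-minute figure from the post.

```python
import hmac
import secrets
import time

HEARTBEAT_WINDOW = 60  # seconds; the one-minute window from the post


class SingleLoginStore:
    """In-memory stand-in for the database table (hypothetical names)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the timing can be tested
        self._sessions = {}      # user_id -> (token, last_seen)

    def _is_live(self, user_id):
        entry = self._sessions.get(user_id)
        return entry is not None and self._clock() - entry[1] < HEARTBEAT_WINDOW

    def login(self, user_id):
        """Call only after the password check succeeds. Returns a token or None."""
        if self._is_live(user_id):
            return None  # another browser is still sending heartbeats: block
        token = secrets.token_urlsafe(32)  # fresh token replaces any stale one
        self._sessions[user_id] = (token, self._clock())
        return token

    def check(self, user_id, token):
        """Validate the cookie token on every page request and every heartbeat."""
        entry = self._sessions.get(user_id)
        if entry is None:
            return False
        # Constant-time compare; fails if a newer login superseded this token.
        if not hmac.compare_digest(entry[0].encode(), token.encode()):
            return False
        if self._clock() - entry[1] >= HEARTBEAT_WINDOW:
            return False  # heartbeat lapsed; this browser must log in again
        self._sessions[user_id] = (entry[0], self._clock())
        return True

    def logout(self, user_id, token):
        """Explicit logout frees the slot immediately."""
        if self.check(user_id, token):
            del self._sessions[user_id]
            return True
        return False
```

A browser that misses its heartbeat for longer than the window (a suspended laptop, for instance) is treated the same as a closed one and has to log in again.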