Limit one user per account
Moderator: General Moderators
-
ejennings_98
- Forum Newbie
- Posts: 8
- Joined: Tue Jun 10, 2003 1:28 pm
- Location: Vancouver, CA
- Contact:
Limit one user per account
I have created a login, storing user info in MySQL, and I am able to track the user state using sessions. However, I am trying to make sure that a user’s login account is not used by two people at the same time.
I have tried canceling the first session with the second login, but I am not having much luck. Does anyone have any good ideas, or has anyone tried this before?
Thanks in advance, Eric
-
You might store the sessionId on a valid login in the user table and only serve requests with a corresponding sessionId, but it would require a database query for each request.
http://php.net/session_id
-
volka's approach sounds good.
I would suggest letting the first login continue, but giving an access denied message to the second (and later people). This message should include a way to contact you/the server admin to report abuse if they are the legitimate user. In this manner you don't need to check on every page view. You only need to check at log-in time that no other valid session exists for that user. As you're already querying that table to check some subset of (the username exists, the user's account is active, the user's submitted hashed password matches), it shouldn't add any appreciable overhead to check the current session status.
You'll need to check how your server handles session garbage collection and be sure to set the field in the database to some appropriate "not in use" condition when a session is garbage collected or the user logs out. I would suggest using an empty string, as nulls are bad and should be avoided like the plague. You'll probably want to handle the special case of a person logging in again with the same session id as allowed. It shouldn't happen too often, if at all, but it's worth planning for....
-
ejennings_98
- Forum Newbie
- Posts: 8
- Joined: Tue Jun 10, 2003 1:28 pm
- Location: Vancouver, CA
- Contact:
With your suggestions, a person would be forced to log out if they choose to switch computers, which should be acceptable. I could also force a session timeout of a few hours.
The garbage collection is automatic, using Linux not Win32. However, I was looking at the "session_set_save_handler()" function. This seems like a lot of overhead. I need to track user info for almost all of my pages, and I would not want to call this all the time.
So, would it not be simpler to save the session ID along with the session expiration time? Then when the user logs out, or the session expires, the account can be accessed with a new session ID.
Question: How do you set the timeout for a session?
Thanks, Eric
Hmm, what is more common in your user base:
A. Two people using the same account at once
B. People changing computers with very short "downtime"
How much do you want to penalize A?
If two people end up sharing an account under a design like the one volka mentioned, each user would have to re-login after the other person's page view. This is likely penalty enough, as it makes a site rather unusable. If you have an FAQ, you should make sure to add an entry for "Q: Why do I keep having to log in? A: Because you let someone else use your account and they are messing up your access... DON'T SHARE YOUR ACCOUNT."
How much traffic is your site? Adding the single query
SELECT * from foo where session_id='blah'; to every "secured" page shouldn't hose any site that I can think of, and it is a simpler answer than the approach I suggested.
Regarding session timeout:
It's a php.ini setting (session.gc_maxlifetime) that defaults to 1440 seconds (24 minutes) from last use. While this setting is listed as a PHP_INI_ALL setting, such that you can set it with ini_set(), setting it makes no practical difference as the GC runs before the script is executed, so it won't see the ini_set. Therefore, to change the behavior you either need to be able to change php.ini or write your own custom handlers.
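The following is an added example, written for this thread and not code posted by any of the participants. It implements the design volka and nielsene describe: the users table records the session id of the one active login, a protected page is served only when the request's session id matches that record, and a second login either replaces the first (volka's behaviour, where the first browser is sent back to the login page on its next request) or is refused (nielsene's "access denied, contact the admin" behaviour). The table layout, the `IDLE_TIMEOUT` constant, the policy names and the database credentials are all assumptions made for the example; the idle timeout is enforced from a `last_seen` column so the application does not depend on the `session.gc_maxlifetime` behaviour discussed above.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) schema:
//   users(id INT PRIMARY KEY, username VARCHAR UNIQUE, password_hash VARCHAR,
//         session_id VARCHAR NULL, last_seen INT NULL)
// Database name and credentials are placeholders.
declare(strict_types=1);

const IDLE_TIMEOUT   = 1440;      // seconds; same value as PHP's default session.gc_maxlifetime
const POLICY_REPLACE = 'replace'; // newest login wins, the earlier one is pushed out (volka)
const POLICY_DENY    = 'deny';    // earliest login wins, later logins are refused (nielsene)

session_start([
    'use_strict_mode' => 1,       // reject session ids the server never issued
    'cookie_httponly' => true,
    'cookie_secure'   => true,
]);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'CHANGE_ME', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// Returns true on success. Under POLICY_DENY a concurrent login returns false,
// which the caller turns into the "account already in use, contact the admin" page.
function login(string $username, string $password, string $policy = POLICY_REPLACE): bool
{
    $stmt = db()->prepare(
        'SELECT id, password_hash, session_id, last_seen FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // "Active" means a session id is recorded AND it was used inside the idle window,
    // so a stale record left by a closed browser cannot lock the account forever.
    $otherActive = $user['session_id'] !== null
        && (time() - (int) $user['last_seen']) < IDLE_TIMEOUT;
    if ($otherActive && $policy === POLICY_DENY) {
        return false;
    }

    session_regenerate_id(true);  // fresh id on every login; also blocks session fixation
    db()->prepare('UPDATE users SET session_id = ?, last_seen = ? WHERE id = ?')
        ->execute([session_id(), time(), $user['id']]);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Call on every protected page: one indexed query, as nielsene suggested. The request
// is served only if its session id is the one recorded for the account and the
// account has been active within IDLE_TIMEOUT; otherwise the session is torn down.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT last_seen FROM users WHERE id = ? AND session_id = ?');
    $stmt->execute([$_SESSION['user_id'], session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (time() - (int) $row['last_seen']) >= IDLE_TIMEOUT) {
        logout();                 // superseded by another login, or idle too long
        return null;
    }
    db()->prepare('UPDATE users SET last_seen = ? WHERE id = ?')
        ->execute([time(), $_SESSION['user_id']]);
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    if (isset($_SESSION['user_id'])) {
        // Clear the record only if it still belongs to this session, so logging out
        // of a superseded session does not knock out the login that replaced it.
        db()->prepare('UPDATE users SET session_id = NULL WHERE id = ? AND session_id = ?')
            ->execute([$_SESSION['user_id'], session_id()]);
    }
    $_SESSION = [];
    session_destroy();
}
```

A protected page calls `currentUserId()` first and redirects to the login form when it returns null. The example uses NULL for the "not in use" state where nielsene prefers an empty string; either works as long as the login check tests for the same value. Because the id stored in the table is the one `session_regenerate_id()` just issued, a request carrying any older id for that account fails the match, which is exactly the "keep having to log in" effect nielsene describes for a shared account.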
For the little bit I know, I did something kind of similar using the following:
when the user logs in you could change this to also see if someone else is using the current login.
Code:
// Runs after the username/password lookup ($selectresult) has been executed.
// That lookup is not shown in the post; the outer if/else is reconstructed from the posted braces.
if ($selectresult) {
    if (mysql_num_rows($selectresult) > 0) {   // inner condition assumed: exactly one matching user row
        $user_type = 2;
        // Session id for this login. rand()+microtime() is predictable; a proper random source is preferable.
        $SID = md5(rand() + microtime());
        $sql = "INSERT INTO sessions (SID, user_id, time_expire, session_time, user_type)
                VALUES ('$SID', '$user_id', " . (time() + 3600) . ", '$today', $user_type)";
        mysql_query($sql) or die('An error occurred executing sql statement. SQL=' . $sql . '<br>' . mysql_error());
        $_SESSION['SID'] = $SID;   // set only once the sessions row exists
    }
} else {
    echo "Query failed. SQL=$selectresult error=" . mysql_error();
}
when the user goes to each page they check to see whether their time has expired and if not extend the expiry time.
Code:
session_start();
// $SID comes from the server-side session, not from user input
$SID = isset($_SESSION['SID']) ? $_SESSION['SID'] : '';
$time_now = time();
$time_later = time() + 3600;
$query = "select user_id from sessions where SID = '$SID' and user_type = '2' and time_expire > $time_now";
$result = mysql_query($query) or die("Error in query: $query " . mysql_error());
$numrows = mysql_num_rows($result);
if ($numrows > 0) {
    // still valid: push the expiry another hour out
    $sql = "UPDATE sessions SET time_expire = '$time_later' WHERE SID = '$SID'";
    mysql_query($sql) or die('An error occurred executing sql statement. SQL=' . $sql . '<br>' . mysql_error());
} else {
    // make them log in again
    echo "<meta http-equiv=refresh content='1;url=http://touch.com/dlogin.php'>";
    exit;
}
I also auto log out when they close their browser or also manually log out
Code:
<?php
session_start();
$SID = isset($_SESSION['SID']) ? $_SESSION['SID'] : '';
$logouttime = time();   // undefined in the posted snippet
// Also move time_expire to now: otherwise the per-page check above would keep
// accepting this SID until the original expiry even after logout.
$sql = "UPDATE sessions SET session_end = '$logouttime', time_expire = $logouttime WHERE SID = '$SID'";
mysql_query($sql) or die('An error occurred executing sql statement. SQL=' . $sql . '<br>' . mysql_error());
echo "You have been logged out";
session_destroy();
?>
-
ejennings_98
- Forum Newbie
- Posts: 8
- Joined: Tue Jun 10, 2003 1:28 pm
- Location: Vancouver, CA
- Contact:
Thanks nielsene for your insightful input. I think I will take the approach of re-setting the SID for every login. It is a simple solution and the behavior can be easily explained if there is more than one person using the account. As well, thanks for the info on the session timeout.
lloydie-t, I like your ideas, I think you are describing something similar to what we have been talking about. Could you describe to me how you know when the browser is closed. Your second code example shows a good log-out procedure, but when do you call it?
If the user opens more than one window, will they get booted off if they close one of the windows?
Thanks, Eric
There is always a sting in the tail. I had to use frames to stop it logging me out every time I went to a different page. So in the header of an invisible frame I have used a bit of javascript to take me to the logout page.
Code:
<script language="JavaScript">
function LogoutSessionUser()
{
    // opens the logout page in a small popup so the request completes as the frame unloads
    window.open('sesslogout.php', '', 'width=200,height=100');
}
</script>
in the body
Code:
<body onunload="LogoutSessionUser()">
It is a bit of a shame that I had to use frames, but it is working and now allows me to fairly accurately report on usage.