
dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 6:11 am
by chidge
Any pointers on stopping different browser logins on the same machine?

Each browser is creating a separate session.

Ideally I want someone to, say, log in with Firefox, then when they log in with IE and go back to use the Firefox login, it boots them.

Finding it a little difficult to get my head around - have searched without much avail which tells me that I am looking at this the wrong way.

Thanks

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 6:49 am
by Paul Arnold
What's your reasoning for having this?
I don't see the benefit.
Intrigued though.

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 6:54 am
by chidge
Really it was looking at various sites I log into in different browsers and them logging themselves out.

So if I log in to my profile in Firefox, and then log in to it in IE, I go back to the "other" browser and refresh the page and my profile is logged out.


I wanted to also have this behaviour for my sites but now am wondering how to do this?

I am also sure I have had this working in the past but can't remember how!

ta

*EDIT* Not sure if I have explained myself correctly.

On a profile on my site I only want the user to be able to log in with one browser on the same machine at the same time - how?

**EDIT**
Yahoo lets me log in on two different browsers at the same time.
Facebook doesn't.

Hmm, is this an issue, methinks? (Not if Yahoo doesn't do it.)

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 7:00 am
by Paul Arnold
I think what you're talking about is, say if you're logged in somewhere and someone else logs in somewhere else using the same credentials then it logs you out automagically.
Is this what you're after?

If so it should just be a case of logging sessions in a database and comparing them with a session variable that you set when someone logs in.

So say you log in, it sets a new session in the database and gives it a random string in say the 'session_id' field and at the same time sets a session variable with the same id.

This id will be changed on each login so say if you try to load a page and the session id doesn't match the database session id you'll be logged out.

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 7:05 am
by chidge
I wasn't thinking with a db in mind (thinking readjusted) - that sounds like what I'm looking for. Is a db the only way to go with this? Is there not a session call I can make? I suppose not...

Thanks

*EDIT* someone else has just suggested storing the IP in a session - that works for me

http://www.codingforums.com/showthread. ... post824442

*DOUBLE EDIT* No, that's not worked

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 7:19 am
by onion2k
It's about a million times easier with a database. Store the user's session ID in their user record. If you get a request for a page where $_SESSION['user_id'] is 1, but the session id for that user doesn't match the value in the database for user 1, just log them out.

In theory you could do the same by examining all the session files in the session directory, or using some shared memory pool to track people, but that'd be stupid.
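
The database check described in the posts above, as an added example that is not part of the original thread: each login writes a fresh random token to the user's row and to the session, and a mismatch on a later request means a newer login has taken over. The `users.active_token` column, the function names and the in-memory SQLite database are assumptions for this sketch; in a real application pass `$_SESSION` as `$session`.

```php
<?php
// Added example, not code from the thread. Table/column names are assumed.

function login(PDO $db, int $userId, array &$session): void
{
    // A fresh random token per login overwrites the token of any earlier login.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET active_token = :t WHERE id = :id');
    // Only a hash is stored, so a leaked table does not reveal live tokens.
    $stmt->execute([':t' => hash('sha256', $token), ':id' => $userId]);
    // With real PHP sessions, also call session_regenerate_id(true) here.
    $session['user_id'] = $userId;
    $session['login_token'] = $token;
}

function isCurrentLogin(PDO $db, array $session): bool
{
    if (!isset($session['user_id'], $session['login_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT active_token FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user_id']]);
    $stored = $stmt->fetchColumn(); // false: no such user, null: never logged in
    return is_string($stored)
        && hash_equals($stored, hash('sha256', $session['login_token']));
}

// Demo with constructed data: two arrays stand in for two browsers' sessions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active_token TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$firefox = [];
$ie = [];

login($db, 1, $firefox);
var_dump(isCurrentLogin($db, $firefox)); // Firefox is the only login so far

login($db, 1, $ie);                      // same account, second browser
var_dump(isCurrentLogin($db, $firefox)); // Firefox's token no longer matches
var_dump(isCurrentLogin($db, $ie));      // the newest login stays valid
```

When `isCurrentLogin()` returns false, destroy the session and redirect to the login page.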

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 7:21 am
by onion2k
chidge wrote: *EDIT* someone else has just suggested storing the IP in a session - that works for me
If 2 people are viewing the site from behind the same NAT'd firewall they'll have the same IP address. So, say someone at Google says to their mate "Check this site out! We should buy it for $50m!", only one of them would be able to view it at a time. Not good.

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 9:01 am
by chidge
Thanks guys

I have gone with a db, all working tickety-boo

ta

Re: dont allow different browser login on same machine

Posted: Thu Jun 04, 2009 5:39 pm
by kaisellgren
The sites that log you out for switching web browsers are looking at the HTTP user agent. Basically, when you reload a page (and you are logged in), the script stores your user agent. Now, if you reload a page again and your user agent has changed, you get logged out.

As for IP address locking, it is not wise to tie IPs into sessions. You can, however, tie the IP partly into the session so that the IP can change to a certain extent.
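
The user-agent check and the partial IP binding described in the post above, as an added example that is not part of the original thread. The prefix lengths (/24 for IPv4, /64 for IPv6), the function names and the session keys are assumptions, and the addresses and user-agent strings in the demo are constructed.

```php
<?php
// Added example, not code from the thread. Prefix lengths are assumptions.

function networkPrefix(string $ip): ?string
{
    $packed = @inet_pton($ip);          // 4 bytes for IPv4, 16 for IPv6
    if ($packed === false) {
        return null;                    // not a valid address
    }
    $keep = strlen($packed) === 4 ? 3 : 8;  // keep the /24 or the /64
    return bin2hex(substr($packed, 0, $keep));
}

function bindSession(array &$session, string $ip, string $userAgent): void
{
    $session['ua_hash'] = hash('sha256', $userAgent);
    $session['net'] = networkPrefix($ip);
}

function sessionStillBound(array $session, string $ip, string $userAgent): bool
{
    // isset() is false for a null prefix, so an unparsable login IP fails closed.
    if (!isset($session['ua_hash'], $session['net'])) {
        return false;
    }
    $net = networkPrefix($ip);
    return $net !== null
        && hash_equals($session['ua_hash'], hash('sha256', $userAgent))
        && hash_equals($session['net'], $net);
}

// Demo with constructed values (documentation address ranges).
$ua = 'ExampleBrowser/1.0 (constructed)';
$session = [];
bindSession($session, '203.0.113.10', $ua);

var_dump(sessionStillBound($session, '203.0.113.77', $ua));  // same /24
var_dump(sessionStillBound($session, '198.51.100.5', $ua));  // other network
var_dump(sessionStillBound($session, '203.0.113.10', 'OtherBrowser/2.0'));
```

Both values are sent by the client and can be replayed by anyone who observes them, so this check supplements a server-side login token and transport encryption rather than replacing them.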

Re: dont allow different browser login on same machine

Posted: Fri Jun 05, 2009 1:44 am
by chidge
For me it was more thinking that I could be doing this without the need for a db. My train of thought was locked into this and I didn't even consider a database.
I was previously storing the user agent in a session and checking this against the current user agent, but this code didn't work for separate browsers as they use different sessions.

Ideally I would like to be doing this without the need for using a db but there doesn't seem to be a way to do this.

I have ended up storing the session_id and user_agent in the db in my new sessions table. I am md5'ing them both so they stay at 32 characters and this seems to be working well for me. I could in fact be storing just one of these and actually may well change that now.

Cheers All

Re: dont allow different browser login on same machine

Posted: Fri Jun 05, 2009 2:36 am
by jaoudestudios
This is a common feature on many web applications - it does not allow multiple logins for a single user account simultaneously.

When the user logs in, you should use a unique session which you would store in the database & session info. As soon as these don't match, you boot out that user.

Re: dont allow different browser login on same machine

Posted: Fri Jun 05, 2009 2:45 am
by onion2k
kaisellgren wrote:The sites that log you out for switching web browsers are looking at the HTTP user agent.
You could test that. Install a Firefox extension that lets you change the USER AGENT string to match IE, then try logging in to an app that only allows a user to be logged in from one browser at a time. I expect most would kick you out even though you appear to be using the same browser (based on the USER AGENT and IP address) because the session ids would be different. If they didn't then I would consider that to be a security problem.

Re: dont allow different browser login on same machine

Posted: Fri Jun 05, 2009 7:44 am
by kaisellgren
The reason why user agents are tied into the sessions so often is the fact that user agents do not change during page loads. So, it helps prevent session hijacking attempts.
onion2k wrote:
kaisellgren wrote:The sites that log you out for switching web browsers are looking at the HTTP user agent.
You could test that. Install a Firefox extension that lets you change the USER AGENT string to match IE, then try logging in to an app that only allows a user to be logged in from one browser at a time. I expect most would kick you out even though you appear to be using the same browser (based on the USER AGENT and IP address) because the session ids would be different. If they didn't then I would consider that to be a security problem.
Yeah, I've tested that quite a lot. I once made cURL send the session identifier as well as the user agent I wanted and I was logged in (popular websites such as Facebook) as long as I did not change my user agent (or the session identifier obviously). You just need to modify one bit of that user agent to get logged out (in most cases). It's a very straightforward process to get into others' sessions. For instance, all I have to do is to get my EEE PC and go to a public wifi and start eavesdropping. I will get the session identifiers, user agents and everything I want. Then I just supply the same details and I am in. Even if you tie the session to the specific IP, it won't help in this case.