One user logged (per username) in at a time

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA


Post by Luke »

How would you make sure that people can't log in on two different machines with the same username at the same time?
jamiel
Forum Contributor
Posts: 276
Joined: Wed Feb 22, 2006 5:17 am
Location: London, United Kingdom

Post by jamiel »

On what scale is the site? You could put the Username in the session, then search your Session directory on the server on each login attempt for any matches. You would need a really short timeout however so as not to annoy returning users.

This solution will become impractical with thousands of users however.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Is this even a necessary security precaution?
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I can't think of a large site that I have seen use it.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Funnily enough, Porn sites use it to determine if someone is account sharing (or if it has been hijacked)

My best guess would be Session ID (assigned to username) and IP comparison.

If account 'x' logs in, is using IP 42.234.56.12 and is assigned a session id of '123'

Within a few minutes, 'x' logs in again with IP 89.345.21.22 and has to have a new session id..

What is the likelihood of them being the same person?
mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

Post by mu-ziq »

You could store PHPSESSID of each successful login inside DB table associated with that user and check it on each page load. Every new successful login will rewrite PHPSESSID DB value thus rendering previous login useless.
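The scheme mu-ziq describes, written out as an added example (not code from the thread): the session ID of the latest successful login is stored per user, every page load compares it against the current session, and a newer login overwrites it. It assumes a PDO connection `$pdo` and a `users` table with the columns `id`, `username`, `password_hash` and `current_session_id`; all of these names are assumptions.

```php
<?php
// Added example, not code from the thread: one active session per user account.
// Assumes a PDO connection $pdo and a `users` table with the columns
// id, username, password_hash and current_session_id (all assumed names).

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh session ID on every login: blocks session fixation and guarantees
    // the stored value differs from the ID any earlier login is still using.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    // Overwriting current_session_id is what invalidates the previous login.
    $pdo->prepare('UPDATE users SET current_session_id = ? WHERE id = ?')
        ->execute([session_id(), $user['id']]);
    return true;
}

// Run on every page load after session_start(); false means "treat as logged out".
function enforceSingleSession(PDO $pdo): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT current_session_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // A mismatch means a newer login replaced this session's ID in the DB.
    if ($stored === false || $stored === null || !hash_equals((string) $stored, session_id())) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

function logoutUser(PDO $pdo): void
{
    if (!empty($_SESSION['user_id'])) {
        $pdo->prepare('UPDATE users SET current_session_id = NULL WHERE id = ?')
            ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

The per-page check adds one query per request, which is the cost of not having to scan the session store that jamiel mentions; expired sessions still fall out through PHP's normal session garbage collection.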
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

You could have a flag in your authentication table which is set upon successful login. Hook into your session table and determine when a session is removed and clear the flag at that point...

It'll be cleared either explicitly when someone logs out or when a session expires...

Not sure if it's necessary, but I've used it as a technique before...

Depends on the data and your audience...

Porn for instance, is a valuable commodity...as in it makes good money, but the users are likely shady enough to attempt dual usage on a single account...

So in that case, it makes sense...

Programming communities like this, not so much...if someone has your password you're in trouble and should change it ASAP, concurrent usage though doesn't really pose a problem...