How to reject connection of similar account to database

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

k.wong
Forum Newbie
Posts: 3
Joined: Wed Aug 30, 2006 8:27 pm
Location: Australia

How to reject connection of similar account to database

Post by k.wong »

Hi all,

I don't know if this topic has been around, but is there a way in php to limit the second connection of the same account?
I mean, if I connect to MySQL database with my username from computer A, can the database reject my connection with same account made from computer B, while I am still logged in? or Can php script do that?

Does it sound efficient to insert new data in the database every time a user logs in and delete that data when he logs out?
What if the user didn't log out, but just closed the window? The data will probably still be there, and when the same user logs in the next time, because his data is in the db, he will be rejected.
Will the use of php session be any good?

I suppose the record of user logs in database can be used to show how many online user, is that what actually happens in most forum website?

Thanks for answering.....
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: How to reject connection of similar account to database

Post by feyd »

k.wong wrote:Hi all
k.wong wrote:I don't know if this topic has been around, but is there a way in php to limit the second connection of the same account?
Yep, it's been talked about with similar terms to what you've used, so a search may turn up a few instances.
k.wong wrote:I mean, if I connect to MySQL database with my username from computer A, can the database reject my connection with same account made from computer B, while I am still logged in? or Can php script do that?
Yes, PHP can do it. The question usually is why should the pages do it?
k.wong wrote:Does it sound efficient to insert a new data in database everytime a user logged in and delete that data when he logs out?
Depends on the implementation, but it can be just fine.
k.wong wrote:What if the user didn't log out, but just close the window, the data will probably be there and when the same user log in the next time, because his data is in db, he will be rejected.
Will the use of php session be any good?
Sessions would still be the primary information propagator, so yes.
k.wong wrote:I suppose the record of user logs in database can be used to show how many online user, is that what actually happens in most forum website?
If I understand you correctly, yes.

The general way of implementing such a "feature" is to either forcibly kill the old session allowing the newest session to become the primary or disallowing secondary logins until enough time has passed since the previous session has been used. For the latter, the time break is generally fairly small to keep from annoying users too much. Five minutes seems to be familiar to my thoughts regarding this.

Post by k.wong »

Hi feyd,

Thanks for replying so promptly
feyd wrote: The general way of implementing such a "feature" is to either forcibly kill the old session allowing the newest session to become the primary or disallowing secondary logins until enough time has passed since the previous session has been used. For the latter, the time break is generally fairly small to keep from annoying users too much. Five minutes seems to be familiar to my thoughts regarding this.
Regarding the second choice, do you mean by setting the session active time to 5 minutes, can I confirm with you, do I have to change this setting in php.ini? is it session.cookie_lifetime or session.cache_expire? or none of them?

If I do it this way, i.e. storing session data to db, count the number of records and treat it as number of online users, how can I keep it in real time, so when one user logs out, the record will be deleted, the display on the front end will show the updated number of online users? Do I need something like meta refresh? (html)

Cheers

K.Wong

Post by feyd »

k.wong wrote:Regarding the second choice, do you mean by setting the session active time to 5 minutes, can I confirm with you, do I have to change this setting in php.ini? is it session.cookie_lifetime or session.cache_expire? or none of them?
No changes to the session settings are done. What you do is store the last time that session was used (i.e. a page was loaded with it) somewhere. When a new session is attempted under that user, you compare the last access time for that user; if long enough, allow the login, otherwise deny it in some fashion of your choosing.
k.wong wrote:If I do it this way, i.e. storing session data to db, count the number of records and treat it as number of online users, how can I keep it in real time, so when one user log out, the record will be deleted, the display on the front end will show the updated number of online users? Do i need something like meta refresh?(html)
There is no way to keep the data realtime, so don't worry about that. Yes, if a user logs out you can delete their session data from the entries thus clearing them from the online list.

Most systems that I've seen operate in a somewhat similar fashion when holding the session data (in part or whole) in a database and trying to show online users: the number of users considered online are only those users (anonymous or logged on) that have been "active" within the last x minutes. While the other sessions may be considered logged in, if they are "stale" they aren't counted in the online list.
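
The approach feyd describes (store each account's last-used time, refuse a second login until the previous session has been idle for about five minutes, and count only recently active sessions as online), as an added PHP example that is not part of the original thread. The `active_sessions` table, the function names and the in-memory SQLite database with fixed timestamps are assumptions made for illustration.

```php
<?php
// Added example, not from the thread; table and function names are hypothetical.
const IDLE_WINDOW = 300; // seconds; the five-minute break suggested above

function initStore(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS active_sessions (
        user_id INTEGER PRIMARY KEY, sid_hash TEXT NOT NULL, last_seen INTEGER NOT NULL)');
}

// Allow the login if the account has no row, the row is stale, or it is the same session.
function tryLogin(PDO $db, int $userId, string $sid, int $now): bool {
    $hash = hash('sha256', $sid); // store a hash, never the raw session ID
    $db->beginTransaction();
    $q = $db->prepare('SELECT sid_hash, last_seen FROM active_sessions WHERE user_id = ?');
    $q->execute([$userId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row && !hash_equals($row['sid_hash'], $hash) && $now - (int)$row['last_seen'] < IDLE_WINDOW) {
        $db->rollBack();
        return false; // another session was used too recently
    }
    $db->prepare('REPLACE INTO active_sessions (user_id, sid_hash, last_seen) VALUES (?, ?, ?)')->execute([$userId, $hash, $now]);
    $db->commit();
    return true;
}

// Call on every page load; false means this session no longer owns the account.
function touchSession(PDO $db, int $userId, string $sid, int $now): bool {
    $u = $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE user_id = ? AND sid_hash = ?');
    $u->execute([$now, $userId, hash('sha256', $sid)]);
    return $u->rowCount() === 1;
}
function logout(PDO $db, int $userId, string $sid): void {
    $db->prepare('DELETE FROM active_sessions WHERE user_id = ? AND sid_hash = ?')->execute([$userId, hash('sha256', $sid)]);
}
// "Online" means active within the window; stale rows are simply not counted.
function onlineCount(PDO $db, int $now): int {
    $q = $db->prepare('SELECT COUNT(*) FROM active_sessions WHERE last_seen >= ?');
    $q->execute([$now - IDLE_WINDOW]);
    return (int)$q->fetchColumn();
}

// Constructed walk-through: in-memory SQLite database and fixed timestamps.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
initStore($db);
var_dump(tryLogin($db, 1, 'sid-computer-A', 1000));     // first login from computer A
var_dump(tryLogin($db, 1, 'sid-computer-B', 1100));     // computer B, inside the window
var_dump(onlineCount($db, 1100));                       // sessions active in the last 300 s
var_dump(tryLogin($db, 1, 'sid-computer-B', 1400));     // computer B, after A idled 400 s
var_dump(touchSession($db, 1, 'sid-computer-A', 1401)); // A's next page load
```

On MySQL, open the connection with `PDO::MYSQL_ATTR_FOUND_ROWS => true` so that `rowCount()` counts matched rows even when `last_seen` is unchanged within the same second. In a real login flow, call `session_regenerate_id(true)` before passing `session_id()` to `tryLogin()`.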

Post by k.wong »

Thanks feyd

This should be enough for me to start building the system....
You really open up my mind.....