Prevent user from using the same account

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jlising
Forum Commoner
Posts: 33
Joined: Mon Mar 19, 2007 1:48 am
Location: Pampanga, Philippines

Post by jlising »

Hello!
I have an application written in PHP and Javascript.

How do I prevent a user from logging in if that user is already logged in? This is to prevent users from using the same account at the same time.

Thanks!
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Simply.... when the user logs in, turn on some flag in your database. Let's say, add a new field to your database: online. When someone tries to log in you check if this flag is "on" or "off", if it's "off" you log him in and change it to "on"; if it's already "on" you give him an error message and you don't log him in.
jlising
Forum Commoner
Posts: 33
Joined: Mon Mar 19, 2007 1:48 am
Location: Pampanga, Philippines

Post by jlising »

Thanks!
I made a flag field 'online'. This field is marked 'on' every time the user logs in. My concern is, what if the user does not log out properly but instead closes the browser? I believe the value of the 'online' field will be orphaned with the value 'on'. So, the next time the user wants to log in, an error message will appear.

Is there a way to prevent this kind of situation? Can I restrict user from improper logout?
Kadanis
Forum Contributor
Posts: 180
Joined: Tue Jun 20, 2006 8:55 am
Location: Dorset, UK

Post by Kadanis »

There's no way to prevent an improper logout, as you can't stop them from just closing the browser. You could also record a last-action timestamp and use that along with some logic to say that if they haven't made an action in 15 minutes, then log them out automatically.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I find it's best to store the session data in the DB, set a timeout and just look for an active session. Rather than denying the login, you can just kill any existing sessions so that the most recent one takes over.
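The approach Kadanis and Chris Corbyn describe (sessions tracked in the database, an inactivity timeout instead of relying on a clean logout, and the newest login replacing any older session) put together as one runnable PHP script. This is an added example, not code from anyone in this thread; the table and column names (user_sessions, session_id, user_id, last_seen) and the 15-minute timeout are assumptions, and it uses an in-memory SQLite database through PDO so it runs stand-alone. In a real application the session id would come from PHP's own session after session_regenerate_id(true), not from random_bytes() as here.

```php
<?php
// Added example (not from the thread): single active session per account, with
// sessions recorded in a DB table, an inactivity timeout, and "most recent login wins".
// Table/column names below are assumptions; SQLite in-memory is used so it runs offline.
declare(strict_types=1);

const SESSION_TIMEOUT = 15 * 60; // seconds of inactivity before a session is dropped

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_sessions (
        session_id TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        last_seen  INTEGER NOT NULL
    )');
    return $db;
}

// Call only after the password check has succeeded. Any existing session rows for the
// user are deleted first, so the older browser is logged out on its next request rather
// than the new login being refused. A fresh session id is always issued on login so an
// attacker cannot pre-plant one (session fixation).
function loginUser(PDO $db, int $userId, int $now): string {
    $db->prepare('DELETE FROM user_sessions WHERE user_id = :uid')
       ->execute([':uid' => $userId]);
    $sessionId = bin2hex(random_bytes(32)); // real app: session_regenerate_id(true); session_id()
    $db->prepare('INSERT INTO user_sessions (session_id, user_id, last_seen)
                  VALUES (:sid, :uid, :now)')
       ->execute([':sid' => $sessionId, ':uid' => $userId, ':now' => $now]);
    return $sessionId;
}

// Call on every authenticated request. Returns the user id if this session is still the
// active one and has not been idle longer than SESSION_TIMEOUT; otherwise removes the row
// (if any) and returns null so the caller can redirect to the login page. Because the
// check compares timestamps, a closed browser never leaves the account locked.
function checkSession(PDO $db, string $sessionId, int $now): ?int {
    $stmt = $db->prepare('SELECT user_id, last_seen FROM user_sessions WHERE session_id = :sid');
    $stmt->execute([':sid' => $sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such session: replaced by a newer login, or never existed
    }
    if ($now - (int)$row['last_seen'] > SESSION_TIMEOUT) {
        $db->prepare('DELETE FROM user_sessions WHERE session_id = :sid')
           ->execute([':sid' => $sessionId]);
        return null; // idle too long: treated as logged out
    }
    // Sliding timeout: every valid request pushes the expiry forward.
    $db->prepare('UPDATE user_sessions SET last_seen = :now WHERE session_id = :sid')
       ->execute([':now' => $now, ':sid' => $sessionId]);
    return (int)$row['user_id'];
}

// Explicit logout simply removes the row.
function logoutUser(PDO $db, string $sessionId): void {
    $db->prepare('DELETE FROM user_sessions WHERE session_id = :sid')
       ->execute([':sid' => $sessionId]);
}

function expect(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Demonstration on a constructed timeline (timestamps are made up).
$db = openDb();
$t0 = 1000000;
$first = loginUser($db, 42, $t0);                              // browser A logs in
expect(checkSession($db, $first, $t0 + 60) === 42, 'A is active');
$second = loginUser($db, 42, $t0 + 120);                       // browser B, same account
expect(checkSession($db, $first, $t0 + 130) === null, 'A was killed by B');
expect(checkSession($db, $second, $t0 + 130) === 42, 'B is active');
expect(checkSession($db, $second, $t0 + 130 + SESSION_TIMEOUT + 1) === null, 'B timed out');
logoutUser($db, $second);
echo "single-session checks passed\n";
```

Two points worth keeping in mind when wiring this into a real login: run checkSession() on every request (not only at login), otherwise the "kill the existing session" step never takes effect for the older browser; and if you would rather use PHP's native session machinery, the same table can back a custom SessionHandlerInterface, with the per-user DELETE done at login time.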
jlising
Forum Commoner
Posts: 33
Joined: Mon Mar 19, 2007 1:48 am
Location: Pampanga, Philippines

Post by jlising »

Okay, I will just kill the first login session instead of denying the last one who tries to login. But I hope I can find the best solution in this issue.

Thank you guys!