Best way to implement UNIQUE login?

enterume

Hi,

What is the best way to implement the unique login control.

I have a idea, which is everytime the user login, will create a unique Key[$UKey] (randomly generated) and save into db. So everytime the user read any link/page , i will use this key to match the $UKey with the db record. In additional, I will check if within 3 minute if anyone try to login with different $UKey, the system will treat it as concurrent access happen and stop the login. That's fine and it work.

Now, let say the user close the page OR disconnect , and relogin, the problem rise:

---> user will not able to login within 3 minute since the new $UKey is not match withthe new $UKey.

So what i think is:

1) create a cookie which last for 1 hour for the $UKey, so as long as the user using the same pc, so able to use this $UKey when doing verification, prevent from 'deadlock' happend for 3 minute if the user didnt' logout properly.

2) OR other better solution?

MrAlaska

What if the wrong guy logs in first? I have seen systems that lock an account if too many bad logins are attempted, but I can think of no purpose locking an account because the user changed browsers or something but still knows his password.

Maybe I don't understand what you are trying to achieve.

I assign a unique identifier if they log in, then if they log in again with a different identifier I kill the old session and start a new one.

enterume

The purpose of this Unique login is implement in a paid service website to read news from the publisher.

How you actually store the session even if the user close the browser or disconnect? you use cookie to store at client site for certain time?

Thanks
Louis

MrAlaska

I store the session data in a MySql table, then store the unique ID on the client using a temporary cookie, or inject it into the URL if the client does not accept the cookie, pretty much the same as $SESSION's do except $SESSION's use a file based system.

If the user closes their browser, they will need to start a new session and log in again if they were using cookies. If they were NOT using cookies, they could concievably return before the session times out by returning to a URL that had the session data stored or backbrowsing to a cached page that had the session ID stored in a form input.

It would be a simple matter to store the session ID in a persistent cookie, they would still need to pass validation against their environmental variables to keep the session valid.

Whatever the case, the session is timed and controlled completely on the server side, the only info kept on the client is the session ID.