prevent multi login at the same time by the same user

yahelb

I want to prevent multi login at the same time by the same user.

when a user load my site i start a session array.

after the user is login i set $SESSION["id"] with his user id.

how can know who else is logged in or are there ather any suggestions ?

yahel

raymie

There is no foolproof solution to knowing who is logged in.

A common solution is to populate a database table with the user id and the last time a page navigation was made and to assume that the user is still on the page (and logged in) until a certain time has passed.

This should be easy to add in but would not actually help stopping a user logging in twice.

Perhaps you could store the session_id on the table as well and terminate the session for one of the users when you find that they have two current entries on the table with differring session_id values.

You would have to be carefull however since the user may have exited the browser and then reloaded it again and re-logged in within the timeframe you apply to determining inactive users.

shaitan

Hi,

I store my sessions in a database as opposed to the /tmp folder or default on the web server, which makes this a pretty easy fix as all I do once the user has logged in sucessfully before creating any sessions variables, is to simply delete any entries in the session table which match his user id.

This has the effect that the other person providing you are using security checks on every page, and if they dont have a valid userid contained within the session, they are brought back to a login page.

Hope this makes sense.

Shaitan

yahelb

I have a problem when a user leave the system without logout..

such as closing the window ..

tomarius

Hi
I have a problem when a user leave the system without logout..
such as closing the window ..

then session distroy himself

yahelb

tomarius thanks for answering...

lets go throgh the problem ...

1.user is login into my website
2. i put his user id in the database as logged in user
3. the user is close the window (in the db the user is still login)
4. the user come again and try to login but in the db i see that he is logged in so i dont give him the access.

accually this user will never login again without changing the db handly....

tomarius

sorry 🙁(

now

U must to make an update (time) on a loggin user database whenever the user he move to the web site....
if (time() - time (from databse)) is more than 5 minutes (or what u want) U must to delete the user from database

I belive U understand what I say....

Originally posted by yahelb
tomarius thanks for answering...

lets go throgh the problem ...

1.user is login into my website
2. i put his user id in the database as logged in user
3. the user is close the window (in the db the user is still login)
4. the user come again and try to login but in the db i see that he is logged in so i dont give him the access.

accually this user will never login again without changing the db handly....

yahelb

Well tomarius

this is a fine idea, i can use it but still it does not give me 100% success.

cause if the user will close the window, and then in the next 5 minuts try to login he wont success.

jeremuck

are you sure it's absolutely important that the user can't be logged in twice?

what is your reasoning for this?

yahelb

important ?

no its not important like everything else on this planet ...

its one of the requirments from the web site ..

even in this website:
http://www.phpbuilder.com/board/forumdisplay.php?forumid=2

the webmaster can know who is logged in and when .

jeremuck

uh... on this website, users can be logged in multiple times...

I'm logged in on about five machines this very moment.

yahelb

so ...

i'm not trying to make another phpbuilder!!

im just saying that this is passible and i dont find a way to make it

jeremuck

what I'm saying is the reason you need to allow users only one login will determine how you implement it. You still haven't told us.

yahelb

the reason is not important.

do you have any suggestions for me at all ?

RobNewYork

I don't use PHP's built in session management. Instead, I wrote my own routines that do the following:

1) Initial URL goes to the login screen.
2) When user logs on, validate userid and password. Store Userid, IP ADDRESS of client, and current/date time in a table somewhere that has a unique ID number (ie, the session cookie)
2a) Before doing #2, validate that no entries exist in this session table for the userid that is trying to logon. If one does exist (and has not timed out), I invalidate the OLD session and allow user access.

3) Send the new session cookie to the client

Now, with each page movement, call a routine that:

Validates that the session ID (ie, cookie) still exists in the database and that the date/time is within your timeout limits.
Validate that the IP address of the client matches the IP address in the database
Update the date/time for this access.

You can also pass the userid as a cookie as well for a third check in #2 above.

Any failures should redirect to login screen.

So, if the user exits their browser, they'll loose the session cookie.

Moreover, if the same user tries to logon again, #2a will be invoked. You'll have to determine the business rule of whether a) They're allowed in and their old session is terminated or b) They're bounced until their old session expires.

Hope this helps.