Username / Password monitor

8mycsh

I have created a php login script with sql database but I want it to automatically monitor visitors with the same username/password. If the configured limit is reached, the account is disabled instantly.

How do I go about doing this? Can someone help me or point me to an area where I can learn this.

Thanks

Weedpacket

Depends partly on what "configured limit" means. But whatever. If there is some resource (logins, posts, or whatever) that is limited for each user, then you can keep a field of how much they've consumed in their record in the user database.

Every time the user tries to do something that would consume some of the resource (log in, post, or whatever), check the field to see if they've reached their limit. If yes, disable the account (log them out with a message saying why). If no, note their consumption in the record.

8mycsh

What I am trying to do is have a password /username restricted area. And the "configured limit" means that they can log in once at a time......for example:

Joe logs in with his username and password
Joes info gets out in the world and Bob has it now.
Bob then trys to log in with joes username and password.
I am trying to control the amount of people trying to log in with the same user name and password.

Does this make sense?

Weedpacket

So you want to prevent having two people logged in with the same username/password simultaneously?

8mycsh

That is correct!

daveyboy

liverpoolfc.tv uses the same technique.

they have 2 sets of cookies - normal login and a security token. the security token is set to expire after 24 hrs and their server keeps the token for 24 hrs, too. if you try to login and the server finds a token for you already in its db, it rejects the login until you logout from the other pc first, or wait 24 hrs.

i reimplemented the system for myself, though i don't enforce one login per user - i just use it to allow users to log in transparently, without storing passwords in cookies.

i use a random md5 token for the security cookie and save this in my db table "securityhashes". whenever a user logs in, the script first removes old tokens, then looks for an existing token for the user. If the user's cookie matches the token, he is logged in without having to enter a password or username (in another cookie). instead - or as well as - autologin, you could turn the user away if the db has a valid token, but the user does not. just remember to delete the token from the db when the user logs out.

8mycsh

Ok, about these tokens, is there a website I can look at to help develop these security tokens?

I am kinda following what you mean but I would like some help if it is possible....maybe a website or some directions on how to do this would be great.

Thanks