Session Verification with IP Address??

NoFear

Greetings,
I need to verify a user's session not only with their username, but also by their IP address. I need to make sure that a user is only logged into one location at a time, and if the log into another location, they get sgined off of the first location.

Any ideas??

JDcrack

If you are using a database, you could setup a sort of tmp table,
where when someone logs in, it puts thier username or id into the tmp DB and thier $REMOTE_ADDR and $SID as well.

Then as part of the login script, check the tmp DB for that username/id and if $REMOTE_ADDR does not match, then kill $sid, remove first entry from tmp DB and replace with new login info.

I am sure there are better ways to do it, but I have not had my caffine yet, and this should at least get you on the right track.

NoFear

I thought about doing it like this, but at the same time I'm trying to minimize hits on the database. I'm already doing verifications on the database every screen anyway.... any other possibilities, maybe??

JDcrack

If you are already using a DB for user authentication, I think this is a pretty good way to go.

You might be able to do something with .htaccess, but thats a long shot.

I can't think of another way right now, but I'm sure there is another more creative mind out there, just itching to take on this problem 🙂

NoFear

Hmm... interesting. Actually, the only user authentication I'm doing is right away at log in. After that, it's registered sessions the whole way. Their userId gets registered, as well as the essential variables. So basically, I'm not doing ANY user authentication on each page.

I originally did this because I wanted to reduce hits on the database.

JDcrack

OK, since you are already running a DB query for user auth, at login, why couldn't you add the above suggestion to your login script? So the DB hits all take place from just the one script?