Disallowing Simultaneous Logins

xenlab

I'm struggling with a how to develop a way to only allow a user to be logged in only once to my application. Both from the same machine (two diff browser windows) OR from two different machines (user/pass sharing).

Obviously I would need a db flag (user_logged_in or some such thing). And it's easy to limit my select user query during login by asking if the flag is set to true, and if not setting to true after I load the user's record.

And in a perfect world, they would all explicitly use the log out button, and I can tidy up and set the flag back to false for the next request on this record. The conditions I can't figure out how to compensate for is If they just close their browser window AND when they surf away from the application by visiting a link, favorite place, or type a new URL in the address bar.

Any Ideas on where to start thinking / looking 😕

planetsim

There are many things in for this to happen.

Firstly recording the IP Address as it wont change unless they logoff there service or they somehow change it.

Secondly record a cookie although this will only work on one browser it should just be used to track

Thirdly create a session.

Than with all that create a table called online or something similar, insert that data and individually check each bit to make sure they are not simultaneously logged in.

There will be more to add to it but that should be good for a start

xenlab

so by checking individual bits do you mean like say the date/time they logged in? and if say it's over 30 mins or an 1 hour or something let them in, but if under that time limit disallow the login? something like that?

While that is definately an approach I hadn't thought of yet, I'm still wondering how that will address my need for when they leave the site, their session dies and the user want to log back in right away?

thanks

superwormy

Set a timeout for how long a user can be logged in without visiting any pages.

Also, DO NOT use their IP address, this can cause TONS of issues. AOL uses very strange proxying, so one persons browsers requests can get proxied around and come from several different IP addresses, even though its the same browser, same computer, same connection, same time, etc.

Not to mention the problems you're going to give a company / someone behind a firewall / router or regular proxy server.

Theres really no way you can limit it to one browser being opened on a particular computer, short of something client side ( java, javascript, activex, etc. )

xenlab

Set a timeout for how long a user can be logged in without visiting any pages.

PHP is set up to kill sessions after 20 minutes of inactivity, but that's in the INI file.

Or do you mean more programatticaly?

bunner_bob

I've got something like this set up on a site I'm building. When a user is logged in, their user id is put into a session variable. Then every time they reload a page, the database table containing their user id is updated:

$datenow = gmdate("U");
mysql_query("UPDATE users SET lastaccess='$datenow' WHERE name='" . $_SESSION['this_user'] . "'");

Also, in the head of each page I have:

<meta http-equiv="refresh" content="900;URL=index.php?logout=auto">

which will automatically log them out if they walk away for 15 minutes.
Then when they attempt to login you just have to compare the current "$datenow" with the "lastaccess" field in their user record to determine whether they should be able to log in or not.

I'm using it for a slightly different purpose. When a user edits some content, their username is automatically entered into a "locked" field in that content record. So if I'm 'Bob' and I'm editing something, and you're 'Rob' and attempt to edit it, it won't let you do it. Once an edit is complete (SQL is submitted), the "locked" field is set to 'null'. But if I forget to complete the edit and walk away (and get logged out automatically), the 'locked' field will still say 'Bob'. But it'll let 'Rob' in as long as his attempted access is more than 15 minutes since 'Bob's last access. Which allows Bob to forget to log out and still lets others access the record.

Probably more than you needed 😉