how to prevent 2 people loging into same account

slimjim

How can I prevent 2 people from logging into the same account, either at same time or different times.
Now recording ip addess isnt good cause of like aol which changes ip address

Any help would be great

laserlight

I think that it is enough to use appropriate user authentication and educate your users on the importance of keeping their login credentials secret.

slimjim

What I am trying to do is stop a person from sharing this account with another person.

Piranha

You can't. As you already says ip addresses could be changed. But so can MAC addresses. And everything else that the computer let you know about it.

But the question is if you would want to do it. What could be important enough that you want it? Of course you should use SSL if it is nearly that important, but is it enough with SSL? What if someone changed ISP? Or bought a new computer? Or just want to log in from work once? And what should happen if someone tries to do any of that, should you lock the account? How would they have to prove that they are the same person if they have changed something? If you managed to do this you would simply make it impossible to maintain the system.

slimjim

Well the problem is the cookie, when a person joins the system, they have a cookie, which lets them do certain thing, problem is if someone else logs into their account they may share, that person too will get the cookie, which I really do not want to happen.

laserlight

Wait: are you trying to prevent malicious sharing of an account (i.e., account hijacking) or to prevent users from sharing accounts even when they intend to?

Piranha

Sorry to say, but if you use cookies you have lost that battle already. Cookies are very easy to copy, so even if you stop another person from getting the cookie directly from the site it is possible to manually place it at the other persons computer.

slimjim

so do you have suggestions at all ?

slimjim

what about storing a session id and how to go about doing that even.

laserlight

Answer my question, please. If you are trying to prevent users from cooperating to share an account, I would say that the chief problem is deciding how you know that a person is who he claims to be.

slimjim

I dont know if this is happening, I want to prevent it in any way I can.

Piranha

Yep. Answer laserlight's question, it is possible that he have some suggestion. He is defenetley more experienced in PHP than I am.

My answers is from the point of view that you don't want people to share accounts when they intend to, if that is the case I really can't see a way to do it. If you don't want malicious sharing then you can store the ip, session id and time for the last hit in a database, and then compare with that next time a person tries to do something. All other information should be stored in the server, preferably in a database, to avoid others getting the information.

You should use SSL as well to avoid people listening in on the traffic.

But as I said above, listen to laserlight, he might have another idea.

laserlight

You could deter concurrent use of an account by generating a random access key on each page load. So, if another person attempts to use the account, his/her own page load would generate a new access key, effectively logging the first person out.

As for use of an account at different times: possible, if you are doing this for a company able to issue biometric access cards to users. That way, even if employees share login credentials, they have to duplicate biometric information in order to login as another user.

Piranha

Exactly WHAT do you want to prevent?

slimjim

I have an area I dont want access to by everyone other then a member, but I think what I can do is, when they try to access an area, a random code will be emailed to the correct member, when that member gets it, he enters it into a form and if correct then gains access.
I would think the member wouldnt want to keep getting emails if they did share login information .

What do you think ?

laserlight

when they try to access an area, a random code will be emailed to the correct member, when that member gets it, he enters it into a form and if correct then gains access.

That is effectively an access code that is generated, except that now instead of being generated on each page load, it is generated on each login.

Now, what happens if the user shares his/her email account with another user? That other user can then obtain the generated code and login when the actual account owner is not logged in.

slimjim

wow seems like everything is impossible one way or another...

laserlight

That is what Piranha pointed out :p

The fact is that cooperation between users is difficult to beat, especially when you have no control over the system your users use and how they can connect to the network.

slimjim

Wonder how much time coders put in just trying to protect against crooks online.
My guess alot..

Piranha

Actually I know only two ways to be pretty secure against it.

You as a administrator have to stand behind the user to make sure that he is who he says he is. Of course this is unrealistic.
You force everyone to have a webcam and a microphone. When a user logs in he have to send video of himself from the webcam and he have to talk as well. This should be sent over SSL to make sure that noone else can use the stream later on. Then an administrator have to sit in the other end and validate that it is the right person, by comparing with information in the database. Of course this is unrealistic as well.

But doing it automatically, especially without sending the user something in snail mail (one-time codes for example) is, as you said yourself, impossible in one way or another.