Prevent user login from 2 different pc's at same time

vikaspa · 2009-11-15T15:21:57+00:00

Hi Can I avoid / prohibit / stop Login of same user id and password from 2 different PC's at the same time Please how can i do this using PHP and MYSQL

Prevent user login from 2 different pc's at same time

vikaspa

Can I avoid / prohibit / stop

Please how can i do this using PHP and MYSQL

Atli

Hey.

You could add a DATETIME field to your MySQL table that keeps track of when the user was last seen while logged in. You could set this to a date in the past when the user logs out. Then, when he tries to log in from another location, you can check to see if he has already been logged in recently.

To make sure he doesn't just close the browsers without logging out, and therefore remain logged in indefinitely, your login code could ignore login entries older than a specific amount of time. (Say; five minutes.)

Also, to make sure the user doesn't lock himself out by doing something stupid, like deleting the session cookie, you can tie the login to an IP address and make that address immune to the time check, thus allowing him always to re-log from the same IP regardless.

For example; a login validation query:

SELECT 
    (   `last_logged_ip` = '{$user_ip}' OR
        `last_logged_in` < DATE_SUB(NOW(), INTERVAL 5 MINUTE))
FROM `user_table` 
WHERE `name` = '{$name}' 
AND `password` = '{$password}'

See what I mean?

vikaspa

Atli;10933934 wrote:
Hey.

You could add a DATETIME field to your MySQL table that keeps track of when the user was last seen while logged in. You could set this to a date in the past when the user logs out. Then, when he tries to log in from another location, you can check to see if he has already been logged in recently.

To make sure he doesn't just close the browsers without logging out, and therefore remain logged in indefinitely, your login code could ignore login entries older than a specific amount of time. (Say; five minutes.)

Also, to make sure the user doesn't lock himself out by doing something stupid, like deleting the session cookie, you can tie the login to an IP address and make that address immune to the time check, thus allowing him always to re-log from the same IP regardless.

For example; a login validation query:
SELECT 
    (   `last_logged_ip` = '{$user_ip}' OR
        `last_logged_in` < DATE_SUB(NOW(), INTERVAL 5 MINUTE))
FROM `user_table` 
WHERE `name` = '{$name}' 
AND `password` = '{$password}'
See what I mean?

I am thankful for the reply

This should work
However as you have pointed out user donot log out and close the browser
He will not be able to login for 5 minutes
Am I correct ?

Atli

Not if you include the IP address check as well.

The last_logged_ip` = '{$user_ip}' part of the query is there to check if this is the same IP address that logged in last time (within the 5 minute frame), and bypass the check if it is.

So if he always logs in using the same PC (given that he has a static IP), then he would always get in. But if he closed the browser and tried logging in on another machine withing the time-frame, he would not get in until 5 minutes later.

You can reduce the posibility of problems like that, tho. Using the JavaScript window.onbeforeunload() event and AJAX you could have PHP reduce the time-frame to a few seconds. (15-30 seems plenty)
That way, if a user that has JavaScript enabled is browsing your web, if he navigates away or closes your page, he has 15-30 seconds to request another of your pages, or he is logged out.

That, coupled with a cookie based auto-login script, would make a normal user stay logged in until he either logs out or another IP address logs in while he is inactive.