Restricting website login access

dcjones

Hi all,

I have a website which uses a user accounts to access the content. At the moment all that is required is the "username" and "password" to match those stored in an SQL table.

What I would like to do is restrict login accounts being used more than one at the same time. I did read somewhere that using the function "unquie_id" would the place to start but for the life of me I can't remember where I read it. I have looked through the formun for some pointers and did some Googling with no result.

Can anyone point me in the right direction to how this can be done.

ixalmida

What are you trying to accomplish? Are you trying to prevent session hijacking?

If you're concerned about session hijacking, you could store the session_id and IP and check it against the most recent IP address to see if the IP has changed. Then you can force the user to log in again if the IP has changed. This would be fairly effective against session hijacking. The only downside to this is when a user's dynamic IP renews, but that's usually not more than once a day.

On the other hand, carefully validating and cleaning user input can also prevent session hijacking. It's also often a good idea to force the user to reenter their credentials whenever they access a higher security area, such as user information areas.

dcjones

Hi ixalmida,

Many thanks for your reply.

What I am trying to do, I have a site which requires users to have a valid username and password to gain access. I would like to be able to prevent account sharing.

i.e, if username "johndoe" is currently logged in then no one else can use that login until "johndoe" has logged out.

Is this possible?

Again, many thanks.

foyer

You could have a column in your database user table for instance, LoggedIn. When someone logs in, this columns is updated to 1 and when they logout it is changed to 0. If someone tries to login while the LoggedIn is "1" then it will reject them. Problem, if the user doesn't properly logout of the script, it will remain as a "1" in the database. You would need to use sessions (logged in the database) to track if the user is still on the website (Set a session variable to the date/time at every request), and if they have been inactive for X minutes, change this column back to 0.

Just a thought

Krik

foyer wrote:
You could have a column in your database user table for instance, LoggedIn.

While that would work it is best to avoid modifying a table unnecessarily. Especially such a key table as user login info.

ixalmida's suggestion would work. You will just want to use a separate table and you wil need to add a time stamp to that table and then check it to see if a user has a recently (you define recently) logged in under a different IP.

Also you can create a unique id to be stored in a $_SESSION variable and in the database, each time they login. And each page load just check it against the current one in the database for that account. Of course don't ever allow 2 entries in the database with the same user id.

Now you do have one small problem in that account sharing may still occur if both are not logging in at the same time. It should be noted that multimillion dollar companies can't stop account sharing.

johanafm

Another approach would be to log out a logged in client when another client logs in on the same account. That way, if I don't log out in one browser and starts using another browser (on same or other computer), the previous logged in session won't work anymore, but I still don't have to wait N minutes or hours before I can log in someplace else.