[digioz]

Goal: Preventing multiple user login using the same username & password from different location (Simoltanous Login)

Options Available:

1) IP Checking: One way to prevent multiple people from using the same account to gain access to a restricted area of a site is to store their IP address in a database table, along with the "time()" they first logged in. You would then have to check the users IP address on subsequent pages against the value stored in the database to make sure that the user is still using the same IP to view the page. If the user has a different IP, we would prevent the user from login in and display a message saying "You are Currently Logged In from Another Location! Please Log from the other location and try again" (or something like that). This check is usually done at given time intervals (say every 5 minutes or so)

Problem with Method: Several Internet Service Providers like AOL, change the users IP Address every few minutes. So this could potentially lock your REAL user out of the system as well.

2) Session ID Tracking: A similar idea to method 1, except that you would store the SESSION ID in the database, and instead of checking the IP, you would then compare the users SESSION ID to verify that the user is still the same user. The advantage of thsi method is that it does not depend on the users IP. Therefore AOL users will not have a problem with this login system.

Problem with Method: Although the SESSION ID is unique for current active user, it can be assigned by server to any other later on. Plus you may have problems with Session ID based login system, if you use a shared Webhost.

3) Boolean Login Field: With this method, you would basically create a boolean field in your database, and set the value to TRUE if the user is logged in, or false if the user is not. Again, to check if the user is still logged in, you would have to use a timestamp like previous methods to see if the user has been inactive for more then a specific period of time, and reset the Boolean database field value to false if the user is inactive (This could basically either mean that the user just closed his web browser and left, or that he took a longer then usual lunch break and forgot about your site).

Problem with Method: The basic problem with this method (as with the other two methods), is that if you set a time period (say 5 minutes) to give the visitor to go to the next page and verify that he is still alive and on your site, if the visitor takes longer then 5 minutes to move on to the next page, he will be locked out of the system for ANOTHER 5 minutes (until the system clears the hold on his account).

THE QUESTION:

Here is my main question about this whole issue. Is there a better way of performing this task that will not require the setting of a time interval to see if the user is still logged in? IS THERE A GOOD SOLUTION TO THIS ISSUE???

ANY Comments would be appreciated.

[nekeno12]

Use mysql to store you sessions, and upon a new login, check the session table to see if the username already exists.

If so, then you deny access.

Simple and safe.

[nekeno12]

I actually built a session file analyzer for my system. It actually parses through all the session files in /tmp directory, breaks down the session data and performs the tasks it needs to.

The positive in doing it this way is not having to build your sessions in mysql.