Restricting Multiple Logins

cistate · #1 (**permalink**) 12-05-05, 07:51 PM

Can anyone suggest the best way to stop a user logging into a web site from 2 different machines at the same time (i.e. probably sharing their account info with some one else). I'm a little confused about this...

Keith · #2 (**permalink**) 12-05-05, 08:48 PM

You could grab their IP address when they log in and keep it on record for so many seconds or minutes. Then search that table for an IP address corresponding to that login info with each page load.

Then if someone logs in and that user account already has an IP address on record, and it's different, lock them out.

cistate · #3 (**permalink**) 12-06-05, 11:19 AM

What if they are accessing site via a proxy server from behind a company firewall? Won't we only be able to grab the ip of the proxy server and anyone at that company would appear to have the same ip?

UnrealEd · #4 (**permalink**) 12-06-05, 11:27 AM

i thnik what keith said is the only solution for your problem. I can't think of an other way to check for multiple login.

Why do you need it this badly (that proy-server stuuf)? is it that important for your website?

Greetz,
UnrealEd

cistate · #5 (**permalink**) 12-06-05, 11:43 AM

UnrealEd, I've been working on a reporting tool for a database we have that is aimed at certain types of company not individual home users. Companies usually restrict direct access to the outside internet, and make their employees go through the company proxy. I've been told that I have to restrict access, and an individual company may have subscribed for maybe 5 seats (that would be 5 individual usernames and passwords), so I'm trying to figure out how to know if more than their alloted number of users are trying to access the site if I can't tell their individual ips apart...

UnrealEd · #6 (**permalink**) 12-06-05, 12:02 PM

i don't know much about proxy servers (maybe the employees have the same ip), but can't you just make a list of the allowed ip's, because you said they have to login via the company?

The script will be running on the company's server, i think, right?
Can't you read the proxy-server ip list through some script? that way you have a list of allowed ip's.

Keith · #7 (**permalink**) 12-06-05, 02:52 PM

Yes, a proxy will give everyone on the inside their own local IP, but past the proxy the public will only see one IP.

Why not start a session and store the session variable in the database rather than their IP address. Then from there it's all the same, though you'd compare session variables rather than IP addresses. Even behind a proxy, session_id() will always be different per user.

digioz · #8 (**permalink**) 12-06-05, 11:01 PM

I posted this a while ago asking this very same question. I didn't get too many answers to my question, but here are the options I found:

Goal: Preventing multiple user login using the same username & password from different location (Simoltanous Login)

Options Available:

1) IP Checking: One way to prevent multiple people from using the same account to gain access to a restricted area of a site is to store their IP address in a database table, along with the "time()" they first logged in. You would then have to check the users IP address on subsequent pages against the value stored in the database to make sure that the user is still using the same IP to view the page. If the user has a different IP, we would prevent the user from login in and display a message saying "You are Currently Logged In from Another Location! Please Log from the other location and try again" (or something like that). This check is usually done at given time intervals (say every 5 minutes or so)

Problem with Method: Several Internet Service Providers like AOL, change the users IP Address every few minutes. So this could potentially lock your REAL user out of the system as well. There are also some problems with Proxy Based connections.

2) Session ID Tracking: A similar idea to method 1, except that you would store the SESSION ID in the database, and instead of checking the IP, you would then compare the users SESSION ID to verify that the user is still the same user. The advantage of thsi method is that it does not depend on the users IP. Therefore AOL users will not have a problem with this login system.

Problem with Method: Although the SESSION ID is unique for current active user, it can be assigned by server to any other later on. Plus you may have problems with Session ID based login system, if you use a shared Webhost.

3) Boolean Login Field: With this method, you would basically create a boolean field in your database, and set the value to TRUE if the user is logged in, or false if the user is not. Again, to check if the user is still logged in, you would have to use a timestamp like previous methods to see if the user has been inactive for more then a specific period of time, and reset the Boolean database field value to false if the user is inactive (This could basically either mean that the user just closed his web browser and left, or that he took a longer then usual lunch break and forgot about your site).

Problem with Method: The basic problem with this method (as with the other two methods), is that if you set a time period (say 5 minutes) to give the visitor to go to the next page and verify that he is still alive and on your site, if the visitor takes longer then 5 minutes to move on to the next page, he will be locked out of the system for ANOTHER 5 minutes (until the system clears the hold on his account).

THE QUESTION:

Here is my main question about this whole issue. Is there a better way of performing this task that will not require the setting of a time interval to see if the user is still logged in? IS THERE A GOOD SOLUTION TO THIS ISSUE???

php~pro · #9 (**permalink**) 12-07-05, 04:00 AM

Could also use a session, so if it already exists you are redirected to another page or produce an error message.