REQ Been racking my brain trying to figure out how to prevent multiple login with same username

I've searched Google intensely on this topic and it seems no one really knows how to approach this.

The goal: I don't want clients to give out their usernames and passwords to friends, since the site
relies on subscription fees.

Session IDs are matched between the browser and the server. So users can log in with the same
username and password and those sessions are tracked individually.

Some suggest creating table fields with the session ID and a time stamp. However my clients can spend
a lot of time on a page and I don't want to force them to re-login, would be annoying.

On the other hand, some clients do not log out properly and sessions open active and/or a script that
runs the timestamp does not clear that field. Then the next time they log in the stamp reads that they are
active and will not allow them to log in.

I'm an experienced PHP programmer yet this task has got me going in circles. Every time I think I
have a method worked out - there is a reason why it won't.

The approach I'm considering now is to grab and loop all the server sessions' username values - then
compare those values to a flagged "logged-in" field from the user table. That way if a flag is
negative I will allow the user to log in and create a session and flag that field. If a session
does not exist then the flag is cleared. I would run the cron at 10 minute intervals. If I find 2
sessions with the same username I unset both - then fire off an email to the client reminding them
multiple logins are a bad thing.

Does this sound right? Anyone else have a better idea?

Feb 9 '06 #1
Gleep wrote:
Some suggest creating table fields with the session ID and a time stamp. However my clients can spend
a lot of time on a page and I don't want to force them to re-login, would be annoying.


Sun Microsystems' webpage uses a popup with "your session is about
to expire, extend it?". Then you have a couple of minutes to click
"extend" to keep your session alive. If you don't, the session
eventually times out. Perhaps that's one way to go.
Feb 9 '06 #2
If I got it right, what you want is that if users don't update
their session e.g. in 20 minutes, the session will be terminated. But
if the session exists in the database, you will simply disallow any
other sessions with the same username, right?

Simply run cron every 5 minutes to execute the PHP script that
would check everything. When a user logs in, and each time they request the
server, update the MySQL table saying time() + 60*10 (10 minutes).
So if the script that is being executed by cron finds that the
expiration time has ended, the session is destroyed!

They wouldn't need that expiration message because the expiration time
would be automatically updated (+ 10 minutes for each request).

Also, there is a big disadvantage in all of this - users can have their
cookies disabled and then you'd get a big amount of sessions created in
your database... so you'd be dead because of that.

Just when users are logging in, in the login page set a cookie
$_COOKIE['do_login'] = true; and when the user requests the actual login
page, where all the info is sent - the $_COOKIE['do_login'] should be
checked. If it is not, then simply say that cookies must be enabled! :)

I might have confused anyone who is reading but figure it out then!

Good luck on your site!
Thanks!

Feb 9 '06 #3

Gleep wrote:
I've searched Google intensely on this topic and it seems no one really knows how to approach this.

The goal: I don't want clients to give out their usernames and passwords to friends, since the site
relies on subscription fees.

Session IDs are matched between the browser and the server. So users can log in with the same
username and password and those sessions are tracked individually.

Some suggest creating table fields with the session ID and a time stamp. However my clients can spend
a lot of time on a page and I don't want to force them to re-login, would be annoying.

On the other hand, some clients do not log out properly and sessions open active and/or a script that
runs the timestamp does not clear that field. Then the next time they log in the stamp reads that they are
active and will not allow them to log in.

I'm an experienced PHP programmer yet this task has got me going in circles. Every time I think I
have a method worked out - there is a reason why it won't.

The approach I'm considering now is to grab and loop all the server sessions' username values - then
compare those values to a flagged "logged-in" field from the user table. That way if a flag is
negative I will allow the user to log in and create a session and flag that field. If a session
does not exist then the flag is cleared. I would run the cron at 10 minute intervals. If I find 2
sessions with the same username I unset both - then fire off an email to the client reminding them
multiple logins are a bad thing.

Does this sound right? Anyone else have a better idea?


Sorry, the email doesn't sound good to me. This would confront the
client with a 'flaw' in the system. I don't have a solution for your
problem, but this solution doesn't solve it, only moves it around. The
user might not even know there are multiple logins ...
Prevent multiple logins on 1 account by not letting more than 1 login.

How about setting a flag in the DB -> userid, session id, and time asking
them if they want to stay logged in. If no-one answers the popup,
refresh the page at e.g. 15 minutes.
If they do reply, reset the flag's timestamp.
If a timeout is after 15 minutes, and the user is logged in, but closes the
browser without logging out, the account would be max. 15 minutes
unavailable for the same user. You *could* remind the user (on next
login e.g.) that leaving without logging out is a bad thing ...

Frizzle.

Feb 9 '06 #4
How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and then when user B login with the
same account the system automatically do the logout action for the user
A and tell him what's happened (like "dude, some other user is logging
with your same account") ... then we give the user chance to re-login
and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ... but
I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about the
session expiration in the Term of Service. If they agree with that ...
I think it is OK ... plus, we owned the site and what we do is simply
to protect them, right ...

Feb 9 '06 #5
Since preventing 2 or more people from logging in as the same user is practically
mission impossible (since, for instance, I can log in to your web from
home or from work, thus having 2 different login locations), I think the
best idea is to force users to log out after they're done browsing, or you
could log them out when they leave the page (onunload event, or
something like that), thus making it impossible for another person to
log in as the user that's already logged in.

I know this is not a revolutionary idea, but I hope it helps You...
Feb 9 '06 #6
alvonsius wrote:
How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and then when user B login with the
same account the system automatically do the logout action for the user
A and tell him what's happened (like "dude, some other user is logging
with your same account") ... then we give the user chance to re-login
and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ... but
I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about the
session expiration in the Term of Service. If they agree with that ...
I think it is OK ... plus, we owned the site and what we do is simply
to protect them, right ...


Why not prevent user B from logging in, and not kicking user A?
If I were user A, I wouldn't like being kicked for someone else's
"hacking" attempts.
That's not my problem ...

Feb 9 '06 #7
d
"frizzle" <ph********@gmail.com> wrote in message
news:11**********************@z14g2000cwz.googlegroups.com...
alvonsius wrote:
How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and then when user B login with the
same account the system automatically do the logout action for the user
A and tell him what's happened (like "dude, some other user is logging
with your same account") ... then we give the user chance to re-login
and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ... but
I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about the
session expiration in the Term of Service. If they agree with that ...
I think it is OK ... plus, we owned the site and what we do is simply
to protect them, right ...


Why not prevent user B from logging in, and not kicking user A?
If I were user A, I wouldn't like being kicked for someone else's
"hacking" attempts.
That's not my problem ...


Exactly - give the user a way to contact the site admin if they believe the
locking-out is incorrect. That way it can be sorted without a
logging-in-war :)

dave
Feb 9 '06 #8
alvonsius wrote:
How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and then when user B login with the
same account the system automatically do the logout action for the user
A and tell him what's happened (like "dude, some other user is logging
with your same account") ... then we give the user chance to re-login
and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ... but
I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about the
session expiration in the Term of Service. If they agree with that ...
I think it is OK ... plus, we owned the site and what we do is simply
to protect them, right ...


Actually, I like this way a lot better than refusing to log user B in.

One of the distributors I use for another business does something
similar. If I log in from a second computer (or a different browser),
it logs the first session off. Simple and painless. I can't have two
sessions going at the same time, and I'm not restricted for a period of
time because I didn't log off previously.

I can see another advantage to this, also. You can't stop User "A" from
giving his password to User "B". However, if "B" knocks "A" off enough
times, "A" will change his PW and not give it to "B".

As for being logged off due to a hack - well, if you use any reasonable
password, most likely that won't happen. Remember - it's a successful
login which logs the person off - an unsuccessful login won't do it.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 9 '06 #9
Carved in mystic runes upon the very living rock, the last words of
frizzle of comp.lang.php make plain:
alvonsius wrote:
How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and then when user B login with the
same account the system automatically do the logout action for the
user A and tell him what's happened (like "dude, some other user is
logging with your same account") ... then we give the user chance to
re-login and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ...
but I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about
the session expiration in the Term of Service. If they agree with
that ... I think it is OK ... plus, we owned the site and what we do
is simply to protect them, right ...


Why not prevent user B from logging in, and not kicking user A?


What happens if user A goes to the library, logs in to the site, forgets
to log out, and now wants to log in at home?

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/
Feb 9 '06 #10
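
The "newest successful login wins" approach from posts #5 and #9, combined with the per-request sliding expiry from post #3, as an added PHP example that is not code from any poster in this thread. The table, column and function names are assumptions, an in-memory SQLite database stands in for MySQL, and the clock is passed in so the walk-through is repeatable.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Schema and function names are
// assumptions; SQLite in memory stands in for the site's MySQL database.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // active_token_hash: SHA-256 of the single valid session token.
    // last_seen: Unix time of the last accepted request.
    $db->exec('CREATE TABLE users (
        username TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        active_token_hash TEXT,
        last_seen INTEGER
    )');
    return $db;
}

// Successful login: issue a fresh token and overwrite the stored one, so
// any older session for this username fails its next per-request check.
function login(PDO $db, string $user, string $password, int $now): ?string
{
    $q = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;                 // a failed login never evicts anyone
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET active_token_hash = ?, last_seen = ? WHERE username = ?')
       ->execute([hash('sha256', $token), $now, $user]);
    return $token;                   // keep in $_SESSION after session_regenerate_id(true)
}

// Per-request check: the session's token must match the stored hash and
// the account must have been seen within the idle window (seconds).
function checkRequest(PDO $db, string $user, string $token, int $now, int $idle = 900): bool
{
    $q = $db->prepare('SELECT active_token_hash, last_seen FROM users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['active_token_hash'] === null
        || !hash_equals($row['active_token_hash'], hash('sha256', $token))
        || $now - (int)$row['last_seen'] > $idle) {
        return false;
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE username = ?')
       ->execute([$now, $user]);     // sliding expiry: each request extends it
    return true;
}

// Constructed walk-through: login at the library, then at home, no logout.
$db = makeDb();
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$t0 = 1000000;
$library = login($db, 'alice', 'correct horse', $t0);
$home    = login($db, 'alice', 'correct horse', $t0 + 60);
var_dump(checkRequest($db, 'alice', $library, $t0 + 70)); // library session
var_dump(checkRequest($db, 'alice', $home, $t0 + 70));    // home session
var_dump(login($db, 'alice', 'wrong guess', $t0 + 80));   // bad password
var_dump(checkRequest($db, 'alice', $home, $t0 + 90));    // home session again
```

Because the stored token is replaced rather than checked for emptiness, a user who closed the browser without logging out is never locked out, and no cron job is needed to clear a stale "logged-in" flag.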
