Preventing multiple Users from logging into the same account at the same time

Hi all,

users usually have usernames and passwords, and can log in to many maches at once withe same details. What I want to do is restrict them to only one machine if they have already LOGGED-ON on one machine, any attempt to LOG-IN again to another they get kicked out or have a Pop up telling them they already LOGGED-ON to another machine.

All help will be greatly appreciated.
Thanx

Hi mankolele,

The way I would do this is an extra record against the user credentials. So when a user logs in you update the record to show that they are logged in.

Also when a user tried to log in you check this field and if they are already logged in you tell them this.

In addition to this it would be worth having the session timeout after a period of inactivity. this would mean that if they close the browser but don't log out they are eventually logged out automatically.

When a user logs out or the session is killed you set the record to show that they are not logged in.

In this way you can ensure that they only log in once. As the data is stored on the server it would work across machines and platforms as well.

Hope this helps
Cheers
nathj

PS This has given me an idea to improve my own site - thanks!

I have a table where I am doing that but my block is that all user are taken as id 1 where I end up not being able to identify who is who.

I have a table where I am doing that but my block is that all user are taken as id 1 where I end up not being able to identify who is who.

Hi mankolele,

Is there anything within in the table can uniqwuely identify a given user - username or email address for example? This could then form the basis of your query.

For good data design there should be someone of uniquely identifying a given user at any time.

Cheers
nathj

Changed thread title to better describe the problem.

Heya, mankolele.

Try creating a database table that stores login sessions.

In this table, each session gets an ID (primary key). Also save the User's ID and an expiration date.

The expiration date should be a timeout value, so something like 15 minutes from the current time.

Whenever somebody tries to log in, check to see if there is a valid (unexpired) session for that User. If one already exists, deny access.

If there are no active sessions, log the User in and create a new entry in the login sessions table. Also save the ID of the login session in the User's _SESSION. Since each _SESSION is unique per client (or in theory anyway), this ensures that only the machine that had that _SESSION could be logged in for that account.

When the User is browsing on the site, don't forget to extend the expiration time of the login session!

When the User logs out, delete the record from the login sessions table.

Ooook I'm lost plain lost, I understand the theory myself but.................................... I don't know.

Ooook I'm lost plain lost, I understand the theory myself but.................................... I don't know.

Hi,

I think the aim is this:

1. Have a table that stores when a user logs in. In the table store the date and time they logged in and when the session will expire

2. When a user logs in update the table and load the session variables.

3. Everytime a request is made by the user the session expiration time is moved on, so that from each activity the session will remain for 15minutes (as an example).

4. Whem the session has been inactive for 15+ minutes simply remove the record from the table and kill the session variables

5) If the user logs out properly do the same as in 4.

If a user is logged on to the system on one machine and then moves to a different machine when they log in again you can check the table for the user id. If it is there and the session is live you don't allow access but explain that they can only log in once.

I think this is the general idea. The only bit I'm a bit vague on is how to monitor session activity so I will be watching this thread closely.

I hope I have helped.

Cheers
nathj

Yeeee I finally managed to add all that up now one iusername has one access and every 15minutes are timed out from the table, which I am not sure if its good coz now the gap is opened I think.

Now my other concern is when they click on LOG-OUT , yes I need to DELETE from table WHERE user = "", yes this happens on the MySQL screen but I can not somehow pass that variable in PHP.

Yeeee I finally managed to add all that up now one iusername has one access and every 15minutes are timed out from the table, which I am not sure if its good coz now the gap is opened I think.

Now my other concern is when they click on LOG-OUT , yes I need to DELETE from table WHERE user = "", yes this happens on the MySQL screen but I can not somehow pass that variable in PHP.

Hi,

My suggestion would be to have an auto-increment field in the table that stores the logon details. then store this number in the $_SESSION. When they log out you can use the $_SESSION variable in your SQL query n php.

Cheers
nathj

What a relief all is well finally....Thank you with all your help. One more thing when capturing the LOG-IN data I see I get the previous entry not the present one I am at, what am I missing for me to get the last details not present username.

What a relief all is well finally....Thank you with all your help.

Always happy to help

One more thing when capturing the LOG-IN data I see I get the previous entry not the present one I am at, what am I missing for me to get the last details not present username.

I'm gonna need a bit more for this - have you got some code you could show us? This would be a useful part of a further explanation of the final probelm.

It may be a refresh problem - off the top of my head, I ahd something similar with $_SESSIONs once. I can't remember now how I fixed it but if you post some code it may jog my memory.

Cheers
nathj

[PHP]
session_start();

$connection = mysql_connect("localhost", "xxxx", "xxxxxxx");
$select_db = mysql_select_db("xxx", $connection);
$query = mysql_query ("SELECT username,password,id FROM members where id ='".$_SESSION["id"]."'", $connection);

$timestamp = time();
$activity = "Log in";


if(isset($_COOKIE['ID_my_site'])){

$_SESSION['log_admin']=$data['ID_my_site'];
$_SESSION['admin_access']=$data['id'];


$name = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT username,password,id FROM members WHERE id = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
header("Location: fail.php");
} else {
header("Location: 1.php");
//header("Location: welcome.php");
}
}

}

if (isset($_POST['submit'])) {

$usercheck = $_POST['username'];
$check = mysql_query("SELECT user FROM logged WHERE user = '$usercheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);

//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, '.$_POST['username'].' you already LOGGED ON..... on another machine <a href="index.html">Back</a>');
}






if(!$_POST['username'] || !$_POST['password']) {
header("Location: fail.php");

}

$check = mysql_query("SELECT username, password,name,surname FROM members WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
header("Location: fail.php");

} else {

while(list($username, $password,$name,$surname) = mysql_fetch_array( $check ))
{
$_POST['password'] = stripslashes($_POST['password']);
$password = stripslashes($password);
$_POST['password'] = md5($_POST['password']);

if ($_POST['password']!= $password) {
header("Location: fail.php");

} else {
$_POST['username'] = stripslashes($_POST['username'] && $_POST['password'] == $password);
$hour = time() + 3600;
setcookie("Use", $username);

setcookie("Name", $name);
setcookie("sur", $surname);

if ($rowsAffected != -1) {

$query ="INSERT INTO logged (lastactive,activity,user)
VALUES ('".$timestamp ."','".$activity."','".$_COOKIE['Use']."')";
$result = mysql_query ($query, $connection) OR die("Error ".mysql_errno()." : ".mysql_error());
$rowsAffected = @ mysql_num_rows($result);

}//close rows Affected
else if ($rowsAffected == -1 ){

}
header("Location: welcome.php");

}

}
}

}

[/PHP]

Is the code for where I get the login details .

Hi mankolele,

I have read over the code and there is nothing that jumps out as the cause of the problem.

however, it has served to jog my memory a little. I mentioned previously that I had a php script that was returning the previous session values. In my case it was on a captcha image - so even if you could see the text it was no good you had to see the previous set - fixed that though.

In my case the trouble was that I was setting the $_SESSION variable too late in the process. It may be that you need to play around with where the $_SESSION variables etc are set.

I'm sorry to be a bit vague but that's all I can think of for this one. I hope it helps - even in some small way.

Cheers
nathj