REQ Been racking my brain trying to figure out how to prevent multiple login with same username

Re: REQ Been racking my brain trying to figure out how to preventmultiple login with same username

Gleep wrote:
[color=blue]
> Some suggest create table fields with the session ID and a time stamp. However my clients can spend
> alot of time on a page and I don't want to force them to re-login, would be annoying.[/color]

Sun Microsystems' webpage uses a popup with "your sessions is about
to expire, extend it?". Then you have a couple of minutes to click
"extend" to keep your session alive. If you don't, the session
eventually times out. Perhaps that's one way to go.

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

If i got it right, what you want is to do that if users dont update
their session e.g. in 20 minutes, the session will be terminated. But
if the session exists in the database, you will simply disalow any
other sessions with the same username, right?

Simply, run cron for each 5 minutes to execute the php script that
would check everything. When user logins and each time they erquest the
server, update the mysql table saying time() + 60*10 ( 10 minutes ).
So if the script that is being executed by cron finds that the
expiration time has ended, the session is destroyed!

They wouldnt need that expiration mesage because the expiration time
would be automatically updates ( + 10 minutes for each request )

Also, there is a big disadvantage in all of this - users can have their
cookies disabled and then you'd get a big amount of sessions created in
your database... so you'd be dead because of that.

Just when users are logging in, in the login page set a cookie
$_COOKIE['do_login'] = true; and when user requests the actual login
page, where all the info is sent - the $_COOKIE['do_login'] should be
checked. If it is not, then simply say that Cookies must be enabled! :)

I might have confused anyone who is reading but figure it out then!

Good luck on your site!
Thanks!

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username


Gleep wrote:[color=blue]
> I've searched google intensely on this topic and it seems noone really knows how to approch this.
>
> The goal I don't want clients to give out their usernames and passwords to friends, since the site
> relies on subscrption fees.
>
> Sessions ID's are matched between the browser and the server. So a users can login with same
> username and password and those sessions are tracked individually.
>
> Some suggest create table fields with the session ID and a time stamp. However my clients can spend
> alot of time on a page and I don't want to force them to re-login, would be annoying.
>
> On the other hand, some clients do not logout properly and sessions open active and/or a script that
> runs the timestamp does not clear that field. Then the next they login the stamp reads that they are
> active and will not allow them to login.
>
> I'm an experienced PHP programmer yet this task has got me going in circles. Everytime I think I
> have a method worked out - there is a reason why it won't.
>
> The approach I'm considering now is to grab and loop all the server sessions username values - then
> compare those values to a flaged "logged-in" field from the user table. That way if a flag is
> negative I will allow the user to login in and create a session and flag that field. If a session
> does not exist then the flag is cleared. I would run the cron 10 minute intervals. If I find 2
> sessions with same username I unset both - then fire off an email to the client reminding them
> multiple logins are a bad thing
>
> Does this sound right? Anyone else have a better idea?[/color]

Sorry, the email doesn't sound good to me. This would confront the
client with a 'flaw' in the system. I don't have a solution for your
problem, but this solution doesn't solve it, only moves is around. The
user might even not know there are multiple logins ...
Prevent multiple logins on 1 account by not letting more then 1 login.

How about setting a fla in the DB -> userid, session id, and timeasking
them if they want to stay logged in. If no-one answers the popup,
refresh the page at e.g. 15 minutes.
If they do reply reset the flag's timestamp.
If a timeout is after 15 minutes, and user is logged in, but closes the
browser without logging out, the account would be max. 15 minutes
unavailable for the same user. You *could* remind the user (on next
login e.g.) that leaving without logging out is a bad thing ...

Frizzle.

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

How about scenario like this ..
If user A is login into the system, the database write the use log,
userid, timestamp, blah blah ... and the when user B login with the
same account the system automatically do the logout action for the user
A and tell him what's happened (like "dude, some other user is logging
with your same account") ... then we give the user chance to re-login
and kick user B plus protect user A from kicking ...

Humm ... my english is suck ... I can't give clear explanation ... but
I hope you get the idea ...

About cron, I think that wasn't bad idea ... user should know about the
session expiration in the Term of Service. If they agree with that ...
I think it is OK ... plus, we owned the site and what we do is simply
to protect them, right ...

Re: REQ Been racking my brain trying to figure out how to preventmultiple login with same username

since preventing 2 or more people to login as a same user is practicaly
mission impossible (since, for instance, i can login to your web from
home or from work, thus having 2 different login locations), i think the
best idea is to force users to logout after the're done browsing, or you
could logout them when they leave the page (onunload event, or
something like that), thus, making it impossible for another person to
login as the user that's already logged in.

I know this is not a revolutionary idea, but I hope it helps You...

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

alvonsius wrote:[color=blue]
> How about scenario like this ..
> If user A is login into the system, the database write the use log,
> userid, timestamp, blah blah ... and the when user B login with the
> same account the system automatically do the logout action for the user
> A and tell him what's happened (like "dude, some other user is logging
> with your same account") ... then we give the user chance to re-login
> and kick user B plus protect user A from kicking ...
>
> Humm ... my english is suck ... I can't give clear explanation ... but
> I hope you get the idea ...
>
> About cron, I think that wasn't bad idea ... user should know about the
> session expiration in the Term of Service. If they agree with that ...
> I think it is OK ... plus, we owned the site and what we do is simply
> to protect them, right ...[/color]

Why not prevent user B from logging in, and not kicking user A?
If i were user A, i wouldn't like being kicked for someone else's
"hacking" attempts.
That's not my problem ...

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

"frizzle" <phpfrizzle@gma il.com> wrote in message
news:1139485680 .126735.273630@ z14g2000cwz.goo glegroups.com.. .[color=blue]
> alvonsius wrote:[color=green]
>> How about scenario like this ..
>> If user A is login into the system, the database write the use log,
>> userid, timestamp, blah blah ... and the when user B login with the
>> same account the system automatically do the logout action for the user
>> A and tell him what's happened (like "dude, some other user is logging
>> with your same account") ... then we give the user chance to re-login
>> and kick user B plus protect user A from kicking ...
>>
>> Humm ... my english is suck ... I can't give clear explanation ... but
>> I hope you get the idea ...
>>
>> About cron, I think that wasn't bad idea ... user should know about the
>> session expiration in the Term of Service. If they agree with that ...
>> I think it is OK ... plus, we owned the site and what we do is simply
>> to protect them, right ...[/color]
>
> Why not prevent user B from logging in, and not kicking user A?
> If i were user A, i wouldn't like being kicked for someone else's
> "hacking" attempts.
> That's not my problem ...[/color]

Exactly - give the user a way to contact the site admin if they believe the
locking-out is incorrect. That way it can be sorted without a
logging-in-war :)

dave

Re: REQ Been racking my brain trying to figure out how to preventmultiple login with same username

alvonsius wrote:[color=blue]
> How about scenario like this ..
> If user A is login into the system, the database write the use log,
> userid, timestamp, blah blah ... and the when user B login with the
> same account the system automatically do the logout action for the user
> A and tell him what's happened (like "dude, some other user is logging
> with your same account") ... then we give the user chance to re-login
> and kick user B plus protect user A from kicking ...
>
> Humm ... my english is suck ... I can't give clear explanation ... but
> I hope you get the idea ...
>
> About cron, I think that wasn't bad idea ... user should know about the
> session expiration in the Term of Service. If they agree with that ...
> I think it is OK ... plus, we owned the site and what we do is simply
> to protect them, right ...
>[/color]

Actually, I like this way a lot better than refusing to log user B in.

One of the distributors I use for another business does something
similar. If I log in from a second computer (or a different browser),
it logs the first session off. Simple and painless. I can't have two
sessions going at the same time, and I'm not restricted for a period of
time because I didn't log off previously.

I can see another advantage to this, also. You can't stop User "A" from
giving his password to User "B". However, if "B" knocks "A" off enough
times, "A" will change his PW and not give it to "B".

As for being logged off due to a hack - well, if you use any reasonable
password, most likely that won't happen. Remember - it's a successful
login which logs the person off - an unsuccessful login won't do it.


--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

Carved in mystic runes upon the very living rock, the last words of
frizzle of comp.lang.php make plain:
[color=blue]
> alvonsius wrote:[color=green]
>> How about scenario like this ..
>> If user A is login into the system, the database write the use log,
>> userid, timestamp, blah blah ... and the when user B login with the
>> same account the system automatically do the logout action for the
>> user A and tell him what's happened (like "dude, some other user is
>> logging with your same account") ... then we give the user chance to
>> re-login and kick user B plus protect user A from kicking ...
>>
>> Humm ... my english is suck ... I can't give clear explanation ...
>> but I hope you get the idea ...
>>
>> About cron, I think that wasn't bad idea ... user should know about
>> the session expiration in the Term of Service. If they agree with
>> that ... I think it is OK ... plus, we owned the site and what we do
>> is simply to protect them, right ...[/color]
>
> Why not prevent user B from logging in, and not kicking user A?[/color]

What happens if user A goes to the library, logs in to the site, forgets
to log out, and now wants to log in at home?

--
Alan Little
Phorm PHP Form Processor

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

Carved in mystic runes upon the very living rock, the last words of
Gleep of comp.lang.php make plain:
[color=blue]
> I've searched google intensely on this topic and it seems noone really
> knows how to approch this.
>
> The goal I don't want clients to give out their usernames and
> passwords to friends, since the site relies on subscrption fees.[/color]

Add a META refresh or JS refresh to all the pages. When the page refreshes,
refresh the session. The person can sit there as long as they like; if they
leave the site and don't log out, the session eventually expires.

--
Alan Little
Phorm PHP Form Processor

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

>Some suggest create table fields with the session ID and a time stamp.[color=blue]
>However my clients can spend
>alot of time on a page and I don't want to force them to re-login, would
>be annoying.
>
>On the other hand, some clients do not logout properly and sessions open
>active and/or a script that
>runs the timestamp does not clear that field. Then the next they login
>the stamp reads that they are
>active and will not allow them to login.[/color]

My suggestion is to keep a database of active sessions. (user name,
session id, timestamp). Well, actually, I'm not sure you really
need the timestamp. If a user logs in, delete all the previous
session records with his user ID and create a new record with his
session ID. When a user tries to access a page, check for the
session record by session ID. If it's not there, redirect him to
the login page. In other words, if the user tries to log in twice,
blow away the *OLD* session(s), so if someone tries to continue
using them, they have to log in again. If the user explicity logs
out, blow away all the session records with his user id.

If the user did not log out properly, this will do no damage, since
he won't use that session ID again. If there are two (or more)
users sharing a login and trying to use it simultaneously, they
will keep bumping each other off. You don't prohibit multiple users
but you make account sharing a real nuisance. It gets even worse
with a dozen users trying to share an account.
[color=blue]
>I'm an experienced PHP programmer yet this task has got me going[/color]
in >circles. Everytime I think I >have a method worked out - there
is a reason why it won't.

You can also use the approach of detecting multiple logins (timestamp
needed here for telling the difference between an abandoned session
and multiple users) and if there are too many too quickly, send a
nasty email. Realize that this might false-trip occasionally so
you only send email if it happens several times in a few days. Oh,
yes, tracking IP addresses might be useful as evidence in case the
user denies sharing his account. Perhaps his password was stolen
(by a family member he shares the computer with?)

Gordon L. Burditt

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

Gordon Thanks for your tip about tracking the sessions in a db. I did consider that but I wanted to
avoid tracking them with table queries.

Here is what I came up with.....
First I wanted to say thanks to everyone writing in help me with this. I came up with this solution
and it works well I think.

The trick to this situation is collecting current session data and comparing against a client who is
trying to login. Note the goal: I want to prevent clients from sharing thier usernames and
passwords with others since this is a subscription based system.

On the login form, I do the standard thing (query) to see is the username exists and if the password
is correct, blah blah we've all done that a million times. But BEFORE I register a session
"validUser" with thier username - I first loop through existing sessions and see if there is a
match. This is how

$OKtoLogin = true;
$handle = opendir(session _save_path());
while (($file = readdir($handle )) != false) {
if( $file != "." && $file != ".." ) {
$filename= session_save_pa th()."/".$file;
$fp = @fopen($filenam e, "r");
$contents = fread($fp, filesize($filen ame));
if(strstr($cont ents, $userName)){
// if true then there is multiple login attempt, at this point I
// can send them to a login fail page or email them with note
$OKtoLogin = false;
}
fclose($fp);
}
}
if($OKtoLogin){
// at this point it passes validation
// here i would register thier session and pass them into application
}

Note: occationally some sessions stick around for whatever reason and I would have a cron set up at
3:00am that wipes out all sessions with unset() and session_destroy ()

It seems simple now, but this took me hours and hour to figure out. It just reads in all the
existing session files, reads the contents of the session, compares it against the posted value
username (which will always be unique new user will not be able have the same username) if there is
a match then I know it's a multiple login attempt and it fails. If there are no matches everything
is cool and they login normally.

I don't have to track timestamps and SID in tables and run quiers to see if flags have been set and
all that jazz. I hope that this code snip will help someone else solve this issue with preventing
multiple logins.





On Thu, 09 Feb 2006 18:52:08 -0000, gordonb.k3i75@b urditt.org (Gordon Burditt) wrote:
[color=blue][color=green]
>>Some suggest create table fields with the session ID and a time stamp.
>>However my clients can spend
>>alot of time on a page and I don't want to force them to re-login, would
>>be annoying.
>>
>>On the other hand, some clients do not logout properly and sessions open
>>active and/or a script that
>>runs the timestamp does not clear that field. Then the next they login
>>the stamp reads that they are
>>active and will not allow them to login.[/color]
>
>My suggestion is to keep a database of active sessions. (user name,
>session id, timestamp). Well, actually, I'm not sure you really
>need the timestamp. If a user logs in, delete all the previous
>session records with his user ID and create a new record with his
>session ID. When a user tries to access a page, check for the
>session record by session ID. If it's not there, redirect him to
>the login page. In other words, if the user tries to log in twice,
>blow away the *OLD* session(s), so if someone tries to continue
>using them, they have to log in again. If the user explicity logs
>out, blow away all the session records with his user id.
>
>If the user did not log out properly, this will do no damage, since
>he won't use that session ID again. If there are two (or more)
>users sharing a login and trying to use it simultaneously, they
>will keep bumping each other off. You don't prohibit multiple users
>but you make account sharing a real nuisance. It gets even worse
>with a dozen users trying to share an account.
>[color=green]
>>I'm an experienced PHP programmer yet this task has got me going[/color]
>in >circles. Everytime I think I >have a method worked out - there
>is a reason why it won't.
>
>You can also use the approach of detecting multiple logins (timestamp
>needed here for telling the difference between an abandoned session
>and multiple users) and if there are too many too quickly, send a
>nasty email. Realize that this might false-trip occasionally so
>you only send email if it happens several times in a few days. Oh,
>yes, tracking IP addresses might be useful as evidence in case the
>user denies sharing his account. Perhaps his password was stolen
>(by a family member he shares the computer with?)
>
> Gordon L. Burditt[/color]

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username

I think gordon is onto a better solution.
Store the current session id and remote ip address in the database. ip
address also because they could simply modify the session id being
sent.

Additionally, there should only be *one* record per user account,
session id, and remote ip address, ie: unique sid, unique uid, and
unique uid-sid-ip. ip isn't unique unless you want to block different
accounts behind a shared internet connection.

Looping through every session, opening it, and searching for a
substring will take much longer than simply comparing two strings and
destroying a session.

Process:
On user login, destroy the previous session if the old session id
doesn't match the current session id or if the current ip doesn't match
the older ip.
Otherwise, store the new session ID and remote ip address for that
user.
If the user doesn't have a record, create it and allow the login.

Keep track of the last login time, too. If there are requests from
multiple IP's with the same account in a short period of time, then you
can lock the account, send them an email, alert your staff, you know,
raise a red flag of some sort.

This will allow a single user to have multiple windows open for the
website (assuming they 'open link in new window/tab') as the session
id's sent by all those windows will be the same.

It won't prevent sharing of an account if there is a home
gateway/router. But really, if thats the case, they can (and probably
would anyways) share the file over the local network. Either way, they
are still using the same connection and will be fighting for bandwidth.

in code, ala;

$oldid, $oldip = select sessionid, ip from table where user=$user
if($sid != $oldid || $ip != $oldip) {
destroy_session ($oldid);
destroy_session ($sid);
logout($user);
// do time calculation to flag shared accounts
gotoLogin();
} else {
// proceed with login
}

Re: REQ Been racking my brain trying to figure out how to prevent multiple login with same username


"Alan Little" <alan@n-o-s-p-a-m-phorm.com> wrote in message
news:Xns9765757 B5EDDDalanphorm com@216.196.97. 131...[color=blue]
> Carved in mystic runes upon the very living rock, the last words of
> Gleep of comp.lang.php make plain:
>[color=green]
>> I've searched google intensely on this topic and it seems noone really
>> knows how to approch this.
>>
>> The goal I don't want clients to give out their usernames and
>> passwords to friends, since the site relies on subscrption fees.[/color]
>
> Add a META refresh or JS refresh to all the pages. When the page
> refreshes,
> refresh the session. The person can sit there as long as they like; if
> they
> leave the site and don't log out, the session eventually expires.[/color]

that makes me shudder almost.

[color=blue]
>
> --
> Alan Little
> Phorm PHP Form Processor
> http://www.phorm.com/[/color]