robcrozier Posted July 31, 2009

Hi. I have a fairly robust user class that I use to maintain user state throughout my applications. The problem that I'm having is that if the same user logs in twice, from different machines, the database records are overwritten and thus the original user's state becomes corrupt. Take this for example: I log in once and walk away from my machine. The application is set to keep the user logged in for 30 minutes. A second person logs into the system with the same login details and the user's last active data is updated. The first user comes back to the system after 3 hours and the class checks the database to see when the user's last activity was. It picks up the last activity from the second user and thus keeps the first user logged in. This is not good! Can anyone suggest how I can get round this problem? I thought of maybe creating abstract user instances and storing them in a separate database table. The user instances can then be deleted at the end of the session and each user instance would be specific to that user's session. Is that necessarily the best way to do it though?
Psycho Posted July 31, 2009

Save the session ID to the database as well as the last activity timestamp. When user 1 comes back to their computer and tries to do something, the system will first check if the session ID matches. Since it doesn't, user 1 will be told they have been logged out on another PC. Of course you would not be able to have two people logged in using the same account at the same time, but that's probably what you want.
robcrozier (Author) Posted July 31, 2009

Hi mjdamato. Thanks for the response. Unfortunately, yes, I would like to have the two users log in with completely unconnected sessions, even though they're using the same login details - if that makes sense!? Cheers, Rob
WolfRage Posted July 31, 2009

That sounds rather insecure. Also, what if I make changes to my account and my friend makes different changes to my account at the same time? Who wins, and how will your system take care of different requests for the same accounts?
.josh Posted July 31, 2009

You can't have your script magically know who is logging in and out at which time if they are using the same credentials. That's the point in having separate accounts. You can shorten your timeout to require re-login to like 5 min or something, but even then that's flawed because that's still 5 unaccounted minutes. IOW the correct solution would be to have unique credentials for everybody.
Psycho Posted July 31, 2009

My company is in the middle of a SaaS application with a similar situation: multiple users can log in on different machines with the same credentials. The solution, for us, is to save a file to the user's PC that is used to help track that PC's session. Although I agree with CV that you should only allow one person to log in at a time with a set of credentials, it is not always up to development to decide these things. My suggestion would be to save a different record for each user login/session ID. Then when checking a user's active status, check to see if there is a record for their session ID. If so, then check to see the last activity for that particular session. Of course, you will need to clean up records where the last activity is past the allotted time.