Jump to content


Photo

Limit users to 1 active login


  • Please log in to reply
22 replies to this topic

#1 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 11:22 AM

Hi there ;) i am trying to limit my users to only 1 active login per user.
Here is what i have done so far:
1. Login -> update session_id in the mysql db with the new one generated from the session_start()
2. User account -> first check if session_id is equal to mysql session id. If not -> force logout.

This worked for different browsers. But if i use 2 same browsers for example IE or FF the session stays the same and again they can log as much times as they want :( ...

Any ideas how can i do this? If i can identify each browser no matter if its the same or not maybe will work?!

#2 onlyican

onlyican
  • Members
  • PipPipPip
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 09 August 2006 - 11:25 AM

If your using sessions, its the same domain, same session name, it should overwrite itself.

Also if you dont allow someone to log in if a session exsists, then that helps
I have a log.php page for log in and out
if($_SESSION["logged_in_user_session"]){
//destroy the session, log them out

}else{
//show your log in script
}

If they are using the same machine, to log into 2 different account, if they are logged in, and go to log in, then it will log them out from the other account when they go to log.php
Tell me the problem, I will try tell you the solution

#3 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 09 August 2006 - 11:27 AM

Do something like
<?php
// ... other stuff
$query = mysql_query("SELECT * FROM sessions WHERE username='{$username}'");
if(mysql_num_rows($query) <= 0)
{
	do_login();
}
else {
	echo "Sorry, you are already logged in";
}
// ... other stuff
?>


#4 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 12:07 PM

@Daniel0: Well this sounds good but what if i close the window?? I get locked out from the account :( ....

@onlyican: same for you :)

I am thinking of someting like this:

1st user 1st window logs -> do its stuff
1st user opens 2nd tab/window and logs again -> if login already exists invalidate the previous login
1st user 1st window -> clicks and gets an invalidation message
1st user 2nd window -> continues without problems.

But cant seem to think of a way to use this technique :)

#5 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 09 August 2006 - 12:19 PM

When you say it worked using the same browser, do you mean you actually opened up two differant instances of the browser?

If you were logged in in firefox and simply opened a new tab, or in either browser you right clicked a link to open it in a new window, then it will not work because the session is the same.

However, if you opened up internet explorer of firefox twice, what you already did should work.

#6 lead2gold

lead2gold
  • Members
  • PipPipPip
  • Advanced Member
  • 164 posts
  • LocationOttawa, On

Posted 09 August 2006 - 12:22 PM

well, read the persons IP address when they log in...

create a session table , it will provide you with rough guidance...

in this table you'll add 3 things:
userid (foreign key)
ipaddr (int) (you'll convert from REMOTE_ADDR)
time


each time anyone reloads or access any page, you will retrieve there record in the session table.
(or insert one if they don't have one).

match there IP address (on the first 3 octets only)
then check the time... if the time is less than... (say 1/2 hr) then update this record with current information. otherwise log out the person who's ip doesn't match.

It's nto bullet proof, but it's sort of what your looking for.

#7 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 12:23 PM

@GIngerrobot: The protection triggered on different browsers example IE, FF but if i open the same windows example 2 IE, or 2 FF tabs the protections goes to hell :)

@onlyican: this i would like to leave as a final option :)

Any other ideas, please? :)

#8 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 09 August 2006 - 12:26 PM

Thats what im saying. The session is valid throughout all the tabs you created in firefox in the same window. If you open up firefox and login, then open up another firefox browser, e.g. start the program again your protection should work fine.

#9 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 August 2006 - 12:31 PM

I say, each time a user logs in you update a field in a table with a random string. The same string will be stored on a cookie that will be sent to the user. On each page check if the cookie's value and the field in the table are matching. If they dont- kick him out.
When person2 logs in when person1 is currently online (in the same user), the field in the table is updated with a new string and and a cookie is being sent to person2 with the new value. The next time person1 refreshes the browser, his cookie won't match the table value and he'll be kicked out.

Sounds good?

Orio.

PS- same can be done with sessions instead of cookies.
Think you're smarty?

(Gone until 20 to November)

#10 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 12:38 PM

@Orio: what will happen when the 2 different users are the same :) i mean 1 user opens different windows :) ... I think nothing because cookies are shared.

@GingerRobot: But still i wont do as what i want. 1 and no more windows/tabs should be active at every moment. If a second ones open ... the previous should invalidate. But i just cant identify each browser/tab as unique :(

#11 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 August 2006 - 12:41 PM

Of course! Why do you want to limit the user using multiply windows??

Orio.
Think you're smarty?

(Gone until 20 to November)

#12 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 August 2006 - 12:44 PM

Ok, so if you want the user to use only one window a time, you can make the updating thing (both cookie and table) on every page. This will be easier with sessions. On each page check if table and session var are matching. If they are not- kick him out. If they are, change both to a new random value and continue.

Orio.
Think you're smarty?

(Gone until 20 to November)

#13 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 09 August 2006 - 12:48 PM

But that wont work, because you can have two windows/tabs open using the same session.

As Orio says, why do you want to limit people to one active window/tab? Wont that just be very annoying?

#14 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 12:50 PM

Orio, cookies are shared. This means that if i change 1 cookie var, every window will read the new value on the next request. Rendering this method quite uneffective.

I want to limit them to 1 window so i can prevent cheating in an online game.

I want to identify each tab with unique id ... the problem is that i dont know how, nor if its possible ... :)

The best thing that i've comed up with is to get the browser PID but ... i dont think this is implemented in php

#15 shocker-z

shocker-z
  • Members
  • PipPipPip
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 09 August 2006 - 12:53 PM

why not use sessions and log a session but make sure that you regenerate sessions on every page.. then you can use a datetime of the session also so if session is older than 10minutes then allow a new session to be used?

Not sure if you can make sence of that.

Regards
Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#16 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 09 August 2006 - 12:54 PM

Well i would guess that this game would all depend on form submission?

If so what you CAN do, is, each time a page is loaded, create a random number and apply the md5 hash to it. Put this hashed number into your database.

Then, if the page has a form on it, put that hashed number as a hidden field. When the form is sent, check it matches the last one in the database.

If someone was to load a second window, they would alter the hashed number in the database and thus make the first window unusable.

You would, of course, have to do this with every form in your game.

Seems very OTT, perhaps you could prevent cheating in some other way. But that is certainly one method.

#17 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 August 2006 - 12:57 PM

And if not all of the pages use forms, you can put it into links and fetch it using $_GET

Orio.
Think you're smarty?

(Gone until 20 to November)

#18 lead2gold

lead2gold
  • Members
  • PipPipPip
  • Advanced Member
  • 164 posts
  • LocationOttawa, On

Posted 09 August 2006 - 01:09 PM

If your preforming SQL inserts after someone completes a game, how could they cheat? Game data shouldn't be stored on the client end.  If your keeping your data on the server end, then it shouldn't matter how many windows they have open.

Orio, cookies are shared. This means that if i change 1 cookie var, every window will read the new value on the next request. Rendering this method quite uneffective.

I want to limit them to 1 window so i can prevent cheating in an online game.

I want to identify each tab with unique id ... the problem is that i dont know how, nor if its possible ... :)

The best thing that i've comed up with is to get the browser PID but ... i dont think this is implemented in php



#19 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 01:14 PM

I keep the data in a session, and when needed i update the sql db.
The only problem is the session because at some point they may trick the DB to store some invalid (old) data.

#20 DarkReaper

DarkReaper
  • Members
  • PipPipPip
  • Advanced Member
  • 36 posts

Posted 09 August 2006 - 03:36 PM

I was thinking ... is there a way to carry messages in the http headers???? (without using POST)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users