DarkReaper Posted August 9, 2006

Hi there ;) I am trying to limit my users to only 1 active login per user. Here is what I have done so far:

1. Login -> update session_id in the MySQL db with the new one generated from the session_start()
2. User account -> first check if session_id is equal to MySQL session id. If not -> force logout.

This worked for different browsers. But if I use 2 same browsers, for example IE or FF, the session stays the same and again they can log in as many times as they want :( ...

Any ideas how I can do this? If I can identify each browser, no matter if it's the same or not, maybe it will work?!

onlyican Posted August 9, 2006

If you're using sessions, it's the same domain, same session name, it should overwrite itself.

Also if you don't allow someone to log in if a session exists, then that helps.

I have a log.php page for log in and out:

[code]
<?php
session_start();
// !empty() avoids an undefined-index notice when nobody is logged in
if (!empty($_SESSION["logged_in_user_session"])) {
    // destroy the session, log them out
} else {
    // show your log in script
}
?>
[/code]

If they are using the same machine to log into 2 different accounts, if they are logged in and go to log in, then it will log them out from the other account when they go to log.php

Daniel0 Posted August 9, 2006

Do something like

[code]
<?php
// ... other stuff
// Escape the value before it goes into the query string; otherwise a crafted
// username changes the SQL. (The mysql_* extension was removed in PHP 7;
// use mysqli or PDO prepared statements there.)
$safe_username = mysql_real_escape_string($username);
$query = mysql_query("SELECT * FROM sessions WHERE username='{$safe_username}'");
if (mysql_num_rows($query) <= 0) {
    do_login();
} else {
    echo "Sorry, you are already logged in";
}
// ... other stuff
?>
[/code]

DarkReaper Posted August 9, 2006

@Daniel0: Well this sounds good but what if I close the window?? I get locked out from the account :( ....

@onlyican: same for you :)

I am thinking of something like this:

1st user 1st window logs -> does its stuff
1st user opens 2nd tab/window and logs again -> if login already exists invalidate the previous login
1st user 1st window -> clicks and gets an invalidation message
1st user 2nd window -> continues without problems.

But I can't seem to think of a way to use this technique :)

GingerRobot Posted August 9, 2006

When you say it worked using the same browser, do you mean you actually opened up two different instances of the browser?

If you were logged in in Firefox and simply opened a new tab, or in either browser you right clicked a link to open it in a new window, then it will not work because the session is the same.

However, if you opened up Internet Explorer or Firefox twice, what you already did should work.

lead2gold Posted August 9, 2006

Well, read the person's IP address when they log in... create a session table, it will provide you with rough guidance... in this table you'll add 3 things:

userid (foreign key)
ipaddr (int) (you'll convert from REMOTE_ADDR)
time

Each time anyone reloads or accesses any page, you will retrieve their record in the session table (or insert one if they don't have one). Match their IP address (on the first 3 octets only), then check the time... if the time is less than... (say 1/2 hr) then update this record with current information. Otherwise log out the person whose IP doesn't match.

It's not bullet proof, but it's sort of what you're looking for.

DarkReaper Posted August 9, 2006

@GingerRobot: The protection triggered on different browsers, for example IE, FF, but if I open the same windows, for example 2 IE or 2 FF tabs, the protection goes to hell :)

@onlyican: this I would like to leave as a final option :)

Any other ideas, please? :)

GingerRobot Posted August 9, 2006

That's what I'm saying. The session is valid throughout all the tabs you created in Firefox in the same window. If you open up Firefox and log in, then open up another Firefox browser, e.g. start the program again, your protection should work fine.

Orio Posted August 9, 2006

I say, each time a user logs in you update a field in a table with a random string. The same string will be stored in a cookie that will be sent to the user. On each page check if the cookie's value and the field in the table are matching. If they don't, kick him out.

When person2 logs in when person1 is currently online (in the same user), the field in the table is updated with a new string and a cookie is being sent to person2 with the new value. The next time person1 refreshes the browser, his cookie won't match the table value and he'll be kicked out.

Sounds good?

Orio.

PS- same can be done with sessions instead of cookies.

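
Added example (not code from the thread): the per-login random string Orio describes, stored in the user row and in the session and compared on every page. The in-memory SQLite database, the `users`/`login_token` names and the functions `start_login()` and `login_is_current()` are assumptions made for the demonstration, and two plain arrays stand in for `$_SESSION` in two separate browsers.

```php
<?php
// Assumptions: PDO with the SQLite driver; table, column and function names are made up here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, login_token TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice')"); // constructed sample row

// Called after the password check succeeds: the newest login replaces the stored token.
function start_login(PDO $db, string $username, array &$session): void
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not rand() or time()
    $stmt = $db->prepare('UPDATE users SET login_token = ? WHERE username = ?');
    $stmt->execute([$token, $username]);
    $session = ['username' => $username, 'login_token' => $token];
}

// Called at the top of every protected page.
function login_is_current(PDO $db, array $session): bool
{
    if (!isset($session['username'], $session['login_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison; a missing row or NULL token never matches.
    return is_string($stored) && hash_equals($stored, $session['login_token']);
}

// Constructed walk-through: the same account logs in from two browsers.
$browserA = [];
$browserB = [];
start_login($db, 'alice', $browserA);
printf("A after A logs in: %s\n", var_export(login_is_current($db, $browserA), true));
start_login($db, 'alice', $browserB); // second login for the same account
printf("A after B logs in: %s\n", var_export(login_is_current($db, $browserA), true));
printf("B after B logs in: %s\n", var_export(login_is_current($db, $browserB), true));
```

Tabs of one browser share the session, so they share the token too; this check only separates distinct sessions.
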
DarkReaper Posted August 9, 2006

@Orio: what will happen when the 2 different users are the same :) I mean 1 user opens different windows :) ... I think nothing because cookies are shared.

@GingerRobot: But still it won't do what I want. 1 and no more windows/tabs should be active at every moment. If a second one opens ... the previous should invalidate. But I just can't identify each browser/tab as unique :(

Orio Posted August 9, 2006

Of course! Why do you want to limit the user using multiple windows??

Orio.

Orio Posted August 9, 2006

Ok, so if you want the user to use only one window at a time, you can make the updating thing (both cookie and table) on every page. This will be easier with sessions. On each page check if table and session var are matching. If they are not, kick him out. If they are, change both to a new random value and continue.

Orio.

GingerRobot Posted August 9, 2006

But that won't work, because you can have two windows/tabs open using the same session.

As Orio says, why do you want to limit people to one active window/tab? Won't that just be very annoying?

DarkReaper Posted August 9, 2006

Orio, cookies are shared. This means that if I change 1 cookie var, every window will read the new value on the next request. Rendering this method quite ineffective.

I want to limit them to 1 window so I can prevent cheating in an online game.

I want to identify each tab with a unique id ... the problem is that I don't know how, nor if it's possible ... :)

The best thing that I've come up with is to get the browser PID but ... I don't think this is implemented in PHP

shocker-z Posted August 9, 2006

Why not use sessions and log a session but make sure that you regenerate sessions on every page.. then you can use a datetime of the session also, so if the session is older than 10 minutes then allow a new session to be used?

Not sure if you can make sense of that.

Regards
Liam

GingerRobot Posted August 9, 2006

Well I would guess that this game would all depend on form submission?

If so what you CAN do is, each time a page is loaded, create a random number and apply the md5 hash to it. Put this hashed number into your database.

Then, if the page has a form on it, put that hashed number as a hidden field. When the form is sent, check it matches the last one in the database.

If someone was to load a second window, they would alter the hashed number in the database and thus make the first window unusable. You would, of course, have to do this with every form in your game.

Seems very OTT, perhaps you could prevent cheating in some other way. But that is certainly one method.

Orio Posted August 9, 2006

And if not all of the pages use forms, you can put it into links and fetch it using $_GET

Orio.

lead2gold Posted August 9, 2006

If you're performing SQL inserts after someone completes a game, how could they cheat? Game data shouldn't be stored on the client end. If you're keeping your data on the server end, then it shouldn't matter how many windows they have open.

[quote author=DarkReaper link=topic=103543.msg412408#msg412408 date=1155127819]
Orio, cookies are shared. This means that if I change 1 cookie var, every window will read the new value on the next request. Rendering this method quite ineffective.

I want to limit them to 1 window so I can prevent cheating in an online game.

I want to identify each tab with a unique id ... the problem is that I don't know how, nor if it's possible ... :)

The best thing that I've come up with is to get the browser PID but ... I don't think this is implemented in PHP
[/quote]

DarkReaper Posted August 9, 2006

I keep the data in a session, and when needed I update the SQL db.

The only problem is the session, because at some point they may trick the DB to store some invalid (old) data.

DarkReaper Posted August 9, 2006

I was thinking ... is there a way to carry messages in the HTTP headers???? (without using POST)

lead2gold Posted August 9, 2006

You could always stamp breadcrumbs in the session file.

Each time a user does an action, store an md5(time()+$key); Every action one takes matches the current key and then the page is submitted. On the submit the key is changed.

In the event that the user ever had 2 windows open, his second window is useless now as it has a different key. Anything submitted there won't be saved.

You only perform the transaction if the keys match. On every match, the transaction is performed and the key is changed.

DarkReaper Posted August 9, 2006

I understand your idea but how can I set the key if I can't carry the data on a separate storage for each window. + I don't have a submit/post on every page. That's why I am asking is there a way to carry this key via the browser's headers or some other way

lead2gold Posted August 9, 2006

Well, you only write/check a key on every submit. So if they are doing a database transaction, then in each form you store the last key in <input type="hidden" name="key" value="<?=$_SESSION['key']?>" />

It doesn't matter how many windows anyone opens, because after the submit on 1 screen, the keys on all the other windows (will reference the old key) and will no longer be valid.

Upon each submit, you will refresh the $_SESSION['key'] value.
After each submit, you must check $_POST['key'] to ensure that it is equal to $_SESSION['key'].
Perform your SQL, and change the $_SESSION['key'].

The end result is someone who can have as many windows open as they want, but they will only be able to sequentially perform 1 task after another. The key acts as sort of a mutex/semaphore.

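
Added example (not code from the thread): the rotating per-submit key described in the last posts, with `random_bytes()` swapped in for the `md5(time()+$key)` suggestion because a timestamp-derived value is guessable. The function names `issue_key()`, `accept_submit()` and `hidden_field()` are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST`.

```php
<?php
// Assumption: PHP 7+; arrays replace $_SESSION / $_POST so the walk-through runs from the CLI.

function issue_key(array &$session): string
{
    $session['key'] = bin2hex(random_bytes(16)); // unpredictable, unlike a hashed timestamp
    return $session['key'];
}

// Returns true and rotates the key only when the submitted key is the current one.
function accept_submit(array &$session, array $post): bool
{
    $current   = $session['key'] ?? '';
    $submitted = $post['key'] ?? '';
    if (!is_string($submitted) || $current === '' || !hash_equals($current, $submitted)) {
        return false;        // stale or missing key: skip the SQL, leave the key alone
    }
    // ... perform the database transaction here ...
    issue_key($session);     // rotate, so every other open window now holds a dead key
    return true;
}

// Hidden field for each form, HTML-escaped and named to match $_POST['key'].
function hidden_field(array $session): string
{
    return '<input type="hidden" name="key" value="'
        . htmlspecialchars($session['key'], ENT_QUOTES) . '" />';
}

// Constructed walk-through: one shared session, the same form open in two windows.
$session = [];
issue_key($session);
$windowA = ['key' => $session['key']]; // form rendered in window A
$windowB = ['key' => $session['key']]; // same session, second tab

$submits = ['A' => $windowA, 'B' => $windowB, 'A replayed' => $windowA];
foreach ($submits as $name => $post) {
    $result = accept_submit($session, $post) ? 'accepted' : 'rejected';
    printf("window %s: %s\n", $name, $result);
}
echo hidden_field($session), "\n";
```
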
This topic is now archived and is closed to further replies.