realjumper Posted January 17, 2007

Hi,

My users are authenticating to a mysql database, and they stay logged in by way of a cookie which expires on browser close....or 2 hours, whichever occurs first. What I want to do now is to prevent users giving their login details to their friends so that multiple people login with the same username. I can store logged in usernames in a 'logged_in' table, which will make it easy to check whether that username is already logged in, and if it is, then deny access to any further users with that username. But, if a user doesn't logout using the 'Logout' button, which would delete the username from the 'logged_in' table, how could I detect that the user is in fact no longer on site and then delete their username from the 'logged_in' table? For example, the user might just close his browser and go home.....which would kill the cookie, but would leave their username in the 'logged_in' table, which would prevent them from logging in next time?

Perhaps I'm approaching this wrong?

Thanks,
Neil

Jessica Posted January 17, 2007

You sorta have to trust people to not give out their login info. Why would they?

dgiberson Posted January 17, 2007

How I handle timeouts is this... In my activeUsers table I store their ID, IP Address, Last Active (TimeStamp), Expires (TimeStamp). This way I can query the db to prevent multiple instances, it updates the table (last active & expires) when they move around the site. So if they don't explicitly logout and just walk away from their computer when an attempt to login/move around the site using that username occurs, I can check against the user to see if their session has expired and force them to login again.

realjumper (Author) Posted January 17, 2007

Yep, that's one way that I hadn't thought of that would work....not sure that this is the best option for what I'm doing, but it certainly helps. Thanks :)

realjumper (Author) Posted January 17, 2007

jesirose:

Well, the login is to access applications that are available to our students on or off campus. Someone, from not at this educational facility, has expressed interest in his students also using some of our applications, and I don't trust that he won't give his login details to others in order to access the applications...which could put a heavy load on our server. I can't deny him access as he is a part time tutor here, as well as a part time tutor at another facility. The solution is to only allow each user to be able to log in once...but I can figure out how to reset them as logged out if they just close their browser rather than hit the 'Log Out' button....which will happen for sure, I do it myself!!

Jessica Posted January 17, 2007

It might be easier to just catch him at it instead of try to prevent it. Log the IP addresses and times, and then analyze it. If people are logging in from different IPs at the same time with his info, he broke the rules, and then can be dealt with.

That's how I'd approach it - seems easier.

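An added example, not part of the original post: one way to do the log analysis suggested above, flagging a username whose requests arrive from different IP addresses within a short window. The log format, the 10-minute window and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: requests this close together count as "same time"

# Constructed sample log: "ISO timestamp, username, client IP" (documentation address ranges)
SAMPLE_LOG = """\
2007-01-17T09:00:05 tutor 192.0.2.10
2007-01-17T09:03:40 alice 198.51.100.7
2007-01-17T09:04:12 tutor 203.0.113.55
2007-01-17T09:06:30 tutor 192.0.2.10
2007-01-17T13:30:00 alice 198.51.100.99
2007-01-17T13:31:00 tutor 203.0.113.55
"""

def parse(log_text):
    """Yield (datetime, username, ip) tuples in time order."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, user, ip = line.split()
            rows.append((datetime.fromisoformat(stamp), user, ip))
    return sorted(rows)

def concurrent_ip_overlaps(log_text, window=WINDOW):
    """Return {username: set of IPs seen in use within `window` of each other}."""
    recent = defaultdict(deque)   # username -> (time, ip) entries still inside the window
    flagged = defaultdict(set)
    for when, user, ip in parse(log_text):
        q = recent[user]
        while q and when - q[0][0] > window:
            q.popleft()           # forget requests older than the window
        others = {old_ip for _, old_ip in q if old_ip != ip}
        if others:                # same account, different address, overlapping in time
            flagged[user].update(others | {ip})
        q.append((when, ip))
    return dict(flagged)
```

In the sample, alice's address changes hours apart and is not flagged; only the interleaved addresses on the tutor account are. Users behind a proxy pool or on a roaming connection can also change address inside the window, so a hit is a prompt to look at the access log rather than proof of sharing.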
The Little Guy Posted January 17, 2007

You should save login information about the person in a database.

Save there
- session id
- username
- userid
- logindate
- etc. etc. etc.

When someone goes to login, you will need to check if they have an active login already in the database; if they do, then they need to close their login.

You will also need to check if the session id is still existent; if not, you will need to delete it from the database, otherwise the user will only be able to login one time.

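An added example, not part of the original posts: a sketch of the session table that dgiberson and The Little Guy describe, with one row per user, a stored session id, and an expiry that slides forward on each request. It uses Python's sqlite3 in place of the thread's MySQL so it runs stand-alone; the table and function names and the 15-minute idle timeout are assumptions.

```python
import sqlite3

IDLE_TIMEOUT = 15 * 60  # seconds (assumed); also the longest lockout after a closed browser

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE active_users (
        user_id     TEXT PRIMARY KEY,   -- one row per user = one session per user
        session_id  TEXT NOT NULL,
        ip          TEXT NOT NULL,
        last_active INTEGER NOT NULL,   -- Unix time of the last request
        expires     INTEGER NOT NULL)""")
    return db

def login(db, user_id, session_id, ip, now):
    """True if the login is accepted, False if another live session holds the account."""
    with db:  # one transaction: purge a stale row, then try to claim the slot
        db.execute("DELETE FROM active_users WHERE user_id = ? AND expires <= ?",
                   (user_id, now))
        try:
            db.execute("INSERT INTO active_users VALUES (?, ?, ?, ?, ?)",
                       (user_id, session_id, ip, now, now + IDLE_TIMEOUT))
        except sqlite3.IntegrityError:
            return False  # primary key hit: a non-expired session still exists
    return True

def touch(db, user_id, session_id, now):
    """Call on every page request; slides the expiry. False means log in again."""
    with db:
        cur = db.execute(
            "UPDATE active_users SET last_active = ?, expires = ? "
            "WHERE user_id = ? AND session_id = ? AND expires > ?",
            (now, now + IDLE_TIMEOUT, user_id, session_id, now))
    return cur.rowcount == 1

def logout(db, user_id, session_id):
    """Explicit 'Log Out' button: free the slot immediately."""
    with db:
        db.execute("DELETE FROM active_users WHERE user_id = ? AND session_id = ?",
                   (user_id, session_id))
```

Because the stale row is removed at the next login attempt, no background cleanup job is needed, and a user who simply closes the browser can log in again once the idle timeout has passed.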
dgiberson Posted January 17, 2007

realjumper, I had the same issue with a corporate product, the only way I have ever found to effectively handle it was the solution I came up with, take it for what it's worth but in combination with my system's access logs, I've never had an issue, I can track people down to login locations, request pages, querystring information, date/time, records they affected, you name it..... Had to do it in order to get SOX compliance.

realjumper (Author) Posted January 17, 2007

Okay....thanks everyone. I'll have a play around with your suggestions and see what I come up with :)