Limit Session Authentication

[bschultz]

Hi,

 

I have a php authentication script that checks against a MySQl database for login info.  Upon a correct login, a session is started.  Is there anyway to limit the authentication to one username at a time?  So that when user1 logs in...and someone else tries to use user1's username and password to access the page as well, it doesn't authenticate, or start the session.

 

Thanks.

 

[bschultz]

I should add that the session ends when the browser closes...so no cookies.  Thanks.

[btherl]

That information is best stored in mysql.  You could add it to the user table, for example.  You will need a method to detect situations such as user1 being logged in from home and forgetting to logout, then logging in from work (if such a situation will happen for your system).

[bschultz]

The problem is, I'm authenticating against a shopping cart DB.  I want to authenticate certain pages based on whether or not the person purchased the subscription...since it's a cart DB, I can't add any extra fields.

[btherl]

You can add an additional table, indexed by user id.  Eg.

 

CREATE TABLE logged_in (
  user_id integer PRIMARY KEY,
  last_logged_in DATETIME,
);

 

Then, you can check the time they were last logged in from there, and make a choice about whether or not to allow a new login from a new location.  The hardest part to deal with is that people usually don't logout when moving from location to location, so you need to be able to time out sessions after a while.  That's why you need to store the time of the last login, and not just whether or not the user is logged in.

 

Or you can store the data in a text file, if you prefer that.  As long as the data is stored on the server, it really doesn't matter where

[bschultz]

There is no cookie...the session ends when the user closes the browser so there is no logout feature.  I'm trying to authenticate people to a subscription to a college sports play-by-play audio stream.  Games can be 3 1/2 hours...makes it hard to log someone out without their interaction.

[btherl]

Even if you change it, how can you force every user to logout?  A shopping cart is one of the places users are least likely to logout when their session is finished.  They will just browse somewhere else.

 

What do you mean by "There is no cookie"?  I didn't mention cookies.

[bschultz]

Sorry...when I think "logout" I think cookies.  Since the session ends on a browser close, I was hoping to limit a parent from giving a grandparent their login info and both being able to listen when only one of them pays for it.