
Prevent Multiple logins


andrew_ww


Hello,

 

Does anybody have examples of how I can stop multiple users from logging on with the same credentials ?

 

The login script that I use is shown below:

 

Many Thanks.

 

Andy.

 

 

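<?php
// Login handler: checks the submitted credentials against tbl_users, stores
// the user's id, name and access level in the session, and builds the
// $message notification block for the login page.
// NOTE(review): neither session_start() nor the MySQL connection appears in
// this listing; presumably an earlier include provides both — confirm.

// Check username and password exist
if (isset($_REQUEST['login_submit'])) {
    // Absent or non-string fields become '' so the lookup simply matches no row.
    $user = (isset($_REQUEST['username']) && is_string($_REQUEST['username']))
        ? trim($_REQUEST['username'])
        : '';
    $pass = (isset($_REQUEST['password']) && is_string($_REQUEST['password']))
        ? trim($_REQUEST['password'])
        : '';

    // Both values come straight from the request, so they are escaped before
    // being placed inside the quoted SQL literals. The mysql_* extension was
    // removed in PHP 7; on a current stack this should be a prepared statement
    // through PDO or mysqli instead.
    // NOTE(review): user_pass is compared as stored plaintext. Store
    // password_hash() output and check it with password_verify().
    $query_users = sprintf(
        "SELECT * FROM tbl_users WHERE user_name = '%s' AND user_pass = '%s'",
        mysql_real_escape_string($user),
        mysql_real_escape_string($pass)
    );

    $rs_users = mysql_query($query_users);
    if ($rs_users === false) {
        // The query text contains the submitted password, so only the driver
        // error goes to the server log and the browser gets a generic message.
        error_log('Login query failed: ' . mysql_error());
        die('Login is temporarily unavailable.');
    }

    // mysql_fetch_assoc() returns false when no row matched.
    $row_users = mysql_fetch_assoc($rs_users);
    if ($row_users) {
        // Issue a fresh session id at the moment of login so an id that was
        // set before authentication is not carried into the logged-in session.
        session_regenerate_id(true);
        $_SESSION['authenticated'] = $row_users['user_id'];
        $_SESSION['session_username'] = $row_users['user_name'];
        $_SESSION['session_access_level'] = $row_users['access_level'];
        header("location: user/");
        // Stop here: header() only queues the redirect, it does not end the script.
        exit;
    }

    header("location: index.php?notification=badlogin");
    exit;
}

// If session is registered redirect to user page
if (isset($_SESSION['authenticated'])) {
    header("location: user/");
    exit;
}

// Check for notification messages and output.
// The request value only selects one of the fixed strings below; it is never
// copied into $message itself.
if (isset($_REQUEST['notification'])) {
    $message = '<div id="notifications">'."\n";
    switch ($_REQUEST['notification']) {
        case ('badlogin') :
            $message .= "Sorry\n";
            $message .= "The details you provided didn't match any user on this site.\n";
            break;
        case ('loggedout') :
            $message .= "<p>You have been logged out.</p>\n";
            break;
        case ('pleaselogin') :
            $message .= "Sorry\n";
            $message .= "You must provide your user details to view your page.\n";
            break;
    }
    $message .= '</div>'."\n";
}
?>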


You would need to record logged-in users in a table along with a timestamp; then, as a user logs in, check that table to see if they are already logged in.

 

You'll also need to update this timestamp on each request, as well as set up a cron job to run every 5 minutes or so to delete old (inactive / logged out) users.

 

Sorry, but there really is no simple solution.


Thanks for the ideas.  I've come up with this, which I think is the right way of going about it.  First I check whether the user name and password match; if they do, it goes on to check that the current session id does not match, and if it does, it displays an error message.

 

The code is not working correctly as I'm always getting the error message - does anything look out of place ?

 

<?php
// Login page, second attempt: checks the submitted credentials, then tries to
// detect a duplicate login by looking up the current session id in a tracking
// table before recording the login and redirecting.
// Get MySQL connection
require_once('Connections/connection.php');
// Begin session
if (!isset($_SESSION)) {
  session_start();
}

// Check username and password exist
if(isset($_REQUEST['login_submit'])) {
      $user = trim($_REQUEST['username']);
      $pass = trim($_REQUEST['password']);
      // NOTE(review): $user and $pass are request values placed unescaped inside
      // the quoted SQL literals, so this query is open to SQL injection; escape or
      // bind them. The password is also matched as stored plaintext, not a hash.
      $query_users = "SELECT * FROM tbl_users WHERE user_name = '$user' AND user_pass = '$pass'";
      //$rs_users = mysql_query($query_users);
      // NOTE(review): on failure this die() prints the whole query (including the
      // submitted password) and the MySQL error text to the browser.
      $rs_users = mysql_query($query_users) or die("Query failed: $query_users. <br />MySQL error was : " . mysql_error());
      $row_users = mysql_fetch_assoc($rs_users);
      $personExists = mysql_num_rows($rs_users);
      if($personExists) {
      
      // NOTE(review): the SQL text ends with a closing ' but has no opening quote
      // after sessionID=, so the statement is malformed and mysql_query()
      // presumably returns false here. This SELECT reads tbl_logged_user while the
      // INSERT below writes tbl_logged_users — confirm which table name exists.
      $result = mysql_query('SELECT COUNT(*) FROM tbl_logged_user WHERE sessionID='.mysql_real_escape_string(session_id())."'"); 
      $login_status = mysql_result($result,0,0); 

// NOTE(review): this branch runs when the count is 0, i.e. when the current
// session id is NOT in the table, which is the normal state for a fresh login;
// a failed query also compares equal to 0. Either way the message is always
// shown. A lookup by session id also cannot see another session of the same
// user; detecting that would presumably need a lookup by user name.
if (0 == $login_status) { 

$_SESSION = array(); //destroy the variables 
session_destroy(); //destroy the session itself 
setcookie(session_name(), '', time()-300, '/', '', 0); //destroy the cookie 
echo 'Multiple Login Detected'; 
// Execution is not stopped here: the INSERT and the header() redirect below
// still run after the session has been destroyed and output has been sent.

}
      
      
      // Add the details of a successful login to the database.
      $this_session = session_id();
      // NOTE(review): nothing in this listing assigns $_SESSION['session_username']
      // or $_SESSION['authenticated'], and $_SESSION may just have been emptied
      // above; the matched name is available as $row_users['user_name'].
      $sessionuser = $_SESSION['session_username']; 
        $sql1 = "INSERT INTO tbl_logged_users SET";
      $sql1 .=" sessionID='$this_session'";
      $sql1 .= ", user_name='$sessionuser'";
      // NOTE(review): the values are interpolated unescaped, and a failure prints
      // the statement and the MySQL error to the browser.
      $Result1 = mysql_query($sql1) or die($sql1."<br />". mysql_error());
      
            // header() only queues the redirect; the rest of the script still runs.
            header("location: user/");

      } else {
            header("location: index.php?notification=badlogin");
      }
}

// If session is registered redirect to user page
if(isset($_SESSION['authenticated'])) {
      header("location: user/");
      

}
// Check for notification messages and output
// The request value only selects one of the fixed strings below; it is never
// copied into $message.
if(isset($_REQUEST['notification'])) {
      $message = '<div id="notifications">'."\n";
      switch($_REQUEST['notification']) {
            case ('badlogin') :
                  $message .= "Sorry\n";
                  $message .= "The details you provided didn't match any user on this site.\n";
            break;
            case ('loggedout') :
                  $message .= "<p>You have been logged out.</p>\n";
            break;
            case ('pleaselogin') :
                  $message .= "Sorry\n";
                  $message .= "You must provide your user details to view your page.\n";
            break;
      }
      $message .= '</div>'."\n";
}
?>


Thanks for the ideas.  I've come up with this, which I think is the right way of going about it.  First I check whether the user name and password match; if they do, it goes on to check that the current session id does not match, and if it does, it displays an error message.

 

The code is not working correctly as I'm always getting the error message - does anything look out of place ?

 

<?php
// Quoted copy of the login page under discussion: credential check, lookup of
// the current session id in a tracking table, then an INSERT and a redirect.
// Get MySQL connection
require_once('Connections/connection.php');
// Begin session
if (!isset($_SESSION)) {
  session_start();
}

// Check username and password exist
if(isset($_REQUEST['login_submit'])) {
      $user = trim($_REQUEST['username']);
      $pass = trim($_REQUEST['password']);
      // NOTE(review): request values go unescaped into the SQL string (SQL
      // injection), and the password is compared as stored plaintext.
      $query_users = "SELECT * FROM tbl_users WHERE user_name = '$user' AND user_pass = '$pass'";
      //$rs_users = mysql_query($query_users);
      // NOTE(review): the die() text exposes the query and the MySQL error to the client.
      $rs_users = mysql_query($query_users) or die("Query failed: $query_users. <br />MySQL error was : " . mysql_error());
      $row_users = mysql_fetch_assoc($rs_users);
      $personExists = mysql_num_rows($rs_users);
      if($personExists) {
      
      // NOTE(review): the closing ' has no matching opening quote after sessionID=,
      // so the SQL is malformed; the table name also differs from the INSERT below
      // (tbl_logged_user vs tbl_logged_users) — confirm.
      $result = mysql_query('SELECT COUNT(*) FROM tbl_logged_user WHERE sessionID='.mysql_real_escape_string(session_id())."'"); 
      $login_status = mysql_result($result,0,0); 

// NOTE(review): the condition is true when no row matches (or the query
// failed), so the duplicate-login message is reported for every login.
if (0 == $login_status) { 

$_SESSION = array(); //destroy the variables 
session_destroy(); //destroy the session itself 
setcookie(session_name(), '', time()-300, '/', '', 0); //destroy the cookie 
echo 'Multiple Login Detected'; 
// The script carries on after this point; there is no exit.

}
      
      
      // Add the details of a successful login to the database.
      $this_session = session_id();
      // NOTE(review): $_SESSION['session_username'] is not assigned anywhere in
      // this listing; $row_users['user_name'] holds the matched name.
      $sessionuser = $_SESSION['session_username']; 
        $sql1 = "INSERT INTO tbl_logged_users SET";
      $sql1 .=" sessionID='$this_session'";
      $sql1 .= ", user_name='$sessionuser'";
      $Result1 = mysql_query($sql1) or die($sql1."<br />". mysql_error());
      
            header("location: user/");

      } else {
            header("location: index.php?notification=badlogin");
      }
}

// If session is registered redirect to user page
if(isset($_SESSION['authenticated'])) {
      header("location: user/");
      

}
// Check for notification messages and output
// Only fixed strings are appended; the request value just picks the case.
if(isset($_REQUEST['notification'])) {
      $message = '<div id="notifications">'."\n";
      switch($_REQUEST['notification']) {
            case ('badlogin') :
                  $message .= "Sorry\n";
                  $message .= "The details you provided didn't match any user on this site.\n";
            break;
            case ('loggedout') :
                  $message .= "<p>You have been logged out.</p>\n";
            break;
            case ('pleaselogin') :
                  $message .= "Sorry\n";
                  $message .= "You must provide your user details to view your page.\n";
            break;
      }
      $message .= '</div>'."\n";
}
?>

 

What is the error message? That would help.


If results are found in your query, that would mean they're already logged in. You've got it the other way around, I'm sure. Try...

 

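<?php

  // A row matching the current session id means this session is already
  // recorded as logged in, so the session is torn down and the duplicate is
  // reported.
  // The session id is taken from the cookie the client sends, so it is escaped
  // and quoted like any other request value instead of being assumed safe.
  // NOTE(review): the column name (id) and table name (tbl_logged_user) are as
  // posted; the asker's INSERT writes to tbl_logged_users — confirm the schema.
  $session_sql = "SELECT id FROM tbl_logged_user WHERE sessionID='"
    . mysql_real_escape_string(session_id()) . "'";
  if ($result = mysql_query($session_sql)) {
    if (mysql_num_rows($result)) {
      $_SESSION = array(); //destroy the variables
      session_destroy(); //destroy the session itself
      setcookie(session_name(), '', time()-300, '/', '', 0); //destroy the cookie
      echo 'Multiple Login Detected';
      // NOTE(review): the surrounding page should stop here; any INSERT or
      // header() redirect that follows would otherwise still run.
    }
  }

?>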


I've tried adding your code to my page; however, when I run it all I get is a blank page - no errors. If I remove your code then the page is shown as expected.  I imagine I missed a comma or something simple, but I'd appreciate another pair of eyes as I've been through it and can find nothing wrong:

 

Code:

<?php
// Login page, third attempt: credential check, duplicate-login lookup by
// session id, login record INSERT, notification messages, and a visitor log
// INSERT that runs on every request.
// Get MySQL connection
require_once('Connections/connections.php');
// Begin session
if (!isset($_SESSION)) {
  session_start();
}


if(isset($_REQUEST['login_submit']))
{
$user = trim($_REQUEST['username']);
$pass = trim($_REQUEST['password']);
// NOTE(review): request values are interpolated unescaped into the SQL string
// (SQL injection), and the password is compared as stored plaintext.
$query_users = "SELECT * FROM tbl_users WHERE user_name = '$user' AND user_pass = '$pass'";
// NOTE(review): the die() text exposes the query and the MySQL error to the client.
$rs_users = mysql_query($query_users) or die("Query failed: $query_users. <br />MySQL error was : " . mysql_error());
$row_users = mysql_fetch_assoc($rs_users);
$personExists = mysql_num_rows($rs_users);

	if($personExists)
	{

		// NOTE(review): the if ( opened on the next line is never closed: one
		// more ) is needed after session_id()). That is a PHP parse error, which
		// presumably explains the blank page when errors are not displayed.
		// The session id is also concatenated without quotes or escaping, and the
		// table is tbl_logged_user here but tbl_logged_users in the INSERT below.
		if ($result = mysql_query('SELECT user_ID FROM tbl_logged_user WHERE sessionID='. session_id())
		{
			if (mysql_num_rows($result))
			{
	    		$_SESSION = array(); //destroy the variables 
            		session_destroy(); //destroy the session itself 
				setcookie(session_name(), '', time()-300, '/', '', 0); //destroy the cookie
				echo 'Multiple Login Detected'; 
				// Execution continues below; there is no exit after the message.
			}
		}

		$this_session = session_id();
		// NOTE(review): $_SESSION['session_username'] and
		// $_SESSION['authenticated'] are not assigned anywhere in this listing;
		// $row_users holds the matched user's columns.
		$sessionuser = $_SESSION['session_username']; 
  			$sql1 = "INSERT INTO tbl_logged_users SET";
		$sql1 .=" sessionID='$this_session'";
		$sql1 .= ", user_name='$sessionuser'";
		$Result1 = mysql_query($sql1) or die($sql1."<br />". mysql_error());

		// header() only queues the redirect; the rest of the script still runs.
		header("location: user/");

	} 

	else 
	{
	header("location: index.php?notification=badlogin");
	}
}

// If session is registered redirect to user page
if(isset($_SESSION['authenticated'])) {
header("location: user/");


}
// Check for notification messages and output
// Only fixed strings are appended; the request value just picks the case.
if(isset($_REQUEST['notification'])) {
$message = '<div id="notifications">'."\n";
switch($_REQUEST['notification']) {
	case ('badlogin') :
		$message .= "Sorry\n";
		$message .= "The details you provided didn't match any user on this site.\n";
	break;
	case ('loggedout') :
		$message .= "<p>You have been logged out.</p>\n";
	break;
	case ('pleaselogin') :
		$message .= "Sorry\n";
		$message .= "You must provide your user details to view your page.\n";
	break;
}
$message .= '</div>'."\n";
}

// Code for tracking visitor details
// NOTE(review): REQUEST_URI and HTTP_REFERER are supplied by the client and are
// written into the INSERT below without escaping, so this log statement is
// injectable as well. HTTP_REFERER and the three $_SESSION keys may be unset
// on a request from a visitor who is not logged in.
  	$dateTimePageOpened = date("Y-m-d H:i");
  	$pageOpened = $_SERVER['REQUEST_URI'];
  	$ipaddress = $_SERVER['REMOTE_ADDR'];
  	$sessionvar = $_SESSION['authenticated'];
$sessionuser = $_SESSION['session_username'];
$referer = $_SERVER['HTTP_REFERER'];
$accessLevel = $_SESSION['session_access_level'];
  	$sql = "INSERT INTO tbl_log SET";
$sql .= " dateTimeOpened='$dateTimePageOpened'";
  	$sql .= ", page='$pageOpened'";
  	$sql .= ", ipaddress='$ipaddress'";
$sql .= ", sessionvar='$sessionvar'";
$sql .=", username='$sessionuser'";
$sql .=", referer='$referer'";
$sql .=", access_level='$accessLevel'";
// NOTE(review): a failure prints the statement and the MySQL error to the browser.
$Result = mysql_query($sql) or die($sql."<br />". mysql_error());

?>
