Allow one session only at a time

views:

answers:

+1 Q:

Allow one session only at a time

Dear all,

I would like to make my website to allow only one session at a time. For example, let say user has login to my website on firefox, if the user login again to another browser like opera on the same computer or different computer, the session on firefox will be destroyed. However, the session on firefox remained if it remains as one session. May I know how can I do that? I am using php and apache. Thank you.

Regards. Benjamin

+3 A:

Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.

Pekka 2010-07-02 09:28:06

I think the idea is to *allow* the user to log in to another browser, and destroy the already-open session. Unless I have misunderstood, your idea is to prevent the new login?

Mike 2010-07-02 09:32:36

@Mike Good point, will update the answer a bit. Both things will be easily possible to do with a central registry.

Pekka 2010-07-02 09:34:56

@pekka @mike thanks for the reply. My idea is not to prevent the new login, however is to destroy the existing session if new login by the same user is found on different browser on the same computer or any browser on different computer. thanks.

benmsia 2010-07-02 10:42:06

@ben this can be done using a central registry where you can keep a "logged in" flag for each session. As far as I can see, the answers provided outline good ways to get there. I think you need to go more into detail what doesn't work for you.

Pekka 2010-07-02 10:48:34

+3 A:

You can use the following algorithm

create an integer field in the databse userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
whenever a session is destroyed decrement the value as well

Credits to Bozho because he posted this, answering to a question here

pakore 2010-07-02 09:29:08

yes. more of the same scenario. but can't find solution there. thks.

benmsia 2010-07-02 10:45:24

@ben why not, what's the problem?

Pekka 2010-07-02 10:47:15

Save users' IP=>SESSION_ID pairs in a database. When user try to load your page you must compare the actual IP=>SESSION_ID pair then allow/deny if the pair is ok/different.

fabrik 2010-07-02 09:30:46

I think you'd have to do something like that :

add a "last_session_id" column to your user table
when a user logs in, update its last_session_id field with its current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.

Arkh 2010-07-02 10:38:53

+1 A:

I'll suggest you to do something like this:

Suppose when user "A" loges in to the "Com_1", for the first time. Save a unique code in the database against that session, and same with the user session.

At the mean time if he (user "A") loges in again on "com_2", then check his status in the database and update the unique code in the database.

again back if same user (user "A") refreshes the page on "com_1", we all you need to do is check the unique code from the session and match it to the database, It is for sure it will not match, then log it out and destroy the session.

For keeping the user loggedin, even if browser is closed, you can store the cookie on the browser, and re-generate the session accoordingly.

Hope this helps. Thank you.

Chetan sharma 2010-07-03 07:17:05

ansaurus

tags:

views:

answers:

Allow one session only at a time

related questions