tags:
views: 76
answers: 4

How do I prevent a user from logging in from 2 locations at the same time? A username and password can only be used by 1 person at the same time.

Please send me the code in PHP.

A: 

Keep a field in the database that keeps track of active sessions. We can give you other pointers, but without more effort and information on your part, it's impossible to provide code.

TNi
I store the session id in the database... but I get a security issue, "Do not accept externally created session identifiers", from IBM Rational AppScan 7.9.0.2.
I'm not familiar with IBM Rational AppScan or what vulnerability it is focusing on. However, there is no need to store a session ID. If a user is already logged in, a boolean field is enough to register that.
TNi
+2  A: 
// Pseudocode: $user and $context are the answerer's own abstractions, not a specific library
if (!$user->hasOpenSession()) {    // no other session is currently active for this account
    $user->login();
} else {
    $context->forwardToForbidden(); // already logged in elsewhere: refuse this login
}
pagid
Next problem is "same request was sent twice in different sessions and the same response was received". How do I protect against this?
Well, you did "send him code".
Rook
+1  A: 

Update the users table on login with the IP address and login time. Clear the IP on session timeout or if the user logs out. Check this IP address upon login to make sure it matches up. Only check $_SERVER['REMOTE_ADDR']; you don't want to look at X-Forwarded-For because that could be anything.

Rook
A: 

The problem with restrictions based on the IP address with which the user logged on is that, in some cases, it could be the same legitimate user from the same machine/browser but with distinct IP addresses.

One case (quite rare I suppose) could be a pool of HTTP proxies that would use distinct IP addresses to make requests to your server (even though the actual user/browser/machine is the same). Another case, which I think we might see more and more, is the case of mobile devices: a mobile device could potentially travel and re-associate with different access points and networks, therefore jumping from one IP address to another. In this case, you'd have to force your user to log on again every time. I'm not sure how big this problem is at the moment, but that could be possible for people travelling on trains or similar (depending on how they access their network).

I think a better solution could consist of destroying any other sessions/authentication cookies you have for that user whenever they log on or log out (and perhaps implementing a time-out if they forget to log out).

Bruno
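One way to implement the approach in this last answer (the newest login displaces any earlier session for the same user, with an idle timeout, and logout clears the record), added here as an example and not code from any of the posters. It assumes a PDO connection and a users table with columns id, username, password_hash, active_session and last_seen; the sha256 fingerprint and the 900-second timeout are choices of the example, and session.use_strict_mode is the setting that answers the AppScan finding mentioned in the comments on the first answer.

```php
<?php
// Added example, not from any poster. Assumes a PDO handle and a users table with
// columns id, username, password_hash, active_session (CHAR(64) NULL), last_seen (INT).
declare(strict_types=1);
const SESSION_TIMEOUT = 900; // idle seconds before a session counts as abandoned

// Refuse session IDs the server did not issue (the AppScan "externally created identifiers" finding).
ini_set('session.use_strict_mode', '1');
session_start();

// Store a hash, not the raw ID, so a database leak does not expose live sessions.
function sessionFingerprint(): string { return hash('sha256', session_id()); }

function login(PDO $pdo, string $username, string $password): bool {
    $q = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) return false;
    session_regenerate_id(true); // fresh ID on login, also blocks session fixation
    // Point the user record at this session; any earlier login now fails requireSingleSession().
    $pdo->prepare('UPDATE users SET active_session = ?, last_seen = ? WHERE id = ?')
        ->execute([sessionFingerprint(), time(), $row['id']]);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function requireSingleSession(PDO $pdo): bool {
    if (!isset($_SESSION['user_id'])) return false;
    $q = $pdo->prepare('SELECT active_session, last_seen FROM users WHERE id = ?');
    $q->execute([$_SESSION['user_id']]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['active_session'] !== sessionFingerprint()
            || time() - (int) $row['last_seen'] > SESSION_TIMEOUT) {
        logout($pdo); // displaced by a newer login, or idle past the timeout
        return false;
    }
    $pdo->prepare('UPDATE users SET last_seen = ? WHERE id = ?')
        ->execute([time(), $_SESSION['user_id']]);
    return true;
}

function logout(PDO $pdo): void {
    if (isset($_SESSION['user_id'])) { // clear the record only if it still points at this session
        $pdo->prepare('UPDATE users SET active_session = NULL WHERE id = ? AND active_session = ?')
            ->execute([$_SESSION['user_id'], sessionFingerprint()]);
    }
    $_SESSION = [];
    session_destroy();
}
```

Call requireSingleSession() at the top of every authenticated page; the guard in logout() matters because a displaced session must not wipe the record that now belongs to the newer login.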