views: 46

answers: 5

Hello,

There's a site with a registered users area; they all have their own user/pass.

The problem is, some of them try to share the authentication info with others to help them finish their job.

There's no possibility to restrict by IP address because there's a dynamic IP provided for everyone.

What could be the best solution? Store sessions in the database? How to restore if they don't log out properly?

Thanks

+1  A: 

If some people are sharing their login/password then there is little you can do.

You could detect that someone is connected from two different locations and then close both sessions, but that wouldn't solve the full problem.

Loïc Février
A: 

I agree with Loïc Février that there is little you can do when they are sharing logins.

If you really want to restrict user access from multiple locations, when you detect 2 sessions of the same user you could send some sort of a code/passkey through email and only the real owner of the account could continue.

Parkyprg
A: 

There is no particularly efficient way. That said, one technique could also be to use a DB to store the last IP used to sign in on an account, ping the DB every X amount of time and if the client IP doesn't match the last IP used to log in, end their session.

You could also track IPs used to access an account, and limit each user to, say, three. If they want another (as may legitimately happen), or if they exceed this amount, you have to be contacted/approve. This is a passive method, but will ensure you are notified over suspected account sharing.

Ergo Summary
Wrikken
Very true indeed!
Ergo Summary
A: 

Business solution

Make guidelines that it's not allowed to share logins to anyone. Track all login operations and if you see concurrent access, block the user.

a) The blocked user will call you, crying his login won't work: Give second and last chance. If it's not taken -> tell the boss. If you're the boss -> fire.

b) The blocked user will not call you. I wonder how he could work now. -> tell the boss. If you're the boss -> fire.

Programming solution

On the login screen, set a flag (the IP address?) in the database that the user is logged in at the moment. On logout, reset the flag. If the user is logged in, don't allow login. If the user does not log out correctly, the flag will still be set. So define a timeout for the flag too. About 5 min should be OK. It would be no gain for anyone to share a login, as he would always have to log in again, when you perform a check on every page access.

Scoregraphic
A: 

I usually let them ping-pong: A custom session_save_handler which stores the session in a database, with an extra field for user-id (session_id char, session_data blob, session_user int or char). A successful login-attempt destroys / deletes all other sessions with that specific user-id, and you could even log the number of times this DELETE statement actually deletes rows, with a counter somewhere to block people clearly excessively 'deleting' sessions. People switching computers / locations / browsers still can get work done instantly after login, users sharing authentication will keep on logging each other out, and increasing your counter until some arbitrary limit you deem appropriate, in which case you can disable / lock out the account.

Wrikken
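The three database-backed approaches in this thread (Scoregraphic's "logged in" flag with a timeout, Wrikken's newest-login-wins eviction with a counter that eventually locks the account, and Ergo Summary's passive count of distinct login IPs) share one session table, so here is a single worked example, written for this page rather than taken from any of the answers. It is Python over an in-memory SQLite store standing in for the site's database; the thresholds (300 s flag timeout, 3 evictions, 3 IPs) and the `sessions`/`accounts`/`login_log` schema are constructed for the example, not values from the thread.

```python
import secrets
import sqlite3

# Constructed policy knobs for this example (not values from the thread).
LOCK_TIMEOUT = 300   # seconds before an un-logged-out "logged in" flag is treated as stale
MAX_EVICTIONS = 3    # forced logouts tolerated before the account is locked
MAX_IPS = 3          # distinct login IPs tolerated before an account is flagged for review


def open_store():
    """Create the session store (in-memory SQLite standing in for the site's database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id TEXT NOT NULL,"
               " ip TEXT NOT NULL, last_seen REAL NOT NULL)")
    db.execute("CREATE TABLE accounts (user_id TEXT PRIMARY KEY,"
               " evictions INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)")
    db.execute("CREATE TABLE login_log (user_id TEXT NOT NULL, ip TEXT NOT NULL, at REAL NOT NULL)")
    return db


def _record_login(db, user_id, ip, now):
    """Ensure the account row exists, log the login, and issue a fresh session id."""
    db.execute("INSERT OR IGNORE INTO accounts (user_id) VALUES (?)", (user_id,))
    db.execute("INSERT INTO login_log VALUES (?, ?, ?)", (user_id, ip, now))
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, user_id, ip, now))
    return sid


def login_exclusive(db, user_id, ip, now):
    """Scoregraphic's flag: refuse a login while another session for this user is alive.
    A session abandoned without logout expires after LOCK_TIMEOUT, so the flag cannot stick forever."""
    db.execute("DELETE FROM sessions WHERE user_id = ? AND last_seen < ?", (user_id, now - LOCK_TIMEOUT))
    if db.execute("SELECT 1 FROM sessions WHERE user_id = ?", (user_id,)).fetchone():
        return None                      # someone is already logged in as this user
    return _record_login(db, user_id, ip, now)


def login_evicting(db, user_id, ip, now):
    """Wrikken's ping-pong: the newest login wins and deletes every other session of the user.
    Each forced logout is counted; reaching MAX_EVICTIONS locks the account."""
    db.execute("INSERT OR IGNORE INTO accounts (user_id) VALUES (?)", (user_id,))
    if db.execute("SELECT locked FROM accounts WHERE user_id = ?", (user_id,)).fetchone()[0]:
        return None
    evicted = db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,)).rowcount
    if evicted:
        db.execute("UPDATE accounts SET evictions = evictions + ? WHERE user_id = ?", (evicted, user_id))
        if eviction_count(db, user_id) >= MAX_EVICTIONS:
            db.execute("UPDATE accounts SET locked = 1 WHERE user_id = ?", (user_id,))
            return None
    return _record_login(db, user_id, ip, now)


def validate(db, sid, now):
    """Per-request check: return the user id of a live session and refresh its timestamp."""
    row = db.execute("SELECT user_id, last_seen FROM sessions WHERE session_id = ?", (sid,)).fetchone()
    if row is None:
        return None
    if row[1] < now - LOCK_TIMEOUT:      # stale: the user never logged out, treat as gone
        db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE session_id = ?", (now, sid))
    return row[0]


def logout(db, sid):
    """Proper logout clears the flag, so a well-behaved user never trips either policy."""
    db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))


def eviction_count(db, user_id):
    row = db.execute("SELECT evictions FROM accounts WHERE user_id = ?", (user_id,)).fetchone()
    return row[0] if row else 0


def is_locked(db, user_id):
    row = db.execute("SELECT locked FROM accounts WHERE user_id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


def needs_ip_review(db, user_id):
    """Ergo Summary's passive check: flag accounts seen from more than MAX_IPS distinct addresses."""
    n = db.execute("SELECT COUNT(DISTINCT ip) FROM login_log WHERE user_id = ?", (user_id,)).fetchone()[0]
    return n > MAX_IPS
```

The two login functions are alternatives, not a pipeline: `login_exclusive` makes the second person wait out the timeout (and a user who closed the browser without logging out waits too), while `login_evicting` lets everyone in immediately and lets the eviction counter, plus `needs_ip_review`, surface the sharing for a human to act on, which matches the business-side handling described in the thread. `validate` is the per-page-access check both policies rely on.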