
I have a website that needs a username and password to access but I need to make sure that the user can only log on to the site from one computer at a time.

At the moment it is configured so that when the user logs in a value in the database is changed to 1 and when they log out it is changed to 0. If someone else tries to log in from another computer and the value is 1, they are informed that the user account is in use elsewhere.

This works great unless the original user doesn't log out, if they just close the browser the value stays as 1 meaning no one can now log in to that account.

Things I have considered...

  1. php session timeout - the nature of the website means that users will have the page open for extended periods of time to view without actually doing anything. The system is set to log the user out automatically if no browser activity is detected for an hour. This means that the user won't be able to log in from another machine for as long as an hour after closing the browser.

  2. give the user the ability to end the session on the other machine - when the user logs in their ip address is stored in the database and each time they do something their ip address is compared to the one in the database. If it doesn't match the user is sent to the home page and advised that someone else has taken over their account and they have been logged out. This won't work because the site will be mainly used on machines on networks and after much searching I have come to the conclusion I cannot identify unique machines on the network using either php or javascript.

  3. Changing the value in the database using an ajax call in body onunload() - isn't supported by Chrome, which is the browser used by most of my users.

Can anyone recommend either a way of uniquely identifying a machine (perhaps by using cookies) or a strategy that they have used or know of that can be used to accomplish this task?

tatty27
  • 1,553
  • 4
  • 34
  • 73
  • Possible [duplicate of this](http://stackoverflow.com/questions/4122033/ensure-web-app-access-from-a-single-computer-per-user), or [this](http://stackoverflow.com/questions/16220305/keeping-accounts-restricted-to-1-per-user-php?rq=1). – halfer May 25 '14 at 14:39
  • 1
    Look into database sessions - if a user logs in, revoke any existing sessions in the database for them, and check for session validity for every page view. – halfer May 25 '14 at 14:43

1 Answer

1

Give the user a new randomly generated token each time they log in. This token will be used for authentication for all the user's requests. When the user logs in, their token will be set in the database and overwrite any old token.

Take the following example:

  1. User logs in on machine A. Gets a token and is able to work with the server.
  2. User then logs in on machine B. Get a token, and the token from machine A is overwritten in the database.
  3. User on machine A makes a request, but the token is no longer recognized - requests only work from machine B now.

Martin Konecny
  • 57,827
  • 19
  • 139
  • 159
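Below is an added, self-contained illustration of the token scheme from this answer (and of halfer's "revoke any existing sessions in the database" comment on the question). It is not code from the asker's site or from the answerer; it uses an in-memory SQLite table and a single constructed user, `alice`, as stand-ins for the real database. The one addition beyond the answer's description is that the database stores a SHA-256 hash of the token rather than the token itself, so a leaked copy of the table does not hand out live sessions; the comparison uses `hmac.compare_digest` to avoid timing differences.

```python
import hashlib
import hmac
import secrets
import sqlite3


def open_store():
    """Constructed stand-in for the site's user table: one row per account,
    holding the hash of the currently valid session token (NULL = logged out)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, session_hash TEXT)")
    conn.execute("INSERT INTO users (username, session_hash) VALUES ('alice', NULL)")
    conn.commit()
    return conn


def _token_hash(token):
    # Only the hash is persisted; the raw token lives in the user's cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def login(conn, username):
    """Issue a fresh random token and overwrite whatever was stored before.
    Overwriting is the revocation: the previous machine's token stops
    matching at this moment, with no need for a logout or onunload event."""
    token = secrets.token_urlsafe(32)
    cur = conn.execute(
        "UPDATE users SET session_hash = ? WHERE username = ?",
        (_token_hash(token), username),
    )
    conn.commit()
    if cur.rowcount != 1:
        return None  # unknown account: nothing issued
    return token


def is_valid(conn, username, token):
    """Check on every request: the presented token must hash to the stored value."""
    if token is None:
        return False
    row = conn.execute(
        "SELECT session_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(row[0], _token_hash(token))


def logout(conn, username):
    """Explicit logout clears the stored hash; closing the browser is handled
    implicitly because the next login simply overwrites the old hash."""
    conn.execute("UPDATE users SET session_hash = NULL WHERE username = ?", (username,))
    conn.commit()


def demo():
    """Replays the three steps from the answer and returns the validity of
    machine A's and machine B's tokens after the second login."""
    conn = open_store()
    token_a = login(conn, "alice")            # step 1: login on machine A
    assert is_valid(conn, "alice", token_a)   # A can work with the server
    token_b = login(conn, "alice")            # step 2: login on machine B
    # step 3: A's token is no longer recognized, B's is.
    return is_valid(conn, "alice", token_a), is_valid(conn, "alice", token_b)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The 1/0 "in use" flag from the question is no longer needed: a stale flag was the whole problem, and here there is no stale state because the latest login always wins. If the site wants machine A to be told why it was kicked out rather than silently redirected, the failed `is_valid` check is the place to show that message.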