9

I would like to make my website allow only one session at a time. For example, let's say a user has logged in to my website on Firefox; if the user logs in again in another browser like Opera, on the same computer or a different computer, the session on Firefox will be destroyed. However, the session on Firefox remains if it stays the only session. May I know how I can do that? I am using PHP and Apache. Thank you.

Regards. Benjamin

davidlee
  • Can you explain it a little more? Do you mean you want the same user to be able to log in to different computers at the same time? Please correct me if I am wrong. – Chetan Sharma Jul 02 '10 at 09:27
  • @Chetan: I think he wants the opposite – Bart van Heukelom Jul 02 '10 at 09:29
  • The post by *john at host89 dot net* on the [PHP session_destroy](http://php.net/manual/en/function.session-destroy.php) page might help. – Mike Jul 02 '10 at 09:34
  • @Bart van Heukelom: Thanks. Then I will suggest it should go through the database to keep login centralized. – Chetan Sharma Jul 02 '10 at 09:34
  • @Chetan I want one user to log in to one computer at the same time. However, let's say the user closes the Firefox browser but didn't log in to my website in any other browser on the same or a different computer; the session in Firefox on that computer remains when he opens the browser again. Got any clue? Thanks. – davidlee Jul 02 '10 at 10:33
  • @benmsia Okay, I got it now. Then I'll suggest you use a cookie and save the login status in the database. Check here: http://stackoverflow.com/questions/3164507/allow-one-session-only-at-a-time/3170660#3170660 – Chetan Sharma Jul 03 '10 at 07:27

6 Answers

11

I'd suggest you do something like this:

Suppose user "A" logs in on "Com_1" for the first time. Save a unique code in the database against that session, and the same in the user's session.

In the meantime, if he (user "A") logs in again on "com_2", check his status in the database and update the unique code in the database.

Then, if the same user (user "A") refreshes the page on "com_1", all you need to do is check the unique code from the session and match it against the database. It is sure not to match, so log him out and destroy the session.

To keep the user logged in even if the browser is closed, you can store a cookie in the browser and regenerate the session accordingly.

Hope this helps. Thank you.

Chetan Sharma
5

You can use the following algorithm:

  1. Create an integer field in the database, userLoggedInCount.
  2. On each login, increment that flag and store the result in the session.
  3. On each request, check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database.
  4. Whenever a session is destroyed, decrement the value as well.

Credit to Bozho, who posted this in answer to a question here.

pakore
  • Yes, more of the same scenario, but I can't find a solution there. Thanks. – davidlee Jul 02 '10 at 10:45
  • @ben why not, what's the problem? – Pekka Jul 02 '10 at 10:47
  • This algorithm might not be sufficient. The theory is perfect, but in practice it won't work if the browser saves the session in a cookie and restores it from there. Take a look at Step 2. If, as I said, the browser restores the session automatically, it won't pass through any LoginHandler or LoginMethod or any controllable place to perform the increment of that flag. How to act in this case? – ElPiter Dec 29 '12 at 14:03
3

Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.

Pekka
  • I think the idea is to *allow* the user to log in to another browser, and destroy the already-open session. Unless I have misunderstood, your idea is to prevent the new login? – Mike Jul 02 '10 at 09:32
  • @Mike Good point, will update the answer a bit. Both things will be easily possible to do with a central registry. – Pekka Jul 02 '10 at 09:34
  • @mike Thanks for the reply. My idea is not to prevent the new login, but to destroy the existing session if a new login by the same user is found in a different browser on the same computer or in any browser on a different computer. Thanks. – davidlee Jul 02 '10 at 10:42
  • @ben This can be done using a central registry where you can keep a "logged in" flag for each session. As far as I can see, the answers provided outline good ways to get there. I think you need to go into more detail about what doesn't work for you. – Pekka Jul 02 '10 at 10:48
3

I think you'd have to do something like this:

  • Add a "last_session_id" column to your user table.
  • When a user logs in, update their last_session_id field with their current session id.
  • On each page, if the user has an authenticated session, check whether the session id is equal to the one recorded in your database. If not, destroy this session.
Arkh
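
The per-login token check described in the "unique code" and "last_session_id" answers above, as an added example that is not code from any poster. The table, column and function names are hypothetical, and a plain array stands in for `$_SESSION` so that two browsers can be simulated in one command-line run against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one user row in a throwaway in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login_token TEXT)');
$db->exec('INSERT INTO users (id, login_token) VALUES (1, NULL)');

// Call after the password check succeeds: the new token replaces any older one,
// which is what invalidates the session held by the other browser.
function onLogin(PDO $db, array &$session, int $userId): void
{
    $token = bin2hex(random_bytes(32)); // unguessable and unique per login
    $stmt = $db->prepare('UPDATE users SET login_token = ? WHERE id = ?');
    $stmt->execute([$token, $userId]);
    $session = ['user_id' => $userId, 'login_token' => $token];
    // In a web request, also call session_regenerate_id(true) here.
}

// Call at the top of every protected page, including when the browser
// restores an old session cookie without passing through the login form.
function isCurrentSession(PDO $db, array &$session): bool
{
    if (!isset($session['user_id'], $session['login_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $stored = $stmt->fetchColumn();
    if (is_string($stored) && hash_equals($stored, $session['login_token'])) {
        return true;
    }
    $session = []; // superseded by a newer login: drop the auth state
    return false;  // in a web request: session_destroy() and redirect to login
}

// Simulated browsers, each with its own session storage.
$firefox = [];
$opera = [];
onLogin($db, $firefox, 1);
var_dump(isCurrentSession($db, $firefox)); // Firefox is the only login so far
onLogin($db, $opera, 1);                   // same user logs in from Opera
var_dump(isCurrentSession($db, $firefox)); // Firefox checked after the Opera login
var_dump(isCurrentSession($db, $opera));   // Opera holds the latest token
```

Because the comparison runs on every request rather than only at login, a session restored from a cookie is still checked against the database.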
1

Store the session id in the database. Retrieve the last login's session id from the db, set the session id using session_id(oldid), change the session variables related to authentication like $_SESSION['LOGIN'], destroy the session, and create a new session with a new session id. Follow the example at https://www.php.net/manual/en/function.session-create-id.php for the logic. This will make the last login the allowed one. Validate the session variables related to authentication on each page. This makes the session invalid because of the session_id reset by a new login.

PLASMA chicken
0

Save users' IP=>SESSION_ID pairs in a database. When a user tries to load your page, you must compare the actual IP=>SESSION_ID pair, then allow/deny if the pair is ok/different.

fabrik