
I'm developing a website where I want to make some security procedure and I want to make sure that only one user can log into his account from only one computer.

So, any ideas how can I handle this with php or even javascript code?

Note: I tried to use $_SERVER['REMOTE_ADDR'], but the IP isn't stable.

Slamnka
  • Within the PHP, when the user logs in, save their IP or MAC address into whatever userAuth table you've got. Then, when next they log in, check if it's that same MAC address. Easiest way, I think. Also, if they haven't logged out of the last session, you can simply lock the second attempt at logging in. However... http://stackoverflow.com/questions/3385/mac-addresses-in-javascript – Snowmonkey Apr 26 '17 at 19:01
  • The real IP isn't stable, it changes; also I can't get the MAC address. – Slamnka Apr 26 '17 at 19:04
  • All right, when the user logs in, create an MD5 hash that is unique (say, hash username, datetime, whatever). Save that both locally in localStorage and on your server in the auth tables. If they don't match, it's a new session. – Snowmonkey Apr 26 '17 at 19:06
  • That is a good solution, but how can I store it locally? – Slamnka Apr 26 '17 at 19:08
  • http://stackoverflow.com/questions/3220660/local-storage-vs-cookies/3220802#3220802 will give you some pointers on localStorage (client-side), and the PHP database stuff should be pretty easy, simply adding another field to your tables. – Snowmonkey Apr 26 '17 at 19:11

1 Answer

You can just add a column in the users table (is_online). When the user logs in, set it to true. On logout, set it to false. You need to work with sessions too. Save the user's session to validate.

<?php
// $user is the row fetched from the users table; session_start() has already run.
if ($user['is_online']) {
    if ($user['session_id'] === session_id()) {
        // OK, same user, same session.
    } else {
        // Oops, different session: someone else is logged in.
    }
} else {
    // User logs in for the first time: set is_online and store session_id().
}

Sorry for the poor code, I don't code in PHP, but this verification must be server-side.

UPDATE

If the user left the website without logging out, you need to add one more validation. Check if the session status is active. If not, leave is_online true and change the session to the new session. Learn more in session_status().

Maybe you need to run a cron job to destroy inactive sessions. I don't know if this is the best option.

GIA
    Good catch. The session.id is often an MD5, much as I described in my comments. Well said! – Snowmonkey Apr 26 '17 at 19:11
  • 1
    So if I don't actually log out, but just close my browser. Then I am no longer online, but I still cannot sign in elsewhere. That's a problem if the session is destroyed, then the user is "locked", because the DB thinks its online, but there is no matching session. – Qirel Apr 26 '17 at 19:36
  • Yes. With session_status in PHP, you get actual status of session. If false, user left the website without log out. – GIA Apr 26 '17 at 20:08
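A complete server-side version of the check described in the answer, written as an added example (it is not the answer's code and not the asker's site). A server cannot reliably identify "one computer": IPs change, MAC addresses never reach the server, and anything kept in localStorage is under the client's control, so the property that can actually be enforced is one active session per account, which is what the answer's is_online plus session id check aims at. The example replaces the boolean is_online with a hashed per-login token and a last_seen timestamp, so the "closed the browser without logging out" case raised in the comments resolves itself without a cron job: the newest login supersedes the old session, and an idle session expires on its own. Everything here is assumed for the demo: PDO with an in-memory SQLite database stands in for the site's users table, a plain PHP array stands in for $_SESSION so two browsers can be simulated in one script, IDLE_LIMIT is an assumed 15-minute idle timeout, and the function names (bootstrapDb, login, checkSession, logout, expect) and the demo account are the example's own.

```php
<?php
// Added example, not code from the original answer or the asker's site.
// Assumptions: PDO with an in-memory SQLite database stands in for the users
// table; a plain PHP array stands in for $_SESSION so two browsers can be
// simulated in one script; IDLE_LIMIT is an assumed 15-minute idle timeout.
declare(strict_types=1);

const IDLE_LIMIT = 900;

function bootstrapDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // session_token_hash: SHA-256 of the token held by the single live session.
    // last_seen: unix time of that session's last request (replaces is_online).
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        session_token_hash TEXT,
        last_seen INTEGER)');
    // Constructed demo account; the password exists only for this script.
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Login from one browser. On success that browser holds the only valid token;
// any earlier session is superseded instead of blocking the new login.
function login(PDO $db, array &$session, string $username, string $password, int $now): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    $token = bin2hex(random_bytes(32));   // unguessable per-login token
    // With real PHP sessions: session_regenerate_id(true) first, then $_SESSION[...].
    $session = ['user_id' => (int) $user['id'], 'token' => $token];
    $db->prepare('UPDATE users SET session_token_hash = ?, last_seen = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $now, $user['id']]);
    return true;
}

// Run on every authenticated request. Returns true if this browser still holds
// the live session; otherwise clears its session so it is effectively logged out.
function checkSession(PDO $db, array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT session_token_hash, last_seen FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $live = $row !== false
        && $row['session_token_hash'] !== null
        && hash_equals($row['session_token_hash'], hash('sha256', $session['token']))
        && ($now - (int) $row['last_seen']) <= IDLE_LIMIT;
    if (!$live) {
        $session = [];   // superseded by a newer login, or idle too long
        return false;
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE id = ?')
       ->execute([$now, $session['user_id']]);
    return true;
}

function logout(PDO $db, array &$session): void
{
    if (isset($session['user_id'])) {
        $db->prepare('UPDATE users SET session_token_hash = NULL, last_seen = NULL WHERE id = ?')
           ->execute([$session['user_id']]);
    }
    $session = [];
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// Demo: browser A logs in, browser B logs in later, A is kicked on its next request.
$db = bootstrapDb();
$browserA = [];
$browserB = [];
$t = 1000000;
expect(login($db, $browserA, 'alice', 'demo-password', $t), 'A logs in');
expect(!login($db, $browserB, 'alice', 'wrong', $t + 5), 'bad password rejected');
expect(checkSession($db, $browserA, $t + 10), 'A is live');
expect(login($db, $browserB, 'alice', 'demo-password', $t + 20), 'B logs in, newest wins');
expect(!checkSession($db, $browserA, $t + 30), 'A was superseded and logged out');
expect(checkSession($db, $browserB, $t + 30), 'B is live');
expect(!checkSession($db, $browserB, $t + 30 + IDLE_LIMIT + 1), 'B expired by idle limit, no cron needed');
logout($db, $browserB);
echo "all checks passed\n";
```

Run it with the php CLI (PDO's sqlite driver must be enabled). Three design points matter here. The database stores only a SHA-256 of the per-login token and compares it with hash_equals, so a read of the users table does not hand an attacker a usable session, and the comparison does not leak timing. last_seen does the job the answer gives to is_online and a cron job: a session that stopped making requests simply ages out, and a login from a second browser overwrites the stored hash, so the first browser fails its next checkSession and is logged out instead of the user being locked out. "Newest login wins" is a policy choice; if the answer's behaviour (refuse the second login while the first is still live) is wanted, check last_seen against IDLE_LIMIT inside login() before overwriting the token. In real PHP, call session_regenerate_id(true) at login so the session id changes after authentication, and keep the token in $_SESSION rather than in localStorage, which the client can edit.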