4

I want to restrict multiple logins of the same user from different locations. How can I identify a user's multiple logins from different locations in the same/recent times? I think some flags and IP checking in a table might be a possible solution, but are there any better solutions?

Update: I think the session or cookie might help if it is for a single machine. For example, when users log in for the first time, create an activation key and store it, and every other time users log in from that machine, check the cookie value, and so on.

arun
  • possible duplicate of [PHP Session Security](http://stackoverflow.com/q/328/), [What is the best way to prevent session hijacking?](http://stackoverflow.com/q/22880/90527) – outis Apr 19 '12 at 09:21

5 Answers

4

I would resolve something like that by adding an activeKey column to the user table. Every time the user logs in, the activeKey is changed (a simple way: substr(md5(time().$username), 0, 16)) and stored in the session. Every time the webpage is refreshed/entered, the key would be checked. If it doesn't match, then log out with info. On a correct logout the key would be set to NULL, so it could serve as a flag.

This method could be combined with the IP address, but an IP address alone could be cheated, the same with MAC, and so on.

That is the main idea. There could be additional data like last login date, IP of last login, and so on.

pawel-kuznik
  • I think the session or cookie may help (for a single machine): on the first login create an activeKey and store it on that machine, and every time the user logs in from that machine check that cookie value too. So even if he uses a proxy it can be helpful for identifying the user, isn't it? I'm not sure whether it will produce any security problems or something. – arun Apr 19 '12 at 09:46
  • Cookie? Don't know if that is a good way, since the user would have to log on every time from one device. I think the problem here is to not allow the user to be logged in on two devices at the same time, so it would auto-logout from the older device. If you want to limit the user to only one machine then you could go with a cookie, but when the user deletes the cookie it deletes the info about him. Or not... Maybe there is a way to force a specific cookie, but then it doesn't matter if the cookie is defined or not. Security? Well, you could send the cookie to the wrong person, I think. – pawel-kuznik Apr 19 '12 at 10:11
  • If the active key is changed, then the newly logged in user is the one who stays and the old one is logged out. Supposing your account is compromised, you wouldn't want someone else to kick you out of your account, would you? – NVG Oct 01 '15 at 13:44
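A worked version of the activeKey idea from this answer, added here as an example (it is not the answerer's code). It assumes a `users` table with `id` and `active_key` columns, a PDO connection `$db`, a login page at `/login.php`, and that `session_start()` has already run; the key comes from `random_bytes()` rather than `md5(time())` so it cannot be guessed from the login time, and is compared with `hash_equals()`.

```php
<?php
declare(strict_types=1);

// On successful login: mint a fresh random key, store it in the DB and the session.
// Whoever logs in last holds the key; any older session fails the check below.
function issueActiveKey(PDO $db, int $userId): string
{
    $key = bin2hex(random_bytes(16));          // 32 hex chars, unpredictable
    $stmt = $db->prepare('UPDATE users SET active_key = :key WHERE id = :id');
    $stmt->execute([':key' => $key, ':id' => $userId]);
    session_regenerate_id(true);                // new session id on privilege change
    $_SESSION['user_id']    = $userId;
    $_SESSION['active_key'] = $key;
    return $key;
}

// On every request: the session is valid only if its key matches the DB copy.
function activeKeyIsValid(PDO $db, array $session): bool
{
    if (!isset($session['user_id'], $session['active_key'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT active_key FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null) {
        return false;                           // user gone, or logged out (key is NULL)
    }
    return hash_equals((string) $stored, (string) $session['active_key']);
}

// On logout: set the key to NULL so it doubles as a "not logged in" flag.
function revokeActiveKey(PDO $db, int $userId): void
{
    $stmt = $db->prepare('UPDATE users SET active_key = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $_SESSION = [];
    session_destroy();
}

// Guard to run after session_start() on every protected page.
function requireSingleSession(PDO $db): void
{
    if (!activeKeyIsValid($db, $_SESSION)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php?reason=logged_in_elsewhere');
        exit;
    }
}
```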
3

You can have a table containing the IDs and the IP addresses of the users that are currently logged in. Just check against this table everytime someone logs in.

nico
  • Yeah, I also thought of this, but are there any other solutions too? Here a problem may occur: consider the situation where the user may use a proxy or something, so the IP check may fail in that case. – arun Apr 19 '12 at 09:13
  • This is probably your best bet. In case of failed IP check, just save "unknown" - its unlikely 2 people with proxy will attempt to login at same time. Also, remember your can IP check with several values - forwarded_for & remote_addr. You will also need to save time stamp & decide on a way to logout after inactivity – RiquezJP Apr 19 '12 at 09:27
  • IP address could be easily cheated. Same for most client info. It would have to be managed by the server. – pawel-kuznik Apr 19 '12 at 09:30
  • @neosatan: it doesn't really matter if someone spoofs the IP address, it would still result that someone else is logging in somewhere else. The user id is the important bit, and that is not spoofable. – nico Apr 19 '12 at 09:36
  • Yeah, understood, but what if there could be only one device per user logged in at the same time? Then the user could spoof their own address to produce the effect that he is logged in once. It really depends on what the exact conditions of this identification are. – pawel-kuznik Apr 19 '12 at 10:14
  • @neosatan: OK, I did not think of that case. I thought he rather wanted to avoid someone to log in as another user, but it's true that sometimes you may want to avoid 2 logins for the same person. – nico Apr 19 '12 at 14:39
2

Here's a solution that doesn't require constant database access to work...

(which will avoid the requirement to check the session_id() against the database value every time you request/refresh a page, relieving db/server stress)...

1. On login, grab the pre-existing session_id stored in the DB for this user and do this:

// $previousSessionId holds the pre-existing session id stored in the DB for this user
session_id($previousSessionId);
session_start();
session_destroy();

2. Then start a new session and save this new session_id to the database, overwriting the previous one. This will logout the previous session on this user if there is one active (effectively logging out the other guy using this account).

Give it a try and let me know if that does the trick!!

NOTE: This is "in theory" as I haven't yet tried it. It's based on this accepted stackoverflow answer. And you should probably manually create the session_id based on something unique to each user, that way you don't wipe out a session that someone else is using that happened to be the same as the session last used by the user you are doing a check for.

prograhammer
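The two steps of this answer carried through as a login routine, added here as an example (not the answerer's code, and untested by him as he notes). It assumes a `users` table with a `session_id` column, a PDO connection `$db`, that `session_start()` already ran for this request, and that the password was just verified; the final `session_regenerate_id(true)` addresses the NOTE above, since the stored id is then always one the server generated for this user.

```php
<?php
declare(strict_types=1);

function loginAsSingleSession(PDO $db, int $userId): void
{
    // Step 1: look up the session id recorded at this user's previous login.
    $stmt = $db->prepare('SELECT session_id FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $previous = $stmt->fetchColumn();

    $current = session_id();
    if (is_string($previous) && $previous !== '' && $previous !== $current) {
        // Release our own session, resume the old one and wipe it, so whoever
        // still holds that cookie is logged out on their next request.
        session_write_close();
        session_id($previous);
        session_start();
        $_SESSION = [];
        session_destroy();

        // Resume our own session (session_destroy() cleared the id).
        session_id($current);
        session_start();
    }

    // Step 2: issue a fresh, server-generated id (never keep one the browser
    // arrived with) and record it as the only session allowed for this user.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $stmt = $db->prepare('UPDATE users SET session_id = :sid WHERE id = :id');
    $stmt->execute([':sid' => session_id(), ':id' => $userId]);
}
```

Pages other than the login page need no database check: the evicted browser simply has no session data left when it next calls `session_start()`.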
1

I think just having 2 extra columns for each user, "LastLoginTime" and "IPAddress", in your Users table will do. If the duration is too short and the IPAddress varies, then you can give a warning to the user. Additionally, you can also tell the user the City & Country from which they logged in.

Gautam Jain
0

I would add to the users table an ipAddress column, a LastLogin date column, a LogStatus column with boolean values (actually MySQL uses 1/0 for boolean) to check whether the user is logged in or not, a Country column (although this could be bypassed by using a proxy), and a blockedStatus column, again with 1/0 values, that would indicate whether the user is blocked or not.

Then on the login page, you'd check: if the user is already logged in, then he can't log in; if he was recently logged in and the country is different, then something is happening and you would need to block the account and send an email with a link to unblock the account if the legitimate user was the one logging in.

davidaam
  • There is supposedly a way to sometimes find the real IP behind a proxy: http://www.vision.to/get-a-real-ip-vs-proxy.php. I haven't tried it, but I think this would at least help a bit. – davidaam Apr 19 '12 at 09:31